Should this go somewhere on perl.apache.org? We don't have a section on
securing apps, maybe one needs to be started?

I've forwarded the two relevant messages from the users list

-------- Original Message --------
Subject: FYI: AppArmor - makes mod_perl/mod_php safer on linux
Date: Fri, 07 Apr 2006 17:09:20 -0700
From: Stas Bekman <stas@stason.org>
Organization: Hope, Humanized
To: mod_perl Mailing List <modperl@perl.apache.org>

I was just at CanSecWest (http://cansecwest.com/) here in Vancouver, and
went to a talk by Crispin Cowan from Novell. He presented AppArmor, which
confines the application into a restricted mode (which files it can access
and what it can and cannot do). Unlike jail/chroot, AppArmor allows you to
provide different profiles per script, so it might be very useful to ISPs
which need to protect one user from another. It works as a Linux security
module (LSM) so there is very little overhead and no need to patch your

I haven't used it myself, but I think some of the mod_perl users can
benefit from it. I don't know why Novell folks didn't announce it to this

more info at:
mod_perl is specifically mentioned on page 4 at:

-------- Original Message --------
Subject: Re: AppArmor - makes mod_perl/mod_php safer on linux
Date: Mon, 10 Apr 2006 14:31:13 +0200
From: Clinton Gormley <clint@traveljury.com>
To: Jonathan Vanasco <jon@2xlp.com>
CC: mod_perl Mailing List <modperl@perl.apache.org>
References: <4436FF30.2060906@stason.org>

On Sun, 2006-04-09 at 13:45 -0400, Jonathan Vanasco wrote:
> On Apr 9, 2006, at 5:02 AM, Kevin A. McGrail wrote:
>
>> I'm under the impression that this is the same as SELinux
>
> SELinux is at the kernel level + a few libraries, and from what I
> read AppArmor is just a library

No, AppArmor plugs into the kernel via LSM (Linux Security Modules),
which SELinux uses as well. It is really impressive. Have a look at this
demo (272 meg of video!)

It is easy to configure, adds little overhead, and allows you to build
security profiles on the fly. Also, it adopts the
deny-all/allow-required approach, rather than allow-all,

Also, (and I forgot the details) but I'm pretty sure it allows you to
separate permissions for different Perl scripts running under mod_perl.


Stas Bekman mailto:stas@stason.org http://stason.org/
MailChannels: Assured Messaging(TM) http://mailchannels.com/
The "Practical mod_perl" book http://modperlbook.org/
http://perl.apache.org/ http://perl.org/ http://logilune.com/
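
An added illustration, not part of the forwarded messages or of Novell's material, of the per-script confinement and deny-all/allow-required approach discussed above: an AppArmor profile for Apache with one hat per user's mod_perl area. The Apache binary path, the user names alice and bob, their directories, and the use of mod_apparmor's AAHatName directive to select a hat per Location are all assumptions.

```apparmor
# Constructed example profile; every path and name below is an assumption.
# Assumed Apache side (mod_apparmor loaded), shown here as comments:
#   <Location /alice>  AAHatName alice  </Location>
#   <Location /bob>    AAHatName bob    </Location>

#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The parent process only needs to bind the port and drop privileges.
  capability net_bind_service,
  capability setgid,
  capability setuid,

  /etc/apache2/** r,
  /usr/lib/apache2/modules/*.so mr,
  /var/log/apache2/*.log w,

  # Requests that match no AAHatName run in this hat: static files only.
  ^DEFAULT_URI {
    #include <abstractions/base>
    /var/www/html/** r,
    /var/log/apache2/*.log w,
  }

  # Handlers under /alice: read own code, write own data, nothing else.
  ^alice {
    #include <abstractions/base>
    #include <abstractions/perl>
    /home/alice/www/** r,
    /home/alice/data/** rw,
    /var/log/apache2/*.log w,
  }

  # Handlers under /bob: same shape, different tree.
  ^bob {
    #include <abstractions/base>
    #include <abstractions/perl>
    /home/bob/www/** r,
    /home/bob/data/** rw,
    /var/log/apache2/*.log w,
  }
}
```

Because a hat permits only what it lists, a handler running in the alice hat cannot open anything under /home/bob even though both run inside the same Apache process.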
