FAQ
Should this go somewhere on perl.apache.org? We don't have a section on
securing apps, may be one needs to be started?

I've forwarded the two relevant messages from the users list

-------- Original Message --------
Subject: FYI: AppArmor - makes mod_perl/mod_php safer on linux
Date: Fri, 07 Apr 2006 17:09:20 -0700
From: Stas Bekman <stas@stason.org>
Organization: Hope, Humanized
To: mod_perl Mailing List <modperl@perl.apache.org>

I was just at cansecwest (http://cansecwest.com/) here in Vancouver, and
went to a talk by Crispin Cowan from Novell. He presented AppArmor which
confines the application into a restricted mode (which files it can access
and what it can and cannot do). Unlike jail/chroot AppArmor allows you to
provide different profiles per script, so it might be very useful to ISPs
which need to protect one user from another. It works as a linux security
module (LSM) so there is very little overhead and no need to patch your
kernel.

I haven't used it myself, but I think some of the mod_perl users can
benefit from it. I don't know why Novell folks didn't announce it to this
list.

more info at:
http://www.novell.com/products/apparmor/
http://www.novell.com/documentation/apparmor/
mod_perl is specifically mentioned on page 4 at:
http://www.novell.com/collateral/4821055/4821055.pdf

-------- Original Message --------
Subject: Re: AppArmor - makes mod_perl/mod_php safer on linux
Date: Mon, 10 Apr 2006 14:31:13 +0200
From: Clinton Gormley <clint@traveljury.com>
To: Jonathan Vanasco <jon@2xlp.com>
CC: mod_perl Mailing List <modperl@perl.apache.org>
References: <4436FF30.2060906@stason.org>
<012601c65bb4$658a2130$960b0a0a@thoughtworthy.internal>
<3D6FCB29-B601-4E29-8BBD-DF6BE046539F@2xlp.com>
On Sun, 2006-04-09 at 13:45 -0400, Jonathan Vanasco wrote:
On Apr 9, 2006, at 5:02 AM, Kevin A. McGrail wrote:

I'm under the impression that this is the same as SELinux
(http://www.nsa.gov/selinux/info/faq.cfm)
SELinux is at the kernel level + a few libraries, and from what i
read appArmor is just a library
No, appArmor plugs into the kernel via LSM (Linux Security Modules),
which SELinux uses as well. It is really impressive. Have a look at this
demo (272 meg of video!)
ftp://ftp.belnet.be/pub/mirror/FOSDEM/FOSDEM2006-apparmor.avi

It is easy to configure, adds little overhead, and allows you to build
security profiles on the fly. Also, it adopts the
deny-all/allow-required approach, rather then allow-all,
deny-this-that-and-the-other-thing.

Also, (and I forgot the details) but I'm pretty sure it allows you to
separate permissions for different perl scripts running under mod-perl.

clint


--
_____________________________________________________________
Stas Bekman mailto:stas@stason.org http://stason.org/
MailChannels: Assured Messaging(TM) http://mailchannels.com/
The "Practical mod_perl" book http://modperlbook.org/
http://perl.apache.org/ http://perl.org/ http://logilune.com/


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-dev-unsubscribe@perl.apache.org
For additional commands, e-mail: docs-dev-help@perl.apache.org

Search Discussions

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 1 of 1 | next ›
Discussion Overview
groupdocs-dev @
categoriesmodperl, perl
postedApr 11, '06 at 1:37a
activeApr 11, '06 at 1:37a
posts1
users1
websiteperl.apache.org

1 user in discussion

Stas Bekman: 1 post

People

Translate

site design / logo © 2017 Grokbase