i'm putting a machine into production in the next week or two that uses binary
CGI "scripts". i want to add additional layers of security beyond having apache
chroot-ed in case the binaries decide to run amok. things that occur to me as a
good idea are systrace and sbox (see http://stein.cshl.org/software/sbox/ ), but
i don't have much experience with either of these.

if anyone has experience with either of these two solutions in production, i
would appreciate being informed about such. this machine will be colocated so
i'm very keen on having everything worked out before it goes into production.
feel free to contact me off-list if you like.

