This one time, at band camp, Erik de Castro Lopo wrote:
>Voytek Eymont wrote:
>
>> thanks, Andrew
>>
>> unfortunately, it seems my user does have vulnerable version of Joomla...
>> clearly he is not following Mambo/Joomla advisories...
>
>If you allow your users to install their own versions of X, then
>your distribution's patching mechanism is bypassed and you have
>no way of easily keeping up to date with patches.
>
>One way of dealing with this is to make each user run in a
>chroot/UML/Xen/whatever instance so that when their environment
>is compromised it only affects them and not everyone else on
>the machine.

chroot/UML/Xen is not the hammer for this screw :)

Anchor has survived for 6 years without a root compromise, allowing customers to install their own buggy unpatched versions of code, and all running on an unvirtualised machine. You can add yourself the overhead of Xen for a shared hosting environment, but it's not necessary when you take the time to use a simple privilege separation technique, e.g. mod_suexec.

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html