jails Web server and MySQL Database inside one or two jails?

Hello, I've got a short question:

I like to run a web server with a MySQL database for a WCMS like Joomla! (WCMS = Web Content Management System: written in PHP, and it uses a MySQL database). The database server will not be used for anything else on the FreeBSD server. There is only one web server and one user (me) who will configure the database for that.

So my question is: should I put both (Apache and MySQL DB) together in one jail?
Or should I, for security reasons, rather put them in two separate jails?

What are the advantages and disadvantages of both concepts?
Thanks for an answer.
 
I use a separate jail for the DB.
Sometimes you will configure another site in a 3rd jail, and with the separate DB you will not have crazy jail dependencies.
It will be possible to shut down only the site-specific jail without the database (for example for upgrade or maintenance).
You will have some minor overhead, like one more jail for the DB. But it may provide some benefits in the near future.
 
There's no right or wrong. It's more a question of how you design and cut your system boundaries.

If the DBMS (not just the database, really the service providing DB access) is considered part of your "software system", having it in the same jail comes naturally, reducing external dependencies of that system, or, making it more "self-contained". It won't be a relevant security gain to have a second jail if all data is owned by your application anyway (so, it has access to it).

If, OTOH, you design your DBMS as some "shared infrastructure resource" (so, once you want to deploy a different software system needing a database, you don't want to bundle a second DBMS with that), then it should live in its own jail to avoid scenarios where an attacker can suddenly access even the data of other systems, just by obtaining "local root" in your jail.

I personally prefer the first approach (which in practice means I have several jails by now, ALL running an instance of MySQL).
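The separate-jail layout that both replies above describe, written out as an added example; this is not configuration posted by anyone in the thread. The jail names, the cloned loopback interface lo1, the 10.0.0.x and 203.0.113.x addresses, and all file paths are assumptions. The point of the layout is that MySQL listens only on the DB jail's private address and that only the web jail's address may reach it, so a compromise of the web jail does not become a compromise of any other jail's data.

```conf
# /etc/rc.conf on the host (assumed): a cloned loopback for jail-to-jail traffic
cloned_interfaces="lo1"

# /etc/jail.conf on the host (assumed names, paths and addresses)
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";
host.hostname = "$name.example.local";

# Web jail: Apache, PHP and Joomla. It gets the public address plus a
# private lo1 address that is used only to talk to the database jail.
web {
    ip4.addr  = "em0|203.0.113.10/24";
    ip4.addr += "lo1|10.0.0.10/32";
}

# Database jail: MySQL only. No public address; reachable solely over lo1.
db {
    ip4.addr = "lo1|10.0.0.11/32";
}

# /usr/jails/db/usr/local/etc/mysql/my.cnf, i.e. my.cnf inside the db jail (assumed path)
[mysqld]
# Listen only on the jail's private address, never on 0.0.0.0.
bind-address = 10.0.0.11

# /etc/pf.conf on the host (assumed): only the web jail may reach MySQL in the db jail.
# With pf's default-pass behaviour this single rule is enough; in a default-deny
# ruleset add the matching "pass" for 10.0.0.10 instead.
block in quick on lo1 proto tcp from ! 10.0.0.10 to 10.0.0.11 port 3306
```

Start the two jails with `service jail start db web` and point Joomla's configuration at host 10.0.0.11 instead of a local socket. In practice the split buys what the first reply lists (stopping or upgrading the web jail without touching the database, reusing the DB jail for a later site) and the isolation the second reply describes only once more than one application's data lives in that DBMS; for a single application that owns all its data, the single-jail layout is just as defensible.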
 
.... It won't be a relevant security gain to have a second jail if all data is owned by your application anyways (so, it has access to it).
I think that is the answer I have been searching for. Although I sometimes like to make things more complicated, it is not necessary if I don't get more security from it - thanks.
 