当您运行完整的沙箱环境时，Chroot jail可能真的不安全。攻击者可以完全访问内核功能，例如可以安装驱动器来访问主机系统。

我建议您使用linux-vserver。你可以看到linux-vserver是一个改进的chroot***，里面有一个完整的debian安装。它是一个非常快的，因为它运行在一个单一的内核，所有的代码执行是一个本机。

我个人使用linux-vserver来分离我所有的服务，只有几乎不显着的性能差异。

查看 linux-vserver wiki 安装说明。

regards，Dennis

I have Apache running on a public-facing Debian server, and am a bit worried about the security of the installation. This is a machine that hosts several free-time hobby projects, so none of us who use the machine really have the time to constantly watch for upstream patches, stay aware of security issues, etc. But I would like to keep the bad guys out, or if they get in, keep them in a sandbox.

So what's the best, easy to set up, easy to maintain solution here? Is it easy to set up a user-mode linux sandbox on Debian? Or maybe a chroot jail? I'd like to have easy access to files inside the sadbox from the outside. This is one of those times where it becomes very clear to me that I'm a programmer, not a sysadmin. Any help would be much appreciated!

Chroot jails can be really insecure when you are running a complete sandbox environment. Attackers have complete access to kernel functionality and for example may mount drives to access the "host" system.

I would suggest that you use linux-vserver. You can see linux-vserver as an improved chroot jail with a complete debian installation inside. It is really fast since it is running within one single kernel, and all code execution is one natively.

I personally use linux-vserver for seperation of all my services and there are only barely noticeable performance differences.

Have a look at the linux-vserver wiki for installation instructions.

regards, Dennis