# Questions about proper jail and setup



## atmosx (Jan 23, 2014)

Hello,

I'm running two websites using Nginx + MySQL. One is Ruby-based, running via unicorn (nginx as proxy), and the second is going to be a WordPress installation (PHP). I have built a jail in which I'd like to host my websites. Jail networking works; only binaries and configuration files need to be installed now. So I have a couple of questions.

* Should MySQL run on the jail or not? Should everything that can be compromised run on the jail?
* Should the jail have GCC (or cc) installed?
* Should I use ports or only _host_ pre-compiled packages?

Best regards,


----------



## SirDice (Jan 23, 2014)

atmosx said:

> * Should MySQL run on the jail or not? Should everything that can be compromised run on the jail?


It depends on your criteria. But you could create another jail specifically for MySQL.



> * Should the jail have GCC (or cc) installed?


Ideally, production systems should not have any kind of compilers. A compiler on the system would only make it easier for a potential attacker to compile code specific for your system. This can also be done 'off-site' but you don't want to give your attackers tools to beat you with.



> * Should I use ports or only _host_ pre-compiled packages?


I'd use packages, built on my own repository. If only because building ports takes quite a bit of time and could render the system unusable until everything is built. Installing or upgrading packages only takes a couple of minutes. And because of the lack of a compiler (see previous point) building ports is going to be tricky.


----------

