2013-11-08, 01:02:27
Well, he is correct; you typically want to put any writable data outside of your webspace in a chroot jail.
This basically protects you against the chance that someone manages to find a hole to upload a shell; if it is not in the webroot, there is much less of a chance of it being successfully executed over the web after infection.
This comes down to having "absolute security" in that you can never predict every vector of attack or future attacks, and that protecting your data folders with rules can never be 100% secure in theory, because you cannot cover situations that do not exist yet or are unknown.
So the safest bet is the only way to have the best security.
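A way to check a deployment for the layout described above, as an added example that is not part of the original post: it reports writable directories that resolve inside the webroot, and also ones kept outside but exposed again through a symlink in the webroot. The function names and the sample layout are assumptions made for illustration.

```python
import os
import tempfile

def under(path, root):
    """True if path equals root or lies below it (both already resolved)."""
    return os.path.commonpath([path, root]) == root

def audit(webroot, writable_dirs):
    """Return (dir, reason) for each writable dir a web request could reach."""
    webroot = os.path.realpath(webroot)
    resolved = {d: os.path.realpath(d) for d in writable_dirs}
    findings = [(d, "inside webroot") for d, real in resolved.items()
                if under(real, webroot)]
    # Directories kept outside can still be exposed by a symlink in the webroot.
    for cur, dirs, files in os.walk(webroot):      # does not follow symlinks
        for name in dirs + files:
            link = os.path.join(cur, name)
            if not os.path.islink(link):
                continue
            dest = os.path.realpath(link)
            for d, real in resolved.items():
                if under(real, webroot):
                    continue                        # already reported above
                if under(real, dest) or under(dest, real):
                    findings.append((d, "exposed via symlink " + link))
    return findings

if __name__ == "__main__":
    # Constructed layout in a temp dir; all names are hypothetical.
    base = os.path.realpath(tempfile.mkdtemp())
    webroot = os.path.join(base, "public")
    dirs = [os.path.join(webroot, "uploads"),   # writable, inside webroot
            os.path.join(base, "data"),          # writable, outside webroot
            os.path.join(base, "cache")]         # outside, but symlinked in
    for d in dirs:
        os.makedirs(d)
    os.symlink(dirs[2], os.path.join(webroot, "cache"))
    for d, reason in audit(webroot, dirs):
        print(d, "->", reason)
```
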