Web Server in a Sandbox
A web server and related services as a database server shall run in jailed environments, so that they have no or or only limited access to other processes or filesystem paths of the operating system.
There are different methods to get a sandbox environment. Here, we use the Firejail Security Sandbox, which allows to assign a private sealed scope to a service and all associated processes; this includes resources like network access, process table or filesystem. Therewith, the service only sees its own processes and can only access the part of the filesystem that has been assigned tio it.