Gentoo Archives: gentoo-user

From: Hans-Werner Hilse <hilse@×××.de>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] apache/php: chroot?
Date: Tue, 25 Jul 2006 19:18:44
Message-Id: 20060725211507.48ae5e3a.hilse@web.de
In Reply to: Re: [gentoo-user] apache/php: chroot? by Jarry
Hi,

On Tue, 25 Jul 2006 19:33:29 +0200
Jarry <jarry@×××.net> wrote:

> Hans-Werner Hilse wrote:
>
> > This won't work. Apache doesn't have inbuilt chroot facilities, AFAIK.
> > Like most of the other standard internet services. You would have to
> > set up a chroot env (all dependent libraries and stuff) for that. But
> > there's nothing similar to a chroot automatic in apache. BTW, such a
> > thing would probably break all CGIs.
>
> I got this idea reading "Securing & Optimizing Linux 3.0", where
> apache and php are running in chroot (+ a few more services like
> ssh, snort, ntp, bind, dhcp, ldap, mod_perl).
>
> Unfortunately, the book is a little out-of-date, and it is not
> easy to apply it to gentoo. But I think running apache+php+mod_perl
> in chroot would definitely be a nice feature...

Yes, certainly. There is a difference, though, between programs that
have chroot functionality built in and those you need to set up a chroot
jail for. I thought you were asking for the former. In fact, you can
set up any application to run chroot'ed. But in order to do this, you
need to set up a "jail". That would include needed libraries and
configuration and data. Then you can use that as a chroot jail for the
application by running it via the chroot executable (man 1 chroot).

OTOH, there are programs that chroot themselves. They call chroot()
(man 2 chroot) after reading configuration and thus restrict their own
filesystem namespace to just the needed excerpt with the data files. So
if an attacker injects code, it cannot access most parts of the
filesystem.

For Apache there's always the first option, to set up a jail. There's
app-misc/jail to support that task. When finished, you would have to
edit apache's init.d script in order to call
"chroot /jail/usr/bin/httpd2-prefork" instead of
"/usr/bin/httpd2-prefork" (just an example, I didn't check the init.d
file).

-hwh
--
gentoo-user@g.o mailing list
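As an added illustration of the first approach described above (building a jail by hand, then running the daemon through chroot(1)), here is a small POSIX shell helper that is not from the thread or from app-misc/jail: it copies one binary plus the shared libraries ldd reports for it into a jail directory, preserving absolute paths; the jail path and binary are assumed arguments.

```shell
#!/bin/sh
# Added example: populate a minimal chroot jail for one dynamically
# linked binary. Assumes ldd(1) is available and the caller picks the
# jail directory and binary (e.g. /usr/bin/httpd2-prefork).
set -eu

# build_jail JAIL BINARY: copy BINARY and every shared library ldd lists
# for it into JAIL at the same absolute path, then create the handful of
# directories almost every daemon expects. Config and data files still
# have to be added by hand, based on what the daemon's config references.
build_jail() {
    jail=$1
    bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    # cp without -R follows symlinks, so /bin/sh -> dash becomes a real file.
    cp -p "$bin" "$jail$bin"
    # ldd prints lines like "libc.so.6 => /lib/.../libc.so.6 (0x...)" and the
    # loader as a bare path; keep every field that is an absolute path.
    ldd "$bin" 2>/dev/null |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
    mkdir -p "$jail/dev" "$jail/etc" "$jail/tmp"
    chmod 1777 "$jail/tmp"
    # Note: chroot(2) alone is not a boundary for a process that keeps root,
    # so the jailed daemon must still drop privileges (Apache's User/Group).
}

# jail_has_binary JAIL BINARY: true when the jailed copy exists and is executable.
jail_has_binary() {
    [ -x "$1$2" ]
}

# count_jailed_libs JAIL: number of shared objects copied into the jail.
count_jailed_libs() {
    find "$1" -type f -name '*.so*' | wc -l | tr -d ' '
}
```

After `build_jail /jail /usr/bin/httpd2-prefork`, an init script would start the daemon with `chroot /jail /usr/bin/httpd2-prefork` (chroot(1) takes the new root first, then the command).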