Hi,

On Tue, 25 Jul 2006 19:33:29 +0200
Jarry <jarry@×××.net> wrote:

> Hans-Werner Hilse wrote:
>
> > This won't work. Apache doesn't have inbuilt chroot facilities, AFAIK.
> > Like most of the other standard internet services. You would have to
> > set up a chroot env (all dependent libraries and stuff) for that. But
> > there's nothing similar to a chroot automatic in apache. BTW, such a
> > thing would probably break all CGIs.
>
> I got this idea reading "Securing & Optimizing Linux 3.0", where
> apache and php are running in chroot (+ a few more services like
> ssh, snort, ntp, bind, dhcp, ldap, mod_perl).
>
> Unfortunately, the book is a little out-of-date, and it is not
> easy to apply it to gentoo. But I think running apache+php+mod_perl
> in chroot would be a definitely nice feature...

Yes, certainly. There is a difference, though, between programs that
have chroot functionality built in and those you need to set up a chroot
jail for. I thought you were asking for the former. In fact, you can
set up any application to run chroot'ed. But in order to do this, you
need to set up a "jail". That would include needed libraries and
configuration and data. Then you can use that as a chroot jail for the
application by running it via the chroot executable (man 1 chroot).

OTOH, there are programs that chroot themselves. They call chroot()
(man 2 chroot) after reading configuration and thus restrict their own
filesystem namespace to just the needed excerpt with the data files. So
if an attacker injects code, it cannot access most parts of the
filesystem.

For Apache there's always the first option, to set up a jail. There's
app-misc/jail to support that task. When finished, you would have to
edit apache's init.d script in order to call
"chroot /jail/usr/bin/httpd2-prefork" instead of
"/usr/bin/httpd2-prefork" (just an example, I didn't check the init.d
file).

-hwh
--
gentoo-user@g.o mailing list
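The "program chroots itself" sequence Hans-Werner describes (read configuration first, then chroot(2)), as an added C example that is not from the thread, from Apache or from app-misc/jail; the jail path, the uid/gid and the helper names are assumptions:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: the jail root must exist, be a directory, be owned
 * by root and not be group/world-writable, otherwise the service user could
 * plant files that the jailed process later trusts. Returns 1 if acceptable. */
int jail_dir_ok(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return 1;
}

/* Self-chroot sequence. Order matters: chroot(2) needs root (CAP_SYS_CHROOT),
 * so it runs before the privilege drop; chdir("/") moves the cwd inside the
 * new root, otherwise the old tree stays reachable through the open cwd;
 * supplementary groups, gid and uid are then dropped, because a process that
 * stays root can walk back out of a chroot.
 * Returns 0 on success, -1 with errno set on failure. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (!jail_dir_ok(jail)) { errno = EINVAL; return -1; }
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm root is really gone: regaining uid 0 must now fail. */
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    /* Configuration is read here, before the chroot, so it need not live in the jail. */
    const char *jail = "/var/jail";          /* assumed jail path */
    if (enter_jail(jail, 65534, 65534) != 0) {
        perror("enter_jail");                /* EPERM when not started as root */
        return 1;
    }
    puts("running inside the jail as an unprivileged user");
    return 0;
}
```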