Thread: [mod-security-users] SecChrootDir in vhost?
From: Rocky O. <ro...@mi...> - 2005-03-24 04:11:01
Are there any plans for adding SecChrootDir directive to <VirtualHost>'s?

--
______________________________________________________________________
what's with today, today?
Email: ro...@mi...
PGP: http://rocky.mindphone.org/rocky_mindphone.org.gpg

From: Ivan R. <iv...@we...> - 2005-03-27 16:10:45
Rocky Olsen wrote:
> Are there any plans for adding SecChrootDir directive to <VirtualHost>'s?

No, because it's not possible. Chroot is an irreversible process, and all Apache children must be capable of serving any of the virtual hosts in the configuration.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Rocky O. <ro...@mi...> - 2005-04-01 10:07:15
Herm, Bugger.

Well, I guess the question to be asked is, does anyone know of a way to chroot Apache inside <VirtualHost>'s. Say when a connection comes in for a vhost and the parent process spawns the child to handle it, that child chroots itself in the vhost's directory?

I realize it's a bit off topic for this list, but might as well ask.

-Rocky

--
______________________________________________________________________
what's with today, today?
Email: ro...@mi...
PGP: http://rocky.mindphone.org/rocky_mindphone.org.gpg

From: Ivan R. <iv...@we...> - 2005-04-04 08:49:30
Rocky Olsen wrote:
> Herm, Bugger.
>
> Well, I guess the question to be asked is, does anyone know of a way to
> chroot Apache inside <VirtualHost>'s. Say when a connection comes in for a
> vhost and the parent process spawns the child to handle it, that child
> chroots itself in the vhost's directory?

For that to happen you would need to run Apache as root, perform chroot and suid on every request, and configure children to die after serving only one request. It's perfectly possible, but would probably suffer a performance penalty. There are suid modules around, but I haven't heard of one that allows chroot too.

But you can do the following:

Run a separate Apache instance for each <VirtualHost>, chrooted and running as the user. Install one Apache instance in front and use it as a reverse proxy.

This is a very secure and flexible solution but it requires a lot of memory. It is thus only suitable when there is a small number of virtual hosts.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
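
The layout described in the last message (one chrooted back-end Apache per site behind a reverse-proxy front end), sketched as configuration. This is an added example and not part of the original thread; host names, ports, paths and account names are constructed, and it assumes Apache 2.x with mod_proxy loaded in the front end and ModSecurity loaded in each back end.

```apache
# ---- front.conf: public instance, used only as a reverse proxy ----
# All names, ports and paths below are constructed for illustration.
Listen 80
# Never act as a forward proxy.
ProxyRequests Off
# Pass the original Host header through to the back end.
ProxyPreserveHost On

<VirtualHost *:80>
    ServerName site-a.example
    ProxyPass        / http://127.0.0.1:8001/
    ProxyPassReverse / http://127.0.0.1:8001/
</VirtualHost>

<VirtualHost *:80>
    ServerName site-b.example
    ProxyPass        / http://127.0.0.1:8002/
    ProxyPassReverse / http://127.0.0.1:8002/
</VirtualHost>

# ---- site-a.conf: back end for site-a, started with its own -f ----
# Bind to loopback so the back end is reachable only through the front end.
Listen 127.0.0.1:8001
ServerName site-a.example
# Each back end runs under its own unprivileged account.
User  site-a
Group site-a
# Each instance needs its own PidFile (relative to its ServerRoot).
PidFile logs/site-a.pid
# SecChrootDir is a server-wide directive: the whole instance is jailed
# once at startup, which is why it cannot be set per <VirtualHost>.
SecChrootDir /chroot/site-a
# Assumption: this path resolves to the same content before and after
# the chroot (for example via a symlink outside the jail).
DocumentRoot /www/site-a/htdocs

# ---- site-b.conf: same pattern, separate jail, account and port ----
Listen 127.0.0.1:8002
ServerName site-b.example
User  site-b
Group site-b
PidFile logs/site-b.pid
SecChrootDir /chroot/site-b
DocumentRoot /www/site-b/htdocs
```

Each back end is a full Apache parent with its own child processes, which is where the memory cost mentioned above comes from.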