Re: [mod-security-users] SecChrootDir - RH 8.0, Apache 2.0.40, and PHP 4.2.2
From: Ivan R. <iv...@we...> - 2004-01-18 01:41:59
L. Christopher Luther wrote:
> I've never tried a chroot() operation before, so go easy on me.
>
> My apache configuration (Red Hat 8.0 distribution) is as follows:
>
> ...
>
> So, how do I SecChrootDir this mess?
>
> Should I simply move the entire /var/www to /chroot/var/www

Yes.

> and also create
> /chroot/var/run

Might not be necessary. Probably will be if you are also using mod_ssl because it creates new files at runtime.

> and /chroot/var/log/httpd directories?

No, the logs can stay where they are.

> Will the symlinks to
> the /var/log/httpd and /var/run folders mess things up?

Not for the log files, probably for the files in /var/run generated after the chroot. I've never tried to create a symlink out of a jail though, could be wrong.

> And finally (I hope), what about the various scripts (e.g.,
> /etc/rc.d/init.d/httpd) and logrotate configuration (/etc/logrotate.d/httpd)
> files?

Log rotation will be fine, but the graceful restart won't work (that is one of the drawbacks of this method of chrooting).

> I should also note that this particular web site used PHP and MySQL access
> through PHP extensively. Will the forked httpd processes still be able to
> access PHP?

Yes. You didn't say whether you have anything running out of the cgi-bin? Whatever is in there (if anything) will probably need some runtime libraries too.

> In Red Hat 8.0 PHP (4.2.2) is handled through Apache (2.0.40)
> input/output filters -- the mod_security way of configuring for PHP (i.e.,
> AddHandler application/x-httpd-php .php) doesn't seem to work with this
> particular match-up of Apache and PHP.

This is not related to mod_security, but I think it would be better to upgrade both Apache and PHP to latest versions. Earlier versions are generally known to have problems (e.g. the apache2filter PHP interface was abandoned for that very reason).

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
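An added example, not part of the reply above or of the ModSecurity distribution: a pre-flight check for the symlink question, listing every symlink under the jail and where it will point once the server has chrooted. The function name `check_jail_links` and any jail layout passed to it are assumptions; `readlink -f` needs GNU coreutils or BusyBox.

```shell
#!/bin/sh
# check_jail_links JAIL   (hypothetical helper, added for illustration)
# Classifies each symlink under JAIL by what it resolves to after chroot(JAIL):
#   ok       target exists inside the jail
#   broken   target does not exist from inside the jail
#   outside  target exists on the host but lies outside the jail, so the
#            chrooted process will not reach that host path
# Only the link's own target is translated into the jail; links nested
# inside the target path are followed with the host's root.
# Returns 0 if every link is ok, 1 otherwise, 2 if JAIL is not a directory.
check_jail_links() {
    jail=$(readlink -f "$1") || return 2
    [ -d "$jail" ] || return 2
    rc=0
    links=$(find "$jail" -type l)    # -type l lists links without following them
    while IFS= read -r link; do
        [ -n "$link" ] || continue
        target=$(readlink "$link")
        case $target in
            /*) seen="$jail$target" ;;                 # absolute: "/" becomes the jail root
            *)  seen="$(dirname "$link")/$target" ;;   # relative: from the link's directory
        esac
        real=$(readlink -f "$seen" 2>/dev/null) || real=
        if [ -z "$real" ] || [ ! -e "$real" ]; then
            state=broken; rc=1
        else
            case "$real/" in
                "$jail"/*) state=ok ;;
                *)         state=outside; rc=1 ;;
            esac
        fi
        printf '%s\t%s -> %s\n' "$state" "${link#"$jail"}" "$target"
    done <<EOF
$links
EOF
    return $rc
}
```

Run it as `check_jail_links /chroot` before enabling `SecChrootDir /chroot`; any `broken` or `outside` line names a link whose target has to be created or copied inside the jail.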