Re: [mod-security-users] Using SecChrootDir Directive

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Lee Mehlhorn wrote:
> 
> I'm running Apache 2.0.53 using mod_security 1.8.7.  I've installed 
> modsecurity successfully and it seems to be working using a very simple 
> ruleset on my test box.
> 
> Apache Installation:  /usr/local/apache
> Document Root: /webs
> Apache Logs: /webs/logs
> 
> Setting up SecChrootDir  /chroot/apache
> Okay, this is probably the part I'm confused about, setting up the 
> directories underneath the /chroot directory.   Do I symbolic links to 
> the apache install directory for each subfolder?  what do I do about my 
> document root and or logs directory?  Should I use symbolic links for 
> them as well?

   You could put your document root into the jail:

   cd /
   mv /webs /chroot/apache/webs
   ln -s /chroot/apache/webs

   and try with:

   SecChrootDir /chroot/apache

   Everything else can remain outside jail but there are consequences
   (e.g. you won't be able to restart Apache, just stop-start it).

   You will probably need to have /chroot/apache/usr/local/apache/logs
   too, as Apache 2 attempts to create some files after the chroot
   and that's the default directory for them.

   There's extensive documentation available here:
   http://www.apachesecurity.net/download/apachesecurity-ch02.pdf

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org