Rocky Olsen wrote:
> Herm, Bugger.
>
> Well I guess the question to be asked is, does anyone know of a way to
> chroot apache inside <VirtualHost>'s. Say when a connection comes in for a
> vhost and the parent process spawns the child to handle it, that child
> chroot's itself in the vhost's directory?

For that to happen you would need to run Apache as root, perform
chroot and suid on every request, and configure children to die
after serving only one request. It's perfectly possible, but would
probably suffer a performance penalty. There are suid modules
around, but I haven't heard of one that allows chroot too.

But you can do the following:

Run a separate Apache instance for each <VirtualHost>, chrooted
and running as the user. Install one Apache instance in front
and use it as a reverse proxy. This is a very secure and flexible
solution but it requires a lot of memory. It is thus only suitable
when there is a small number of virtual hosts.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
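
The layout described in the reply above, sketched as an added configuration example that is not part of the original message. It assumes Apache httpd 2.4 with mod_proxy, mod_proxy_http and mod_unixd (which provides ChrootDir) loaded; the hostnames, ports, account names and paths are constructed placeholders.

```apache
# ---- front.conf: the only instance reachable from the network ----
Listen 80
# Reverse proxy only; never act as an open forward proxy.
ProxyRequests Off

<VirtualHost *:80>
    ServerName site-a.example
    # Pass the original Host header through to the backend.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8001/
    ProxyPassReverse / http://127.0.0.1:8001/
</VirtualHost>

<VirtualHost *:80>
    ServerName site-b.example
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8002/
    ProxyPassReverse / http://127.0.0.1:8002/
</VirtualHost>

# ---- site-a.conf: one backend instance per virtual host ----
# Start as root (httpd -f /etc/httpd/site-a.conf) so the parent can
# chroot; the children then run as the unprivileged account below.
# Loopback only, so the backend is reachable solely through the front proxy.
Listen 127.0.0.1:8001
ServerName site-a.example
# Opened before the chroot, so these are paths on the real filesystem.
PidFile  /var/run/httpd-site-a.pid
ErrorLog /var/log/httpd/site-a-error.log
# A dedicated account per site, shared with no other instance.
User  sitea
Group sitea
# chroot(2) happens after startup and before requests are accepted.
ChrootDir /srv/jail/site-a
# Resolved at request time, i.e. relative to the new root:
# this is /srv/jail/site-a/htdocs on the real filesystem.
DocumentRoot /htdocs

# ---- site-b.conf: same pattern, different port, account and jail ----
Listen 127.0.0.1:8002
ServerName site-b.example
PidFile  /var/run/httpd-site-b.pid
ErrorLog /var/log/httpd/site-b-error.log
User  siteb
Group siteb
ChrootDir /srv/jail/site-b
DocumentRoot /htdocs
```

Each backend carries its own full set of httpd processes, which is where the memory cost mentioned above comes from.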