* [gentoo-user] apache/php: chroot?
From: Jarry
Date: 2006-07-23 16:16 UTC
To: gentoo-user

Hi,

Recently I installed bind, which supports chrooting "right out of the box". Very nice feature, I was positively surprised...

Now my question is: does apache/php support chrooting too? And are there some other services which can be chrooted like bind?

Jarry
-- 
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] apache/php: chroot?
From: Alex
Date: 2006-07-24 19:42 UTC
To: gentoo-user

Hi,

On Sun, Jul 23, 2006 at 06:16:23PM +0200, Jarry wrote:
> Hi,
>
> Recently I installed bind, which supports chrooting
> "right out of the box". Very nice feature, I was positively
> surprised...
>
> Now my question is: does apache/php support chrooting too?
> And are there some other services, which can be chrooted
> like bind?

Should work without any problems, like most of the other standard internet services. Try and have a look ;-)

greetz
alex
-- 
* IMPORTANT: 217 config files in /etc need updating
-- 
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] apache/php: chroot?
From: Hans-Werner Hilse
Date: 2006-07-25 11:18 UTC
To: gentoo-user

Hi,

On Mon, 24 Jul 2006 21:42:46 +0200 Alex <alex@zengers.de> wrote:
> > Now my question is: does apache/php support chrooting too?
> > And are there some other services, which can be chrooted
> > like bind?
>
> should work without any problems, like most of the other
> standard internet services.
> try and have a look ;-)

This won't work. Apache doesn't have inbuilt chroot facilities, AFAIK. Like most of the other standard internet services. You would have to set up a chroot env (all dependent libraries and stuff) for that. But there's nothing similar to a chroot automatic in apache. BTW, such a thing would probably break all CGIs.

-hwh
-- 
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] apache/php: chroot?
From: Jarry
Date: 2006-07-25 17:33 UTC
To: gentoo-user

Hans-Werner Hilse wrote:
> This won't work. Apache doesn't have inbuilt chroot facilities, AFAIK.
> Like most of the other standard internet services. You would have to
> set up a chroot env (all dependent libraries and stuff) for that. But
> there's nothing similar to a chroot automatic in apache. BTW, such a
> thing would probably break all CGIs.

I got this idea reading "Securing & Optimizing Linux 3.0", where apache and php are running in chroot (+ a few more services like ssh, snort, ntp, bind, dhcp, ldap, mod_perl).

Unfortunately, the book is a little out-of-date, and it is not easy to apply it to gentoo. But I think running apache+php+mod_perl in chroot would definitely be a nice feature...

Jarry
-- 
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] apache/php: chroot?
From: Hans-Werner Hilse
Date: 2006-07-25 19:15 UTC
To: gentoo-user

Hi,

On Tue, 25 Jul 2006 19:33:29 +0200 Jarry <jarry@gmx.net> wrote:
> Hans-Werner Hilse wrote:
>
> > This won't work. Apache doesn't have inbuilt chroot facilities, AFAIK.
> > Like most of the other standard internet services. You would have to
> > set up a chroot env (all dependent libraries and stuff) for that. But
> > there's nothing similar to a chroot automatic in apache. BTW, such a
> > thing would probably break all CGIs.
>
> I got this idea reading "Securing & Optimizing Linux 3.0", where
> apache and php are running in chroot (+ a few more services like
> ssh, snort, ntp, bind, dhcp, ldap, mod_perl).
>
> Unfortunately, the book is a little out-of-date, and it is not
> easy to apply it to gentoo. But I think running apache+php+mod_perl
> in chroot would definitely be a nice feature...

Yes, certainly. There is a difference, though, between programs that have chroot functionality built in and those you need to set up a chroot jail for. I thought you were asking for the former.

In fact, you can set up any application to run chroot'ed. But in order to do this, you need to set up a "jail". That would include needed libraries and configuration and data. Then you can use that as a chroot jail for the application by running it via the chroot executable (man 1 chroot).

OTOH, there are programs that chroot themselves. They call chroot() (man 2 chroot) after reading configuration and thus restrict their own filesystem namespace to just the needed excerpt with the data files. So if an attacker injects code, it cannot access most parts of the filesystem.

For Apache there's always the first option, to set up a jail. There's app-misc/jail to support that task. When finished, you would have to edit apache's init.d script in order to call "chroot /jail/usr/bin/httpd2-prefork" instead of "/usr/bin/httpd2-prefork" (just an example, I didn't check the init.d file).

-hwh
-- 
gentoo-user@gentoo.org mailing list
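The "set up a jail" route Hans-Werner describes, as an added example that is not part of the thread and not the app-misc/jail tool: a POSIX shell function that copies one program plus every shared library ldd reports for it into a jail directory, keeps only root and the service account in the jail's /etc/passwd, and leaves the program ready to be started with chroot(1). The jail path, program and service user are the caller's arguments; it assumes ldd is available (without it, or for a static binary, only the program itself is copied), and the program's own configuration, document root and log directories still have to be added by hand.

```shell
#!/bin/sh
# Build a chroot jail for one dynamically linked program. Afterwards the
# program is started as:  chroot JAILDIR /path/to/program
# Usage: build_jail JAILDIR /path/to/program [service_user]
build_jail() {
    jail=$1
    bin=$2
    user=${3:-root}   # account allowed in the jail's /etc/passwd besides root
    [ -x "$bin" ] || { echo "build_jail: not an executable: $bin" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")" "$jail/etc" "$jail/tmp" "$jail/dev"
    cp "$bin" "$jail$bin"
    # ldd lines look like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x..)"
    # or "/lib64/ld-linux-x86-64.so.2 (0x..)"; every absolute path it prints
    # is a file the program needs at run time, so mirror it under the jail.
    if command -v ldd >/dev/null 2>&1; then
        ldd "$bin" 2>/dev/null | while read -r line; do
            for tok in $line; do
                case $tok in
                    /*) [ -f "$tok" ] || continue
                        mkdir -p "$jail$(dirname "$tok")"
                        cp "$tok" "$jail$tok" ;;
                esac
            done
        done
    fi
    # Least privilege: only root and the service account exist inside the jail,
    # so a compromised process sees no other accounts.
    if [ -f /etc/passwd ]; then
        grep -E "^(root|$user):" /etc/passwd > "$jail/etc/passwd" || :
        grep -E "^(root|$user):" /etc/group  > "$jail/etc/group"  || :
    fi
    chmod 1777 "$jail/tmp"
    return 0
}
```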