public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] apache/php: chroot?
From: Jarry @ 2006-07-23 16:16 UTC
  To: gentoo-user

Hi,

Recently I installed bind, which supports chrooting
"right out of the box". Very nice feature, I was positively
surprised...

Now my question is: does apache/php support chrooting too?
And are there some other services, which can be chrooted
like bind?

Jarry



-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] apache/php: chroot?
From: Alex @ 2006-07-24 19:42 UTC
  To: gentoo-user

Hi,

On Sun, Jul 23, 2006 at 06:16:23PM +0200, Jarry wrote:
> Hi,
> 
> Recently I installed bind, which supports chrooting
> "right out of the box". Very nice feature, I was positively
> surprised...
> 
> Now my question is: does apache/php support chrooting too?
> And are there some other services, which can be chrooted
> like bind?

should work without any problems, like most of the other
standard internet services.
try and have a look ;-)

greetz

alex

-- 
* IMPORTANT: 217 config files in /etc need updating
-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] apache/php: chroot?
From: Hans-Werner Hilse @ 2006-07-25 11:18 UTC
  To: gentoo-user

Hi,

On Mon, 24 Jul 2006 21:42:46 +0200 Alex <alex@zengers.de> wrote:

> > Now my question is: does apache/php support chrooting too?
> > And are there some other services, which can be chrooted
> > like bind?
> 
> should work without any problems, like most of the other
> standard internet services.
> try and have a look ;-)

This won't work. Apache doesn't have inbuilt chroot facilities, AFAIK.
Like most of the other standard internet services. You would have to
set up a chroot env (all dependent libraries and stuff) for that. But
there's nothing similar to a chroot automatic in apache. BTW, such a
thing would probably break all CGIs.

-hwh
-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] apache/php: chroot?
From: Jarry @ 2006-07-25 17:33 UTC
  To: gentoo-user

Hans-Werner Hilse wrote:

> This won't work. Apache doesn't have inbuilt chroot facilities, AFAIK.
> Like most of the other standard internet services. You would have to
> set up a chroot env (all dependent libraries and stuff) for that. But
> there's nothing similar to a chroot automatic in apache. BTW, such a
> thing would probably break all CGIs.

I got this idea reading "Securing & Optimizing Linux 3.0", where
apache and php are running in chroot (+ a few more services like
ssh, snort, ntp, bind, dhcp, ldap, mod_perl).

Unfortunately, the book is a little out-of-date, and it is not
easy to apply it to gentoo. But I think running apache+php+mod_perl
in chroot would definitely be a nice feature...

Jarry
-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] apache/php: chroot?
From: Hans-Werner Hilse @ 2006-07-25 19:15 UTC
  To: gentoo-user

Hi,

On Tue, 25 Jul 2006 19:33:29 +0200
Jarry <jarry@gmx.net> wrote:

> Hans-Werner Hilse wrote:
> 
> > This won't work. Apache doesn't have inbuilt chroot facilities, AFAIK.
> > Like most of the other standard internet services. You would have to
> > set up a chroot env (all dependent libraries and stuff) for that. But
> > there's nothing similar to a chroot automatic in apache. BTW, such a
> > thing would probably break all CGIs.
> 
> I got this idea reading "Securing & Optimizing Linux 3.0", where
> apache and php are running in chroot (+ a few more services like
> ssh, snort, ntp, bind, dhcp, ldap, mod_perl).
> 
> Unfortunately, the book is a little out-of-date, and it is not
> easy to apply it to gentoo. But I think running apache+php+mod_perl
> in chroot would definitely be a nice feature...

Yes, certainly. There is a difference, though, between programs that
have chroot-functionality built-in and those you need to set up a chroot
jail for. I thought you were asking for the former. In fact, you can
set up any application to run chroot'ed. But in order to do this, you
need to set up a "jail". That would include needed libraries and
configuration and data. Then you can use that as a chroot jail for the
application by running it via the chroot executable (man 1 chroot).

OTOH, there are programs that chroot themselves. They call chroot()
(man 2 chroot) after reading configuration and thus restrict their own
filesystem namespace to just the needed excerpt with the data files. So
if an attacker injects code, it cannot access most parts of the
filesystem.

For Apache there's always the first option, to set up a jail. There's
app-misc/jail to support that task. When finished, you would have to
edit apache's init.d script in order to call
"chroot /jail/usr/bin/httpd2-prefork" instead of
"/usr/bin/httpd2-prefork" (just an example, I didn't check the init.d
file).

-hwh
-- 
gentoo-user@gentoo.org mailing list
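An added example of the external-jail route Hans-Werner describes (not code from the thread or from app-misc/jail): a POSIX shell script that assembles the "jail" for one binary by copying it, the shared libraries ldd reports, and any config or data files passed on the command line, all at their original paths. The jail location and the extra files are assumptions; chroot(1) needs root and takes the new root first, then the command path as seen inside the jail, so it appears only in a comment.

```shell
#!/bin/sh
# Added example, not code from the thread or from app-misc/jail.
# Assembles a minimal chroot jail for one dynamically linked binary:
# the binary, the shared objects ldd reports (including the dynamic
# loader) and any extra config/data files, all at their original paths.

# list_libs BINARY: print the absolute paths of BINARY's shared objects.
# ldd prints "libc.so.6 => /path (0x...)" for libraries and a bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)" line for the loader; entries
# without a path (vdso) and static binaries yield nothing.
list_libs() {
    ldd "$1" 2>/dev/null | awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    ' || true
}

# install_file JAIL /abs/path: copy the file into JAIL at the same path,
# dereferencing symlinks so the jail holds the real object.
install_file() {
    mkdir -p "$1$(dirname "$2")"
    cp -L "$2" "$1$2"
}

# build_jail JAIL BINARY [EXTRA_FILE...]: create JAIL and populate it.
# Device nodes (/dev/null etc.) need root to create and are left out.
build_jail() {
    _jail=$1; _bin=$2; shift 2
    mkdir -p "$_jail/dev" "$_jail/etc" "$_jail/tmp"
    chmod 1777 "$_jail/tmp"
    install_file "$_jail" "$_bin"
    for _lib in $(list_libs "$_bin"); do
        install_file "$_jail" "$_lib"
    done
    for _extra in "$@"; do
        install_file "$_jail" "$_extra"
    done
}

# jail_has JAIL /abs/path: succeed if the file was placed in the jail.
jail_has() { [ -e "$1$2" ]; }

# Usage (the jail path is a constructed example; the chroot line needs
# root and is what an init script would run: new root first, then the
# command path as seen from inside the jail):
#   build_jail /var/jail/demo /bin/sh /etc/hosts
#   chroot /var/jail/demo /bin/sh -c 'ls /'
```

The same procedure applies to httpd: pass its binary and the modules and config it loads, and expect to add device nodes and the data directory by hand.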



