From: Hans-Werner Hilse
To: gentoo-user@lists.gentoo.org
Date: Tue, 25 Jul 2006 21:15:07 +0200
Subject: Re: [gentoo-user] apache/php: chroot?
Message-Id: <20060725211507.48ae5e3a.hilse@web.de>
In-Reply-To: <44C655E9.4010408@gmx.net>
References: <44C3A0D7.4020609@gmx.net> <20060724194246.GA4539@zengers.de> <20060725131833.a0b0445f.hilse@web.de> <44C655E9.4010408@gmx.net>

Hi,

On Tue, 25 Jul 2006 19:33:29 +0200 Jarry wrote:

> Hans-Werner Hilse wrote:
>
> > This won't work. Apache doesn't have inbuilt chroot facilities, AFAIK.
> > Like most of the other standard internet services. You would have to
> > set up a chroot env (all dependent libraries and stuff) for that. But
> > there's nothing similar to a chroot automatic in apache. BTW, such a
> > thing would probably break all CGIs.
>
> I got this idea reading "Securing & Optimizing Linux 3.0", where
> apache and php are running in chroot (+ a few more services like
> ssh, snort, ntp, bind, dhcp, ldap, mod_perl).
>
> Unfortunately, the book is a little out-of-date, and it is not
> easy to apply it to gentoo. But I think running apache+php+mod_perl
> in chroot would definitely be a nice feature...

Yes, certainly. There is a difference, though, between programs that
have chroot functionality built in and those you need to set up a
chroot jail for. I thought you were asking for the former.

In fact, you can set up any application to run chroot'ed. But in order
to do this, you need to set up a "jail".
That would include the needed libraries, configuration and data. Then
you can use that as a chroot jail for the application by running it via
the chroot executable (man 1 chroot).

OTOH, there are programs that chroot themselves. They call chroot()
(man 2 chroot) after reading their configuration and thus restrict
their own filesystem namespace to just the needed excerpt with the data
files. So if an attacker injects code, it cannot access most parts of
the filesystem.

For Apache there's always the first option, to set up a jail. There's
app-misc/jail to support that task. When finished, you would have to
edit apache's init.d script in order to call
"chroot /jail/usr/bin/httpd2-prefork" instead of
"/usr/bin/httpd2-prefork" (just an example, I didn't check the init.d
file).

-hwh
-- 
gentoo-user@gentoo.org mailing list
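The jail-building step the message describes (copy the binary, the
libraries it links against and the dynamic loader into a directory,
then start it through chroot(1)) is small enough to do by hand. The
script below is an added example for this thread; it is not
app-misc/jail and not code from the original message. It assumes a
Linux host with ldd(1), awk and the POSIX utilities, and takes a jail
directory and an absolute binary path as hypothetical arguments (for
example /jail and /usr/bin/httpd2-prefork). It does not create /dev
nodes, which need mknod as root, and the chroot(1) call itself needs
root. Two caveats a practitioner should keep in mind: the copied
libraries go stale on every host upgrade, so re-run the check after
emerging glibc or openssl; and chroot is no barrier for a process that
keeps uid 0, so the jailed daemon must still drop privileges (Apache
does via User/Group).

```shell
#!/bin/sh
# mkjail.sh: populate a minimal chroot jail for one dynamically linked
# binary. Added example; not app-misc/jail, not code from the thread.
# Assumes Linux with ldd(1) and awk. Usage: mkjail.sh JAILDIR /abs/bin
set -eu

# Print the absolute paths ldd(1) resolves for binary $1, including the
# dynamic loader (e.g. /lib64/ld-linux-x86-64.so.2). Prints nothing for a
# static binary or when ldd is unavailable.
jail_deps() {
    # ldd lines look like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x..)"
    # or "/lib64/ld-linux-x86-64.so.2 (0x..)"; keep every field that is an
    # absolute path and really exists (filters linux-vdso.so.1 and error text).
    ldd "$1" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
        | sort -u \
        | while read -r p; do
            if [ -f "$p" ]; then printf '%s\n' "$p"; fi
          done
}

# Copy host path $2 into jail $1 at the same path. Symlink chains (for
# example /bin/sh -> dash, libc.so.6 -> libc-2.x.so) are reproduced link
# by link so the path the program expects still resolves inside the jail.
# Absolute link targets are kept verbatim: they are correct under the new
# root. Ownership is not preserved; build the jail as root so files end
# up root-owned and read-only for the daemon's uid.
jail_copy() {
    jail=$1; src=$2; hops=0
    while [ -L "$src" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || { echo "symlink loop: $2" >&2; return 1; }
        target=$(readlink "$src")
        mkdir -p "$jail$(dirname "$src")"
        rm -f "$jail$src"
        ln -s "$target" "$jail$src"
        case $target in
            /*) src=$target ;;
            *)  src=$(dirname "$src")/$target ;;
        esac
    done
    mkdir -p "$jail$(dirname "$src")"
    cp "$src" "$jail$src"
}

# Build jail $1 for binary $2: skeleton directories, the binary and its
# shared objects. Config files, /etc/passwd, locale data and /dev nodes
# are the administrator's job; chroot(2) provides none of them.
build_jail() {
    jail=$1; bin=$2
    case $bin in
        /*) ;;
        *)  echo "binary path must be absolute: $bin" >&2; return 1 ;;
    esac
    [ -x "$bin" ] || { echo "not an executable: $bin" >&2; return 1; }
    mkdir -p "$jail/dev" "$jail/etc" "$jail/tmp"
    chmod 1777 "$jail/tmp"
    jail_copy "$jail" "$bin"
    for lib in $(jail_deps "$bin"); do
        jail_copy "$jail" "$lib"
    done
}

# Check that the binary and every object ldd reports exist under the
# jail. Returns non-zero on the first missing file; run it after host
# library upgrades, because the copies inside the jail do not follow them.
verify_jail() {
    jail=$1; bin=$2
    [ -f "$jail$bin" ] || { echo "missing: $jail$bin" >&2; return 1; }
    for lib in $(jail_deps "$bin"); do
        [ -f "$jail$lib" ] || { echo "missing: $jail$lib" >&2; return 1; }
    done
}

# Start a command inside jail $1 (needs root). This is what the init.d
# script would call; the command path is relative to the jail root.
run_jailed() {
    jail=$1; shift
    exec chroot "$jail" "$@"
}

# Command-line entry point; does nothing when sourced without arguments.
if [ $# -ge 2 ]; then
    build_jail "$1" "$2" && verify_jail "$1" "$2" && echo "jail ready: $1"
fi
```

A daemon started this way still needs its own configuration and data
copied under the jail, and the init.d script has to pass paths as the
jailed process will see them (relative to the new root, not to the
host).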