mod_chroot 0.5 review
DownloadYou don't need to create a special directory hierarchy containing /dev, /lib, /etc... Why chroot? For security. chroot(2) ch
|
|
You don't need to create a special directory hierarchy containing /dev, /lib, /etc...
Why chroot?
For security.
chroot(2) changes the root directory of a process to a directory other than "/". It means the process is locked inside a virtual filesystem root. If you configure your chroot jail properly, Apache and its child processes (think CGI scripts) won't be able to access anything except the jail.
A non-root process is not able to leave a chroot jail. Still it's not wise to put device files, suid binaries or hardlinks inside the jail.
chroot - the hard way
There are many documents about running programs inside a chroot jail. Some daemons (tinydns, dnscache, vsftpd) support it out of the box. For others (like Apache) you need to carefully build a "virtual root", containing every file the program may need. This usually includes:
C library
various other libraries (libssl? libm? libmysqlclient?)
resolver configuration files (/etc/nsswitch.conf, /etc/resolv.conf)
user files (/etc/passwd, /etc/group)
separate directory for log files
additional modules needed by the program (for Apache: mod_php and other modules)
Creating this structure is great fun. Run the program, read the error message, copy the missing file, start over. Now think about upgrading - you have to keep your "virtual root" current - if there is a bug in libssl, you need to put a new version in two places. Scared enough? Read on.
Requirements:
Apache 1.3, 2.x
mod_chroot 0.5 search tags