Mailinglist Archive: opensuse-security (145 mails)

Re: [suse-security] chrooted apache
  • From: Philippe Vogel <filiaap@xxxxxxxxxx>
  • Date: Tue, 09 Nov 2004 17:08:00 +0100
  • Message-id: <4190EB60.8070500@xxxxxxxxxx>
John wrote:

> I think that every time YOU updates Apache 2, you have to copy all the apache
> related files to the chroot area except configuration ones.
>
> Am I right?

Yes! Config files are loaded while the daemon gets started (as you can see on chrooted postfix under SuSE).
You have to find out the process-tree and which files depend on the execution of the desired daemon.

This will not be the former problem, because with postfix this is done by a chroot-script.
I got a chrooted apache script (from Togan Muftuoglu) which I tested (with the above script implemented in the runlevel-script) and gave back remarks for changes.

At every restart your script should check if there are changes from chroot to installed version and copy the differences to the chroot-jail.

The problem was finding out which files belong in chroot, and these files change from version to version, especially if you install every plugin for apache (1 or 2).
This will always be a question of how much work you will put in there.
The next question is what you want to implement in chroot (as I saw, /proc access is needed by e.g. phpsysinfo, and over /proc you can access a lot which you normally wouldn't want to be accessible) and which features you want to forbid.

For syslog you have to implement a socket to get logs to syslog otherwise they will not get to syslog.
With mysql I had the problem not getting the socket for it (even on the same machine with or without chroot is a difference).

> ----- Original Message ----- From: "Keith Wilkinson" <nzkiwi@xxxxxxxxxxxxxxxxx>
> To: "John" <isofroni@xxxxxxxxx>
> Sent: Tuesday, November 09, 2004 11:02 AM
> Subject: Re: [suse-security] chrooted apache
>
> I posted this URL on this list back in June.
>
> I also asked about updating with YOU.
> You can find some answers in the list archives.

There are some answers in the archives. A good hint will be using google (*) for more info. Notice: Some articles are written for unix or different distributions than SuSE!
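The restart-time check Philippe describes (work out which files the daemon depends on, compare the jail against the installed tree, copy only what changed) as an added shell example; this is not the Togan Muftuoglu script mentioned in the mail nor any SuSE runlevel script. The jail path /srv/www/chroot, the list-file format and the function names are assumptions made for the example; shared-library dependencies are resolved with ldd, and the /proc check reflects the mail's warning that a mounted /proc exposes more than a web server should see.

```shell
#!/bin/sh
# jail-sync.sh: keep a chroot jail in step with the installed daemon files.
# Assumed layout (not from the mail): JAIL=/srv/www/chroot, and a list file
# naming every host path the daemon needs, one absolute path per line.
JAIL="${JAIL:-/srv/www/chroot}"

# Shared libraries an ELF binary needs, one absolute path per line.
# Only meaningful on the host that actually runs the daemon.
jail_deps() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }   # libfoo.so => /lib/libfoo.so
        $1 ~ /^\//               { print $1 }   # /lib/ld-linux.so.2 (0x...)
    ' | sort -u
}

# Copy one host file into the jail when the jail copy is missing or its
# contents differ. Prints "updated <path>" or "unchanged <path>" for logging.
jail_sync_file() {
    src="$1"
    dst="$JAIL$src"
    if [ -e "$dst" ] && cmp -s "$src" "$dst"; then
        echo "unchanged $src"
        return 0
    fi
    mkdir -p "$(dirname "$dst")"
    cp -p "$src" "$dst"
    echo "updated $src"
}

# Sync every path in the list file (blank lines and '#' comments ignored) and,
# for anything living under a bin/ or sbin/ directory, its library dependencies.
jail_sync_list() {
    list="$1"
    grep -v '^#' "$list" | grep -v '^[[:space:]]*$' | while read -r f; do
        jail_sync_file "$f"
        case "$f" in
            */bin/*|*/sbin/*)
                jail_deps "$f" | while read -r lib; do jail_sync_file "$lib"; done ;;
        esac
    done
}

# True when a /proc appears to be mounted inside the jail. The mail notes that
# /proc gives a chrooted process far more visibility than it normally needs.
jail_proc_mounted() {
    [ -d "$JAIL/proc/self" ]
}

# Run from a start script as: jail-sync.sh sync /etc/apache2/chroot.files
# (the list-file location is an assumption). The jail also needs its own
# /dev/log socket for syslog; with sysklogd that is opened by the syslog
# daemon via "syslogd -a $JAIL/dev/log", not by this script.
if [ "${1:-}" = "sync" ] && [ -n "${2:-}" ]; then
    jail_sync_list "$2"
    if jail_proc_mounted; then
        echo "warning: /proc is mounted inside $JAIL" >&2
    fi
fi
```

Because jail_sync_file compares contents rather than timestamps, a YOU update that replaces a module with the same mtime still gets copied, and a run on an already current jail only prints "unchanged" lines, which makes the restart log easy to grep.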