I suppose you mean the actual chroot and not mod_chroot or mod_security (???) Let me ask you something. If an apache version is vulnerable, and someone using a script or something manages to install a backdoor on the server (let's say in /tmp, which means /chroot/tmp), could he install it and then open the port?

They could. But, if they log in (suppose a login backdoor) they'll see the chrooted env. You must take more security measures to avoid that. I prefer having tmp mounted as noexec. Obviously, that doesn't work if someone uploads a perl script and then executes perl to launch it.. but every measure counts.

Give me some more advantages on actual chroot. Thanks in advance.

----- Original Message -----
From: "Farid Izem" <farid.izem@xxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Wednesday, March 02, 2005 7:45 PM
Subject: Re: [users@httpd] Problem Starting Apache Chrooted

Didn't look at the security issues as I'm trying to understand the chroot mechanism, not only for Apache but also for Squid and bind! I think this module can increase the security in the near future!

Kind Regards,
Farid.

On Wed, 2 Mar 2005 15:21:22 +0200, John <isofroni@xxxxxxxxx> wrote:

Ok, but if you look in the bugs history then you will find that mod_security has been suffering from various security problems. I have heard that it is a good module for chroot and other security hardening.

----- Original Message -----
From: "Farid Izem" <farid.izem@xxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Wednesday, March 02, 2005 10:33 AM
Subject: Re: [users@httpd] Problem Starting Apache Chrooted

Yes, I said mod_security not mod_chroot. Take a look at: http://www.modsecurity.org/documentation/apache-internal-chroot.html

Best Regards,
Farid.

On Tue, 1 Mar 2005 20:53:39 +0200, John <isofroni@xxxxxxxxx> wrote:

----- Original Message -----
From: "Farid Izem" <farid.izem@xxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Tuesday, March 01, 2005 7:39 PM
Subject: Re: [users@httpd] Problem Starting Apache Chrooted

Not yet thinking on! I compiled my apache from the latest source before chrooting it. Maybe using a shell script using the ldd command may be the first way to look at. Using the rpm httpd file and mod_security is the easiest solution to upgrade, because mod_security provides a simple solution to chroot apache easily. There are some limits to this mechanism but maybe it could be enough for you. Any ideas are welcome!

Kind Regards,
Farid

mod_security or mod_chroot? mod_chroot is more focused on chrooting apache's process I think.

What are the limitations you mentioned on this mechanism?
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
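Farid's suggestion of "a shell script using the ldd command" to find what a chrooted httpd needs, written out as an added example. This is not code from the thread, from Apache or from mod_security; it assumes the Linux ldd output format ("name => /path (addr)" and "/path (addr)" lines), a POSIX sh with awk, and that the caller may write into the chroot directory. The /chroot path and the httpd location in the usage comment are illustrative, and the ldd sample at the bottom is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: copy a binary and the shared libraries
# ldd reports for it into a chroot directory, preserving the original paths.
# Assumes the Linux ldd output format.

# parse_ldd_libs: read ldd output on stdin, print one absolute library path
# per line. Virtual objects such as linux-vdso.so.1 have no file and are
# skipped; "=> not found" entries are reported on stderr and skipped, since
# a chroot missing a library fails only when the daemon is exec'd inside it.
parse_ldd_libs() {
    awk '
        /=> not found/ { print "missing library: " $1 > "/dev/stderr"; next }
        /=>/           { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//     { print $1 }
    '
}

# copy_deps BINARY CHROOT: copy BINARY plus its libraries into CHROOT.
# Refuses a relative CHROOT so that "$root$lib" can never resolve outside it.
# Only the binary and its libraries are copied: config files, log directories,
# /dev/null and name-service files still have to be provided separately.
copy_deps() {
    bin=$1
    root=$2
    case $root in
        /*) ;;
        *) echo "chroot directory must be an absolute path: $root" >&2; return 1 ;;
    esac
    mkdir -p "$root$(dirname "$bin")" && cp "$bin" "$root$bin" || return 1
    for lib in $(ldd "$bin" | parse_ldd_libs); do
        mkdir -p "$root$(dirname "$lib")" && cp "$lib" "$root$lib" || return 1
    done
}

# sample_ldd_output: constructed ldd output for offline demonstration; the
# library names and load addresses are made up, not taken from a real host.
sample_ldd_output() {
    printf '\t%s\n' \
        'linux-vdso.so.1 (0x00007ffd1a9f0000)' \
        'libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f2a3c000000)' \
        'libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a3bc00000)' \
        '/lib64/ld-linux-x86-64.so.2 (0x00007f2a3c400000)'
}

# Usage on a real host (illustrative paths):
#   copy_deps /usr/local/apache2/bin/httpd /chroot
# Offline demonstration of the parser on the constructed sample:
sample_ldd_output | parse_ldd_libs
```

Run the same copy_deps for every helper httpd spawns (CGI interpreters, the suexec wrapper) so that each has its libraries inside the chroot, and keep the result minimal: the fewer executables that exist under /chroot, the less an attacker who lands in /chroot/tmp has to work with, which is the point of the noexec and chroot layering discussed above.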