Well, fortunately the invader will not access the system unless he breaks the chroot() function of the kernel.

----- Original Message -----
From: "Ivan Barrera A." <Bruce@xxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Thursday, March 03, 2005 2:31 PM
Subject: Re: [users@httpd] Problem Starting Apache Chrooted

> > I suppose you mean the actual chroot and not mod_chroot or mod_security
> > (???)
> >
> > Let me ask you something.
> > If an apache version is vulnerable, and someone using a script or something
> > manage to install a backdoor on the server (let say /tmp, that means
> > /chroot/tmp)
> > Could he install it and then open the port?
>
> They could.
> But, if they log in (suppose a login backdoor) they'll see the chrooted env.
> You must take more security measures to avoid that. I prefer having tmp
> mounted as noexec. Obviously, that doesn't work if someone uploads a perl
> script and then executes perl to launch it.. but every measure counts.
>
> > Give me some more advantages on actual chroot.
> >
> > Thanks in advance.
> >
> > ----- Original Message -----
> > From: "Farid Izem" <farid.izem@xxxxxxxxx>
> > To: <users@xxxxxxxxxxxxxxxx>
> > Sent: Wednesday, March 02, 2005 7:45 PM
> > Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> >
> >> Didn't look at the security issues as I am trying to understand the
> >> chroot mechanism
> >> Not only for Apache but also for Squid and bind!
> >>
> >> I think this module can increase the security in the near future!
> >>
> >> Kind Regards,
> >>
> >> Farid.
> >>
> >> On Wed, 2 Mar 2005 15:21:22 +0200, John <isofroni@xxxxxxxxx> wrote:
> >>
> >>> Ok, but if you look in the bugs history then you will find that
> >>> mod_security has been suffering from various security problems.
> >>>
> >>> I have heard that it is a good module for chroot and other security
> >>> hardening.
> >>>
> >>> ----- Original Message -----
> >>> From: "Farid Izem" <farid.izem@xxxxxxxxx>
> >>> To: <users@xxxxxxxxxxxxxxxx>
> >>> Sent: Wednesday, March 02, 2005 10:33 AM
> >>> Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> >>>
> >>>> Yes, I said Mod_security not mod_chroot:
> >>>> Take a look at:
> >>>> http://www.modsecurity.org/documentation/apache-internal-chroot.html
> >>>>
> >>>> Best Regards,
> >>>>
> >>>> Farid.
> >>>>
> >>>> On Tue, 1 Mar 2005 20:53:39 +0200, John <isofroni@xxxxxxxxx> wrote:
> >>>>
> >>>>> ----- Original Message -----
> >>>>> From: "Farid Izem" <farid.izem@xxxxxxxxx>
> >>>>> To: <users@xxxxxxxxxxxxxxxx>
> >>>>> Sent: Tuesday, March 01, 2005 7:39 PM
> >>>>> Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> >>>>>
> >>>>>> Not yet thinking on!
> >>>>>> I compiled my apache from the latest source before chrooting it.
> >>>>>> Maybe using a shell script using ldd command may be the first way
> >>>>>> to look at.
> >>>>>> Using rpm httpd file and mod_security is the easiest solution to
> >>>>>> upgrade, because mod_security provides a simple solution to chroot
> >>>>>> apache easily. There are some limits to this mechanism but maybe it
> >>>>>> could be enough for you.
> >>>>>> Any ideas on are welcome!
> >>>>>>
> >>>>>> Kind Regards,
> >>>>>>
> >>>>>> Farid
> >>>>>
> >>>>> mod_security or mod_chroot?
> >>>>> mod_chroot is more focused on chrooting apache's process I think.
> >>>>>
> >>>>> What are the limitations you mentioned on this mechanism?
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> The official User-To-User support forum of the Apache HTTP Server
> >>>>> Project.
> >>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
> >>>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >>>>>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> >>>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
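Two of the measures discussed in this thread, the ldd-based approach to populating a chroot tree and checking that the jail's tmp is mounted noexec, as an added shell example; this is not code from the thread, from Apache or from mod_security. The function names, the /chroot root and the sample ldd and /proc/mounts output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for building and checking an
# Apache chroot. Sample inputs below are constructed, not captured from a host.

# Print the library paths from ldd-style output read on stdin, one per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; the vdso entry has no path and is skipped.
chroot_libs_from_ldd() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy each path read on stdin into $1 (the chroot root), keeping the directory layout.
# Usage: ldd /usr/sbin/httpd | chroot_libs_from_ldd | copy_into_chroot /chroot
copy_into_chroot() {
    root=$1
    while IFS= read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib"
    done
}

# Report whether mountpoint $1 carries the noexec option, reading /proc/mounts-format
# lines on stdin (field 2 = mountpoint, field 4 = options). Prints "noexec" or "exec";
# exits 1 when the path is not a mountpoint at all (so it inherits its parent's options).
# Usage: mount_exec_status /chroot/tmp < /proc/mounts
mount_exec_status() {
    awk -v mp="$1" '
        $2 == mp { found = 1; if ($4 ~ /(^|,)noexec(,|$)/) print "noexec"; else print "exec" }
        END      { exit (found ? 0 : 1) }
    '
}

# Constructed sample data standing in for "ldd /usr/sbin/httpd" and /proc/mounts.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1c3f0000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f0a1c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1be00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0a1c200000)'
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /chroot/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

printf '%s\n' "$SAMPLE_LDD" | chroot_libs_from_ldd
printf '%s\n' "$SAMPLE_MOUNTS" | mount_exec_status /chroot/tmp   # noexec
printf '%s\n' "$SAMPLE_MOUNTS" | mount_exec_status /tmp          # exec
```

As the thread notes, noexec stops a dropped binary but not `perl script.pl`, so the mount check is one layer, not the whole defence.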