httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ivan Ristic" <ivan.ris...@gmail.com>
Subject Re: High security
Date Mon, 28 Jan 2008 09:40:19 GMT
On Jan 25, 2008 1:30 PM, Nick Kew <nick@webthing.com> wrote:
>
> ...
>
> >  A
> > compromise might be to create a chroot hook and allow module
> > developers to use it. This would shift the support burden somewhat
> > from the core Apache team to those willing to engage the users
> > providing support.
>
> Isn't that basically the status quo (mod_security presumably hooks it
> in at post_config?)

In ModSecurity I had to use one of the available hooks to execute the
chroot call. As Torsten mentions, that might be a much better place to
do it.


> > Personally, I don't really have a need for the internal chroot feature
> > ever since I discovered the makejail utility (part of Debian, and
> > maybe other systems), which worked really well for me. On the other
> > hand, I am interested in getting Apache to drop certain capabilities
> > (where supported) at startup. I plan to look into it eventually.
>
> Can we expect your contributions to the apache core code in the
> not-too-distant?

Possibly...  Maybe I should aim to start with something simpler; for
example, by proposing the suexec chroot patch I have lying around
somewhere.


> --
> Nick Kew
>
> Application Development with Apache - the Apache Modules Book
> http://www.apachetutor.org/
>

-- 
Ivan Ristic

Mime
View raw message