httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <n...@webthing.com>
Subject Re: High security
Date Fri, 25 Jan 2008 13:30:41 GMT
On Fri, 25 Jan 2008 11:31:32 +0000
"Ivan Ristic" <ivan.ristic@gmail.com> wrote:

> I don't think this should be a discussion of whether chroot is worth
> using as a security measure. IMHO it should be about allowing Apache
> users to make a choice whether they will use chroot in this way or
> not.

+1.

> For the record, I have regretted including the chroot feature in
> ModSecurity many times over. Not because of the feature itself (which
> -- I still think -- is very useful when the circumstances are right)
> but because of the support I was required to provide on the mailing
> list over the  years. To troubleshoot chroot issues requires a very
> good understanding of how things work and takes a lot of time. Subtle
> problems may arise with modules that are not expecting to be cut-off
> from the filesystem half-way through, or with modules that fork at
> startup.

Thanks for the insight!

Chroot problems are indeed a support issue (though still a fairly
infrequent one) in apache's own support fora.  I guess you've relieved
us of some part (maybe most) of that burden.

>   With this in mind, I have always felt the reluctance of the
> Apache developers to include support for chroot has more to do with
> these support issues rather than with any technical reasons.

Still more likely: lack of round tuits.  Builtin support could still
happen.  In fact I recently committed a patch to /trunk/.

>  A
> compromise might be to create a chroot hook and allow module
> developers to use it. This would shift the support burden somewhat
> from the core Apache team to those willing to engage the users
> providing support.

Isn't that basically the status quo (mod_security presumably hooks it
in at post_config?)

> Personally, I don't really have a need for the internal chroot feature
> ever since I discovered the makejail utility (part of Debian, and
> maybe other systems), which worked really well for me. On the other
> hand, I am interested in getting Apache to drop certain capabilities
> (where supported) at startup. I plan to look into it eventually.

Can we expect your contributions to the apache core code in the
not-too-distant?

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Mime
View raw message