httpd-dev mailing list archives

From Nick Gearls <nickgea...@gmail.com>
Subject Re: High security
Date Wed, 07 May 2008 09:00:14 GMT
I propose to add the following:

In the usage:
All config files, logs, etc. are used by the main process and should 
thus not be stored in the chroot. Only files used by children listeners 
must be present in the chroot.

     <note><title>Content of the chroot</title>
       <p>The following files must be present in the chroot:</p>
       <ul><li>/lib/libgcc_s.so.1 (Linux)</li>
           <li>if bind (DNS) is used: /etc/resolv.conf &amp; /lib/libnss_dns.so.2 (Linux)</li>
           <li>if a hosts file is used: /etc/hosts</li>
           <li>if both a hosts file and bind (DNS) are used: /etc/hosts.conf</li>
           <li>HTML files (htdocs/ files)</li>
           <li>Temporary files used by modules (ex: ModSecurity temp files)</li>
           <li>When using additional modules, other files may be needed</li>
       </ul>
       <p><b>Remark:</b> shared objects can also be loaded explicitly
       in httpd.conf, instead of copying them into the chroot.
       When using Apache as a reverse proxy, the chroot could thus potentially
       be totally empty.</p>
     </note>

Regards,

Nick


Dirk-Willem van Gulik wrote:
> 
> On May 6, 2008, at 5:03 PM, Plüm, Rüdiger, VF-Group wrote:
>>
>>
>>> -----Original Message-----
>>> From: Dirk-Willem van Gulik
>>> Sent: Tuesday, 6 May 2008 17:00
>>> To: dev@httpd.apache.org
>>> Subject: Re: High security
>>>
>>>
>>> On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
>>>> If there's a chance to add it, I'm ready to write the doc patch
>>>
>>>
>>> I did below a while ago. May be useful as a start.
>>
>> There is already documentation in trunk for this:
>>
>> http://svn.apache.org/viewvc?view=rev&revision=639005
> 
> 
> Aye - I edited on top of that version.
> 
> Dw.
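
An added example, not part of the message above or of the httpd project: a shell check that audits a chroot tree against the file list proposed in the note and flags config or log files that ended up inside it. The function names `chroot_required` and `chroot_audit`, the `dns`/`hosts` feature keywords, and the `httpd.conf` / `*_log` file-name patterns are assumptions made for illustration.

```shell
#!/bin/sh
# usage: chroot_audit CHROOT_DIR [dns] [hosts]

# Print the paths the message lists as required for the given resolver features.
chroot_required() {
    use_dns=0; use_hosts=0
    for feat in "$@"; do
        case "$feat" in
            dns)   use_dns=1 ;;
            hosts) use_hosts=1 ;;
            *)     echo "unknown feature: $feat" >&2; return 2 ;;
        esac
    done
    echo /lib/libgcc_s.so.1            # always needed (Linux)
    if [ "$use_dns" -eq 1 ]; then
        echo /etc/resolv.conf
        echo /lib/libnss_dns.so.2
    fi
    if [ "$use_hosts" -eq 1 ]; then
        echo /etc/hosts
    fi
    if [ "$use_dns" -eq 1 ] && [ "$use_hosts" -eq 1 ]; then
        echo /etc/hosts.conf           # file name exactly as given in the message
    fi
}

# Print MISSING/UNEXPECTED findings.
# Returns 0 when clean, 1 on findings, 2 on bad arguments.
chroot_audit() {
    [ $# -ge 1 ] && [ -d "$1" ] || { echo "usage: chroot_audit DIR [dns] [hosts]" >&2; return 2; }
    root=$1; shift
    required=$(chroot_required "$@") || return 2
    findings=0
    for p in $required; do
        # Checked from outside the chroot: an absolute symlink target is
        # resolved against the host root here, not against $root.
        if [ ! -e "$root$p" ]; then
            echo "MISSING $p"; findings=1
        fi
    done
    # Config files and logs are used by the parent process and should stay
    # outside. Assumption: Apache's default names (httpd.conf, *_log).
    stray=$(cd "$root" && find . -type f \( -name httpd.conf -o -name '*_log' \) |
            sed 's|^\.|UNEXPECTED |')
    if [ -n "$stray" ]; then
        echo "$stray"; findings=1
    fi
    return "$findings"
}
```
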
