httpd-dev mailing list archives

From Dirk-Willem van Gulik
Subject Re: High security
Date Wed, 07 May 2008 10:42:09 GMT

On May 7, 2008, at 11:00 AM, Nick Gearls wrote:
> I propose to add the following:
> In the usage:
> All config files, logs, etc. are used by the main process and should  
> thus not be stored in the chroot. Only files used by children  
> listeners must be present in the chroot.
>    <note><title>Content of the chroot</title>
>      <p>The following files must be present in the chroot:</p>
>      <ul><li>/lib/ (Linux)</li>
>          <li>if bind (DNS) is used: /etc/resolv.conf &amp; /lib/ (Linux)</li>
>          <li>if a hosts file is used: /etc/hosts</li>
>          <li>if both a hosts file and bind (DNS) are used: /etc/hosts.conf</li>
>          <li>HTML files (htdocs/ files)</li>
>          <li>Temporary files used by modules (ex: ModSecurity temp files)</li>
>          <li>When using additional modules, other files may be needed</li>
>      </ul>
>      <p><b>Remark:</b> shared objects can also be loaded explicitly
>      in httpd.conf, instead of copying them into the chroot.
>      When using Apache as a reverse proxy, the chroot could thus potentially
>      be totally empty.</p>
>    </note>

I was sort of hoping for a separate how-to page; with the exact 'chmod/own' settings, groups you need to create, information about the log file locations/ownership, the ownership of the cache directories and so on.

