httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: High security
Date Tue, 06 May 2008 15:00:20 GMT

On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
> If there's a chance to add it, I'm ready to write the doc patch


I did the below a while ago. May be useful as a start.

Dw

Index: mpm_common.xml
===================================================================
--- mpm_common.xml	(revision 653793)
+++ mpm_common.xml	(working copy)
@@ -1039,14 +1039,26 @@
  <module>prefork</module><module>worker</module></modulelist>

  <usage>
-    <p>This directive, available in httpd 2.2.9(?) and later, tells the
+    <p>This directive, available in httpd 2.2.9(?) and later on unix,  
tells the
      server to <var>chroot(8)</var> to the specified directory after
-    startup, but before accepting requests over the 'net.</p>
-    <p>Note that running the server under chroot is not simple,
-    and requires additional setup, particularly if you are running
-    scripts such as CGI or PHP.  Please make sure you are properly
-    familiar with the operation of chroot before attempting to use
-    this feature.</p>
+    startup and logfile-opening, but before accepting requests over  
the 'net.</p>
+    <note type="warning"><title>Security</title>
+      <p>Note that running the server under chroot is not simple,
+      and requires additional setup, particularly if you are running
+      scripts such as CGI or PHP.  Please make sure you are properly
+      familiar with the operation of chroot before attempting to use
+      this feature.</p>
+    </note>
+    <p>In conjunction the <directive module="mod_so">LoadFile</ 
directive>
+    directive which can be used to load dependencies (for example a  
library such as
+    <code>libgcc_s.so.1</code>) prior to the chroot - thus allowing
+    a nearly empty chroot environment. See the <page href="howto/ 
chroot.html">
+    howto on chroot</page> for more information.
+ for an example.
+    <note><title>Note</title>
+      <p>This directive is only available on unix platforms which
+      support chroot(2).</p>
+    </note>
  </usage>
  </directivesynopsis>
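Review bot: The added LoadFile paragraph (the lines starting `<p>In conjunction the`) is not well-formed and does not read as a sentence. The `<p>` is never closed before the following `<note>`, the text has no main verb ("In conjunction the ... directive which can be used ..."), and the line `for an example.` after `for more information.` looks like a leftover. Suggest rewording along the lines of "In conjunction with the LoadFile directive, dependencies (for example a library such as libgcc_s.so.1) can be loaded prior to the chroot, allowing a nearly empty chroot environment.", closing with `</p>` and dropping the stray line. The manual section is also inconsistent: the unchanged line says `chroot(8)` while the new note says `chroot(2)`, and one reference should be used throughout. The unix-only restriction is now stated twice, once in the first paragraph ("later on unix") and again in the trailing Note, so one of the two can go. The version string still reads `2.2.9(?)` and should be settled before commit. Finally, several `+` lines were wrapped by the mail client (`tells the`, `the 'net.</p>`, `directive>`, `chroot.html">`), so the patch will not apply as sent; resending it as an attachment would avoid that.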

