From: Nick Gearls
Date: Tue, 06 May 2008 16:12:49 +0200
To: dev@httpd.apache.org
Subject: Re: High security

If there's a chance to add it, I'm ready to write the doc patch.

Nick

Dirk-Willem van Gulik wrote:
>
> On May 6, 2008, at 3:27 PM, Nick Gearls wrote:
>
>> Just a small addition: by adding "LoadFile libgcc_s.so.1" in
>> httpd.conf, I don't have any more files in the chroot (except "htdocs"
>> if not in pure proxy mode).
>
> Is there a patch for the docs as well? Including the above trick?
>
>>
>>
>> Nick Gearls wrote:
>>> I've been running the patch for one week on a production server, and it
>>> works perfectly (http://svn.apache.org/viewvc?view=rev&revision=611483).
>>> When using Apache as a reverse proxy, the chroot environment is
>>> totally empty (except libgcc_s.so.1).
>>> Could we include this in the next build?
>>> As it is very limited (basically 3 basic function calls plus the
>>> logging), it is trivial to review.
>>> +1
>>> Regards,
>>> Nick
>>> [... discussion about chroot effectiveness and leaving the final
>>> choice to the user to use it or not ...]
>
>