httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John" <isofr...@cc.uoi.gr>
Subject Re: [users@httpd] Problem Starting Apache Chrooted
Date Fri, 04 Mar 2005 09:10:33 GMT
Well, fortunately the invader will not acess the system unless he breaks the
chroot() function of the kernel.



----- Original Message ----- 
From: "Ivan Barrera A." <Bruce@Ivn.cl>
To: <users@httpd.apache.org>
Sent: Thursday, March 03, 2005 2:31 PM
Subject: Re: [users@httpd] Problem Starting Apache Chrooted


> > I suppose you mean the actuall chroot and not mod_chroot or mod_security
> > (???)
> >
> >
> > Let me ask you something.
> > If an apache version is vulnerable, anbd someone using a script or
something
> > manage to install a backdoor on the server (let say /tmp, that means
> > /chroot/tmp)
> > Could he install it and then open the port?
>
> They could.
> But, if they log in (suppose a login backdoor) they'll see the chrooted
env.
> You must take more security measures to avoid that. I prefer having tmp
> mounted as noexec. Obviously, that doesnt work if someone uploads a perl
> script and then execute perl to launch it.. but every measure counts.
>
>
> >
> > Give me some more advantages on actuall chroot.
> >
> >
> > Thanks in advance.
> >
> >
> > ----- Original Message ----- 
> > From: "Farid Izem" <farid.izem@gmail.com>
> > To: <users@httpd.apache.org>
> > Sent: Wednesday, March 02, 2005 7:45 PM
> > Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> >
> >
> >
> >>Didn't look at the security issues as i trying to understand the
> >>chroot mecanism
> >>Not only for Apache but also for Squid and bind !
> >>
> >>I think this module can increase the security in the near future !
> >>
> >>Kind Regards,
> >>
> >>Farid.
> >>
> >>
> >>On Wed, 2 Mar 2005 15:21:22 +0200, John <isofroni@cc.uoi.gr> wrote:
> >>
> >>>Ok, but if you look in the bugs history then you will find that
> >
> > mod_security
> >
> >>>has been suffering
> >>>from various security problems.
> >>>
> >>>I have heard that it is a good module for chroot and other security
> >>>hardening.
> >>>
> >>>
> >>>----- Original Message -----
> >>>From: "Farid Izem" <farid.izem@gmail.com>
> >>>To: <users@httpd.apache.org>
> >>>Sent: Wednesday, March 02, 2005 10:33 AM
> >>>Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> >>>
> >>>
> >>>>Yes, i said Mod_security not mod_chroot :
> >>>>Take a look at :
> >>>>
> >>>
> >>>http://www.modsecurity.org/documentation/apache-internal-chroot.html
> >>>
> >>>>Best Regards,
> >>>>
> >>>>Farid.
> >>>>
> >>>>On Tue, 1 Mar 2005 20:53:39 +0200, John <isofroni@cc.uoi.gr> wrote:
> >>>>
> >>>>>----- Original Message -----
> >>>>>From: "Farid Izem" <farid.izem@gmail.com>
> >>>>>To: <users@httpd.apache.org>
> >>>>>Sent: Tuesday, March 01, 2005 7:39 PM
> >>>>>Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> >>>>>
> >>>>>
> >>>>>>Not yet thinking on !
> >>>>>>I compiled my apache from the lastest source before chrooting
it.
> >>>>>>Maybe using a shell script using ldd command may be the first
way
> >
> > to
> >
> >>>look
> >>>
> >>>>>at.
> >>>>>
> >>>>>>Using rpm httpd file and mod_security is the easiest solution
to
> >>>
> >>>upgrade
> >>>
> >>>>>>Because mod_security provide a simple solution to chroot easily
> >>>
> >>>apache.
> >>>
> >>>>>>There are some limits to this mecanism but maybe i could be
> >
> > enought
> >
> >>>for
> >>>
> >>>>>you.
> >>>>>
> >>>>>>Any ideas on are welcome !
> >>>>>>
> >>>>>>Kind Regards,
> >>>>>>
> >>>>>>Farid
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>mod_security or mod_chroot ?
> >>>>>mod_chroot is mote focused on chrooting apache's process i think.
> >>>>>
> >>>>>What are the limitions you mentioned on this mechanism?
> >>>>>
> >>>>
> >>---------------------------------------------------------------------
> >>
> >>>>>The official User-To-User support forum of the Apache HTTP Server
> >>>
> >>>Project.
> >>>
> >>>>>See <URL:http://httpd.apache.org/userslist.html> for more info.
> >>>>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >>>>>For additional commands, e-mail: users-help@httpd.apache.org
> >>>>>
> >>>>>
> >>>>
> >>>>---------------------------------------------------------------------
> >>>>The official User-To-User support forum of the Apache HTTP Server
> >
> > Project.
> >
> >>>>See <URL:http://httpd.apache.org/userslist.html> for more info.
> >>>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >>>>For additional commands, e-mail: users-help@httpd.apache.org
> >>>
> >>>---------------------------------------------------------------------
> >>>The official User-To-User support forum of the Apache HTTP Server
> >
> > Project.
> >
> >>>See <URL:http://httpd.apache.org/userslist.html> for more info.
> >>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >>>For additional commands, e-mail: users-help@httpd.apache.org
> >>>
> >>>
> >>
> >>---------------------------------------------------------------------
> >>The official User-To-User support forum of the Apache HTTP Server
Project.
> >>See <URL:http://httpd.apache.org/userslist.html> for more info.
> >>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >>For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message