httpd-users mailing list archives

From "Ivan Barrera A." <Br...@Ivn.cl>
Subject Re: [users@httpd] Problem Starting Apache Chrooted
Date Thu, 03 Mar 2005 12:31:27 GMT
> I suppose you mean the actual chroot and not mod_chroot or mod_security
> (???)
> 
> 
> Let me ask you something.
> If an apache version is vulnerable, and someone using a script or something
> manages to install a backdoor on the server (let's say /tmp, that means
> /chroot/tmp)
> Could he install it and then open the port?

They could.
But, if they log in (suppose a login backdoor) they'll see the chrooted env.
You must take more security measures to avoid that. I prefer having tmp 
mounted as noexec. Obviously, that doesn't work if someone uploads a perl 
script and then executes perl to launch it, but every measure counts.


> 
> Give me some more advantages on actual chroot.
> 
> 
> Thanks in advance.
> 
> 
> ----- Original Message ----- 
> From: "Farid Izem" <farid.izem@gmail.com>
> To: <users@httpd.apache.org>
> Sent: Wednesday, March 02, 2005 7:45 PM
> Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> 
> 
> 
>>Didn't look at the security issues as I am trying to understand the
>>chroot mechanism
>>Not only for Apache but also for Squid and bind!
>>
>>I think this module can increase the security in the near future!
>>
>>Kind Regards,
>>
>>Farid.
>>
>>
>>On Wed, 2 Mar 2005 15:21:22 +0200, John <isofroni@cc.uoi.gr> wrote:
>>
>>>Ok, but if you look in the bugs history then you will find that
>>>mod_security has been suffering
>>>from various security problems.
>>>
>>>I have heard that it is a good module for chroot and other security
>>>hardening.
>>>
>>>
>>>----- Original Message -----
>>>From: "Farid Izem" <farid.izem@gmail.com>
>>>To: <users@httpd.apache.org>
>>>Sent: Wednesday, March 02, 2005 10:33 AM
>>>Subject: Re: [users@httpd] Problem Starting Apache Chrooted
>>>
>>>
>>>>Yes, I said mod_security not mod_chroot:
>>>>Take a look at:
>>>>http://www.modsecurity.org/documentation/apache-internal-chroot.html
>>>>
>>>>Best Regards,
>>>>
>>>>Farid.
>>>>
>>>>On Tue, 1 Mar 2005 20:53:39 +0200, John <isofroni@cc.uoi.gr> wrote:
>>>>
>>>>>----- Original Message -----
>>>>>From: "Farid Izem" <farid.izem@gmail.com>
>>>>>To: <users@httpd.apache.org>
>>>>>Sent: Tuesday, March 01, 2005 7:39 PM
>>>>>Subject: Re: [users@httpd] Problem Starting Apache Chrooted
>>>>>
>>>>>
>>>>>>Not yet thinking on !
>>>>>>I compiled my apache from the latest source before chrooting it.
>>>>>>Maybe using a shell script using ldd command may be the first way to
>>>>>>look at.
>>>>>>Using rpm httpd file and mod_security is the easiest solution to upgrade
>>>>>>Because mod_security provides a simple solution to chroot easily apache.
>>>>>>There are some limits to this mechanism but maybe it could be enough for
>>>>>>you.
>>>>>>Any ideas on are welcome !
>>>>>>
>>>>>>Kind Regards,
>>>>>>
>>>>>>Farid
>>>>>>
>>>>>>
>>>>>
>>>>>mod_security or mod_chroot ?
>>>>>mod_chroot is more focused on chrooting apache's process I think.
>>>>>
>>>>>What are the limitations you mentioned on this mechanism?
>>>>>
>>>>>---------------------------------------------------------------------
>>>>>The official User-To-User support forum of the Apache HTTP Server Project.
>>>>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>>For additional commands, e-mail: users-help@httpd.apache.org
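
The noexec measure and the interpreter caveat from the reply above, written as an audit script. This is an added example, not part of the original thread or of Apache; the function names, the interpreter list and the constructed SAMPLE_MOUNTS table (with the jail at /chroot) are assumptions.

```shell
#!/bin/sh
# Added example. SAMPLE_MOUNTS is constructed, in /proc/mounts format.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /chroot ext3 rw,nosuid 0 0
tmpfs /chroot/tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw 0 0'

# mount_opts PATH [MOUNTS_TEXT]: print the options of the mount covering
# PATH, i.e. the longest mount point that is PATH or one of its parents.
# With no MOUNTS_TEXT the live /proc/mounts is read (Linux).
mount_opts() {
    printf '%s\n' "${2:-$(cat /proc/mounts)}" | awk -v p="$1" '
        {
            mp = $2
            covers = (mp == "/" || p == mp || index(p, mp "/") == 1)
            # ">=" so a later mount stacked on the same point wins
            if (covers && length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { print opts }'
}

# audit_tmp DIR [MOUNTS_TEXT]: print "ok" when DIR is covered by a mount
# carrying noexec, nosuid and nodev, otherwise name what is missing.
audit_tmp() {
    opts=$(mount_opts "$1" "$2")
    missing=
    for o in noexec nosuid nodev; do
        case ",$opts," in *",$o,"*) ;; *) missing="$missing $o" ;; esac
    done
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# jail_interpreters ROOT: list script interpreters present inside the jail.
# noexec on tmp does not stop "perl /tmp/x.pl", so each hit is a residual
# risk to remove from the jail where the site does not need it.
jail_interpreters() {
    for dir in bin usr/bin usr/local/bin; do
        for name in sh bash perl python php ruby; do
            if [ -x "$1/$dir/$name" ]; then echo "$dir/$name"; fi
        done
    done
}

audit_tmp /chroot/tmp "$SAMPLE_MOUNTS"   # the jail's tmp
audit_tmp /tmp "$SAMPLE_MOUNTS"          # the host's tmp
```

On a live host, call `audit_tmp` with only the directory so that the real mount table is read, and run `jail_interpreters` against the actual jail root.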