httpd-users mailing list archives

From Carlos Eduardo Maiolino <>
Subject Re: [users@httpd] chrooted V non-chrooted
Date Tue, 16 Jun 2009 15:02:59 GMT
Hi Igor.

chroot, like Fred said, adds another security layer in your environment,
protecting the OS from the web server. I mean, if the web server has been
compromised, the person will have access just to the web server.

chroot is a good option to secure your web server, but maybe it's not easy
to build.

Another option to add a good security layer, protecting the OS from the
web server, is using SELinux.

With SELinux it is possible to protect the OS from the web server in a way
similar to chroot.


On Tue, Jun 16, 2009 at 4:11 AM, Igor Cicimov <> wrote:

> Running apache in chroot adds another layer of security. You can chroot the
> apache server and copy over all the libraries you need and only the programs
> you need like /bin/sh, let's say, to start/stop the server. In that way any
> security issue or intruder will end up in "jail" and have limited programs
> to run. Also whatever damage he/she might cause will be in the chroot
> environment, which you can easily recover, and not in your real root.
> We run all our company production servers in chroot.
> Cheers,
> Igor
> On Mon, Jun 15, 2009 at 6:40 PM, Fred Zinsli <> wrote:
>> Hello everyone
>> I can't seem to get my head around this chrooted and non-chrooted apache
>> server thing at all.
>> What are the pros & cons, advantages or disadvantages of chrooted over
>> non-chrooted apache servers?
>> In a nutshell, is it preferable to run apache chrooted on a production
>> server or not?
>> Currently my public server is not chrooted but I am planning a major
>> upgrade and I thought this would be a good opportunity to change my apache
>> configuration at the same time if it was warranted.
>> The server is currently configured for name based virtual hosts.
>> Any comments would be most appreciated.
>> Regards
>> Fred
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:> for more info.
>> To unsubscribe, e-mail:
>>   "   from the digest:
>> For additional commands, e-mail:

Best Regards

Carlos Eduardo Maiolino - CyberS0nic
Fedora Project - Brazilian Ambassador / Bug Tracker



IRC: CyberS0nic AT
ICQ: 142852055
gtalk: cybersonic0
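
The step Igor describes in the quoted reply (copying into the jail only the programs you need, such as /bin/sh, together with their libraries) can be scripted. The following is an added example, not code from the thread or from the Apache project; the function names, the script name and the jail path are assumptions.

```shell
#!/bin/sh
# Added example: fill a chroot tree with a binary plus the libraries ldd lists.

# list_libs BIN: print absolute paths of the shared objects BIN is linked to.
list_libs() {
    # ldd prints "name => /path (addr)" or "/path (addr)". A static binary
    # makes ldd fail, which yields an empty list here.
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }' | sort -u
}

# copy_into_jail JAIL FILE: copy FILE under JAIL at the same absolute path.
copy_into_jail() {
    mkdir -p "$1$(dirname "$2")" || return 1
    # -L stores the real file instead of a symlink that dangles inside the jail
    cp -L -p "$2" "$1$2"
}

# build_jail JAIL BIN...: copy each program and its libraries, nothing else.
build_jail() {
    jail_dir=$1; shift
    for bin in "$@"; do
        [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
        copy_into_jail "$jail_dir" "$bin" || return 1
        for lib in $(list_libs "$bin"); do
            copy_into_jail "$jail_dir" "$lib" || return 1
        done
    done
}

# audit_jail JAIL: fail if any setuid/setgid file ended up in the jail.
audit_jail() {
    found=$(find "$1" -type f \( -perm -4000 -o -perm -2000 \))
    [ -z "$found" ] && return 0
    echo "setuid/setgid files in jail:" >&2
    echo "$found" >&2
    return 1
}

# Usage: sh mkjail.sh /srv/httpd-jail /bin/sh   (jail path is an assumption)
if [ "$#" -ge 2 ]; then
    build_jail "$@" && audit_jail "$1"
fi
```

ldd reports only link-time dependencies, so libraries loaded at run time (Apache modules, for example) have to be added to the jail by hand.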
