httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carlos Eduardo Maiolino <cyberson...@gmail.com>
Subject Re: [users@httpd] chrooted V non-chrooted
Date Tue, 16 Jun 2009 15:02:59 GMT
Hi Igor.

chroot, like Fred said, add another security layer in your environment,
protecting the OS from the Web Server. I mean, if web server have be
compromised, the person will have access just to the web server.

chroot is a good option to secure your webserver, but maybe it's not easily
to build.

An another option to add a good security layer, protecting the OS from the
web server, is using SELinux.

With SELinux is possible to protect the OS from the web server in a way
similar like chroot.

Bye.


On Tue, Jun 16, 2009 at 4:11 AM, Igor Cicimov <icicimov@gmail.com> wrote:

> Running apache in chroot adds another layer of security. You can chroot the
> apache server and copy over all the libraries you need and only the programs
> you need like /bin/sh lets say to start/stop the server. In that way any
> security issue or intruder will end up in "jail" and have limited programs
> to run. Also what ever damage he/she might cause will be in the chroot
> enviroment, which you can esally recover, and not in your real root.
>
> We run all our company production servers in chroot.
>
> Cheers,
>
> Igor
>
>
> On Mon, Jun 15, 2009 at 6:40 PM, Fred Zinsli <fred.zinsli@shooter.co.nz>wrote:
>
>> Hello everyone
>>
>> I can't seem to get my head around this chrooted and non-chrooted apache
>> server thing at all.
>>
>> What are the pros & cons, advantages or dissadvantages of chrooted over
>> non-chrooted apache servers.
>>
>> In a nutshell, is a preferable to run apache chrooted on a production
>> server or not?
>>
>> Curently my public server is not chrooted but I am planning a major
>> upgrade and I thought this would be a good opertunity to change my apache
>> configuration at the same time if it was warranted.
>>
>> The server is currently configured for name based virtual hosts.
>>
>> Any comments would be most appreciated.
>>
>> Regards
>>
>> Fred
>>
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>


-- 
Best Regards

Carlos Eduardo Maiolino - CyberS0nic
Fedora Project - Brazilian Ambassador / Bug Tracker
http://www.fedoraproject.org
http://www.projetofedora.org

-------------------------

Contacts

IRC: CyberS0nic AT irc.freenode.net
ICQ: 142852055
msn: cybersonic0@gmail.com
gtalk: cybersonic0

Mime
View raw message