www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Laurent LEVIER <llev...@argosnet.com>
Subject config/6285: chroot httpd
Date Sat, 08 Jul 2000 19:53:53 GMT

>Number:         6285
>Category:       config
>Synopsis:       chroot httpd
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Jul 08 13:00:01 PDT 2000
>Originator:     llevier@argosnet.com
>Release:        1.3.12
Hi ! Before reading below text, know I just wish here to suggest a security enhancement. I
have been forwarded finally to this form for this action.
There is no bug !

chrooting Apache is very difficult, while the process needs some libraries, host may have
different simultaneous configurations, or webhoster may wish to allow a chrooted tree for
webmasters (ssh/telnet session in the documentroot tree).

When you chroot httpd process before launching it, a complete environment must be created
for httpd, AND the user. Because of this, a httpd is necessary per webmaster, or a very complex
situation involving links must be setup to simulate differents httpd.

But, if httpd when forking to user/group owner decides itself to chroot, all its libraries
will be already loaded, and then it will need no extra data to work fine, until it is able
to access the logs directory/files.

This is the suggestion. What do you think about a such feature ?



 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]

View raw message