                                   mod_chroot

What is it?

   mod_chroot makes running Apache in a secure chroot environment easy. You
   don't need to create a special directory hierarchy containing /dev, /lib,
   /etc...

   mod_chroot is now included in

     * FreeBSD
     * DarwinPorts
     * PLD Linux
     * Gentoo Linux
     * Debian testing/unstable
     * NetBSD

   Many thanks to all package maintainers!

Why chroot?

   For security.

   chroot(2) changes the root directory of a process to a directory other
   than "/". It means the process is locked inside a virtual filesystem root.
   If you configure your chroot jail properly, Apache and its child processes
   (think CGI scripts) won't be able to access anything except the jail.

   A non-root process is not able to leave a chroot jail (a root process
   can). Still, it's not wise to put device files, suid binaries or hardlinks
   inside the jail.

chroot - the hard way

   There are many documents about running programs inside a chroot jail. Some
   daemons (tinydns, dnscache, vsftpd) support it out of the box. For others
   (like Apache) you need to carefully build a "virtual root" containing
   every file the program may need. This usually includes:

     * the C library
     * various other libraries (libssl? libm? libmysqlclient?)
     * resolver configuration files (/etc/nsswitch.conf, /etc/resolv.conf)
     * user files (/etc/passwd, /etc/group)
     * a separate directory for log files
     * additional modules needed by the program (for Apache: mod_php and
       other modules)

   Creating this structure is great fun. Run the program, read the error
   message, copy the missing file, start over. Now think about upgrading:
   you have to keep your "virtual root" current, so if there is a bug in
   libssl, you need to put a new version in two places. Scared enough? Read
   on.

chroot - the mod_chroot way

   mod_chroot allows you to run Apache in a chroot jail with no additional
   files. The chroot() system call is performed at the end of the startup
   procedure, when all libraries are loaded and log files are open. There are
   still some things you have to keep in mind; see below.

   Installation and configuration are covered by INSTALL.
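   The ordering described above, as an added example in C that is not
   mod_chroot's own code: the log file is opened (and libraries are already
   mapped) before chroot() runs, so the jail directory can stay empty. The
   function names check_jail_dir(), enter_jail() and late_chroot_demo() and
   the pre-chroot sanity checks are assumptions of this example; chroot()
   still needs root, so enter_jail() returns -1 when run unprivileged.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Sanity checks before chroot() (assumed for this example): the jail path
 * must be absolute, exist, be a directory, and not be group/world-writable,
 * since a writable jail root lets jailed code create files next to "/". */
int check_jail_dir(const char *dir)
{
    struct stat st;
    if (dir == NULL || dir[0] != '/')
        return -1;                          /* relative path: ambiguous */
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;                          /* missing or not a directory */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;                          /* writable by others */
    return 0;
}

/* Enter the jail. chroot() must be followed by chdir("/"); otherwise the
 * working directory still points outside the new root. Needs root. */
int enter_jail(const char *dir)
{
    if (check_jail_dir(dir) != 0 || chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    return 0;
}

/* The "late chroot" ordering: open the log first, then chroot. The already
 * open descriptor keeps working inside the jail, while a path outside the
 * jail (here /etc/passwd, assuming an empty jail dir) is no longer visible.
 * Returns 0 on success, -1 on any failure (e.g. EPERM when not root). */
int late_chroot_demo(const char *jail, const char *logpath)
{
    int log = open(logpath, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (log < 0)
        return -1;
    if (enter_jail(jail) != 0) {
        close(log);
        return -1;
    }
    const char msg[] = "entered jail\n";
    int ok = write(log, msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1)
             && access("/etc/passwd", F_OK) == -1;    /* outside the jail */
    close(log);
    return ok ? 0 : -1;
}
```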
Caveats

   Running Apache (and CGI/Perl/PHP) inside a chroot jail can be tricky. Read
   CAVEATS for known problems and solutions.

   mod_chroot has been tested under Linux 2.4 and FreeBSD 4-STABLE with
   Apache 1.3.29. It should work under older versions of Apache 1.3 as well.

   Starting from version 0.3, mod_chroot supports Apache 2. It has been
   tested with Apache 2.0.51 under Linux 2.4 and FreeBSD 4-STABLE. It should
   work under older versions of Apache 2.0 as well. Be sure to read the Apache
   2.0 notes before using mod_chroot with Apache 2.0.

Download

   All published versions of mod_chroot are available at
   http://core.segfault.pl/~hobbit/mod_chroot/dist. Please use the latest
   one.

Contact

   Mail addresses:

     * modchroot-bugs@core.segfault.pl - report bugs here.
     * modchroot@core.segfault.pl - the mod_chroot mailing list. Questions,
       feature requests and announcements should go here.
       Send an empty e-mail to modchroot-subscribe@core.segfault.pl to
       subscribe. Users who are not subscribed are not allowed to post.

   The mod_chroot mailing list is also available via GMane (as
   gmane.comp.apache.mod-chroot.general). GMane also has a nice archive.

Prior art

   I needed a simple module just to perform chroot at startup. Before I
   started coding, I found mod_security which does this, among others. I
   didn't need URL normalization and other mod_security features, so I decided
   to create my own module. My code is similar to mod_security, with some
   sanity checks added. mod_security is developed by Ivan Ristic.