What is it?

mod_chroot makes running Apache in a secure chroot environment easy. You
don't need to create a special directory hierarchy containing /dev, /lib,

mod_chroot is now included in

* FreeBSD
* DarwinPorts
* PLD Linux
* Gentoo Linux
* Debian testing/unstable
* NetBSD

Many thanks to all package maintainers!

Why chroot?

For security.

chroot(2) changes the root directory of a process to a directory other
than "/". It means the process is locked inside a virtual filesystem root.
If you configure your chroot jail properly, Apache and its child processes
(think CGI scripts) won't be able to access anything except the jail.

A non-root process is not able to leave a chroot jail. Still, it's not wise
to put device files, suid binaries or hardlinks inside the jail.
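
One way to check a jail directory for the three things named above (device files, suid/sgid binaries, hardlinked files). This is an added example, not part of mod_chroot; the names audit_jail and struct jail_audit are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper type: counts of what should not be inside a jail. */
struct jail_audit { int devices, setid, hardlinks; };

/* Recursive walk using lstat(), so symlinks are never followed out of the tree. */
static int walk(const char *dir, struct jail_audit *a)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int rc = 0;
    if (!d) { perror(dir); return -1; }
    while ((e = readdir(d)) != NULL) {
        char path[PATH_MAX];
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path
            || lstat(path, &st) != 0) { rc = -1; continue; }
        if (S_ISCHR(st.st_mode) || S_ISBLK(st.st_mode)) {
            a->devices++;  printf("device file: %s\n", path);
        } else if (S_ISREG(st.st_mode)) {
            if (st.st_mode & (S_ISUID | S_ISGID)) { a->setid++; printf("suid/sgid:   %s\n", path); }
            if (st.st_nlink > 1) { a->hardlinks++; printf("hard link:   %s\n", path); }
        } else if (S_ISDIR(st.st_mode) && walk(path, a) != 0) { rc = -1; }
    }
    closedir(d);
    return rc;
}

/* Returns the number of findings, or -1 if part of the tree could not be read. */
int audit_jail(const char *jail, struct jail_audit *out)
{
    struct jail_audit a = {0, 0, 0};
    int rc = walk(jail, &a);
    if (out) *out = a;
    return rc != 0 ? -1 : a.devices + a.setid + a.hardlinks;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s JAILDIR\n", argv[0]); return EXIT_FAILURE; }
    return audit_jail(argv[1], NULL) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

A hardlinked file is reported once for every name it has inside the tree, and a link count above one can also mean the other name lives outside the jail.
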

chroot - the hard way

There are many documents about running programs inside a chroot jail. Some
daemons (tinydns, dnscache, vsftpd) support it out of the box. For others
(like Apache) you need to carefully build a "virtual root", containing
every file the program may need. This usually includes:

* C library
* various other libraries (libssl? libm? libmysqlclient?)
* resolver configuration files (/etc/nsswitch.conf, /etc/resolv.conf)
* user files (/etc/passwd, /etc/group)
* separate directory for log files
* additional modules needed by the program (for Apache: mod_php and
  other modules)

Creating this structure is great fun. Run the program, read the error
message, copy the missing file, start over. Now think about upgrading -
you have to keep your "virtual root" current - if there is a bug in
libssl, you need to put a new version in two places. Scared enough? Read

chroot - the mod_chroot way

mod_chroot allows you to run Apache in a chroot jail with no additional
files. The chroot() system call is performed at the end of startup
procedure - when all libraries are loaded and log files open. There are
still some things you have to keep in mind - see below.

Installation and configuration are covered by INSTALL.

Running Apache (and CGI/Perl/PHP) inside a chroot jail can be tricky. Read
CAVEATS for known problems and solutions.

mod_chroot has been tested under Linux 2.4 and FreeBSD 4-STABLE with
Apache 1.3.29. It should work under older versions of Apache 1.3 as well.

Starting from version 0.3, mod_chroot supports Apache 2. It has been
tested with Apache 2.0.51 under Linux 2.4 and FreeBSD 4-STABLE. It should
work under older versions of Apache 2.0 as well. Be sure to read Apache
2.0 notes before using mod_chroot with Apache 2.0.

All published versions of mod_chroot are available at
http://core.segfault.pl/~hobbit/mod_chroot/dist. Please use the latest

Mail addresses:

* email@example.com - report bugs here.
* firstname.lastname@example.org - mod_chroot mailing list. Questions,
  feature requests, announcements should go here.
  Send an empty e-mail to email@example.com to
  subscribe. Users who are not subscribed are not allowed to post.

mod_chroot mailing list is also available via GMane (as
gmane.comp.apache.mod-chroot.general). GMane also has a nice archive.

Prior art

I needed a simple module just to perform chroot at startup. Before I
started coding, I found mod_security which does this, among others. I
didn't need URL normalization and other mod_security features so I decided
to create my own module. My code is similar to mod_security, with some
sanity checks added. mod_security is developed by Ivan Ristic.