
Member "mod_chroot-0.5/README" (12 Jun 2005, 3795 Bytes) of package /linux/www/apache_httpd_modules/old/mod_chroot-0.5.tar.gz:



                                   mod_chroot

What is it?

   mod_chroot makes running Apache in a secure chroot environment easy. You
   don't need to create a special directory hierarchy containing /dev, /lib,
   /etc...

   mod_chroot is now included in

     * FreeBSD
     * DarwinPorts
     * PLD Linux
     * Gentoo Linux
     * Debian testing/unstable
     * NetBSD

   Many thanks to all package maintainers!
   19 
Why chroot?

   For security.

   chroot(2) changes the root directory of a process to a directory other
   than "/". It means the process is locked inside a virtual filesystem root.
   If you configure your chroot jail properly, Apache and its child processes
   (think CGI scripts) won't be able to access anything except the jail.

   A non-root process is not able to leave a chroot jail; a root process is,
   so the jail is only as strong as the privilege drop that follows it. Even
   so, it's not wise to put device files, suid binaries or hard links inside
   the jail.
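
   As an added illustration (not part of the mod_chroot distribution), the
   following C program audits a jail directory for exactly the three things
   the paragraph above warns about: setuid/setgid executables, device nodes,
   and hard-linked files (st_nlink > 1, meaning the same inode may also have
   a name outside the jail). It uses lstat() and never descends through
   symlinks, so a link pointing outside the jail cannot pull the walk out of
   it. The scratch directory /tmp/mod_chroot_audit_fixture and the file names
   it creates are assumptions made up for the demonstration; pass a real jail
   path as the only argument to audit that instead.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Counters filled in by one walk of the jail. */
struct jail_audit {
    int setuid_or_setgid;   /* suid/sgid executables: a way to regain privileges inside the jail  */
    int device_nodes;       /* char/block devices: raw access to disks, memory or terminals       */
    int multi_linked;       /* st_nlink > 1: the same inode may also have a name outside the jail */
};

static struct jail_audit findings;

/* Recursive walk that uses lstat() and never descends through symlinks, so a
   link pointing outside the jail cannot drag the audit out of it. */
static void walk(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL) {
        fprintf(stderr, "cannot open %s: %s\n", dir, strerror(errno));
        return;
    }
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        char path[4096];
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path)
            continue;                               /* path too long: skip rather than truncate */
        struct stat sb;
        if (lstat(path, &sb) != 0)
            continue;
        if (S_ISDIR(sb.st_mode)) {
            walk(path);
        } else if (S_ISCHR(sb.st_mode) || S_ISBLK(sb.st_mode)) {
            findings.device_nodes++;
            printf("device node     : %s\n", path);
        } else if (S_ISREG(sb.st_mode)) {
            if (sb.st_mode & (S_ISUID | S_ISGID)) {
                findings.setuid_or_setgid++;
                printf("setuid/setgid   : %s (mode %04o)\n", path, (unsigned)(sb.st_mode & 07777));
            }
            if (sb.st_nlink > 1) {
                findings.multi_linked++;
                printf("hard-linked file: %s (nlink=%lu)\n", path, (unsigned long)sb.st_nlink);
            }
        }
    }
    closedir(d);
}

/* Audits jail_dir and returns the total number of findings; 0 means clean. */
int audit_jail(const char *jail_dir)
{
    memset(&findings, 0, sizeof findings);
    walk(jail_dir);
    return findings.setuid_or_setgid + findings.device_nodes + findings.multi_linked;
}

int audit_setuid_count(void)   { return findings.setuid_or_setgid; }
int audit_device_count(void)   { return findings.device_nodes; }
int audit_hardlink_count(void) { return findings.multi_linked; }

/* Constructed fixture (not a real jail): one setuid file and one hard-linked
   pair, so the audit has something to find without needing root. */
int make_fixture(const char *dir)
{
    char plain[4096], alias[4096], suid[4096];
    snprintf(plain, sizeof plain, "%s/plain", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    snprintf(suid,  sizeof suid,  "%s/suid-helper", dir);
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    unlink(plain); unlink(alias); unlink(suid);          /* make the fixture re-runnable */
    int fd = open(plain, O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return -1;
    close(fd);
    if (link(plain, alias) != 0)                         /* both names now report st_nlink == 2 */
        return -1;
    fd = open(suid, O_WRONLY | O_CREAT, 0755);
    if (fd < 0) return -1;
    close(fd);
    return chmod(suid, S_ISUID | 0755);                  /* an owner may set the setuid bit on its own file */
}

int main(int argc, char **argv)
{
    const char *dir = "/tmp/mod_chroot_audit_fixture";   /* assumed scratch location */
    if (argc > 1) {
        dir = argv[1];                                   /* audit a real jail instead */
    } else if (make_fixture(dir) != 0) {
        perror("make_fixture");
        return 2;
    }
    int n = audit_jail(dir);
    printf("%d finding(s) under %s\n", n, dir);
    return n > 0 ? 1 : 0;
}
```

   The exit status is non-zero whenever anything was found, so the audit can
   be run from a deployment script before the jail is put into service.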
   31 
chroot - the hard way

   There are many documents about running programs inside a chroot jail. Some
   daemons (tinydns, dnscache, vsftpd) support it out of the box. For others
   (like Apache) you need to carefully build a "virtual root", containing
   every file the program may need. This usually includes:

     * C library
     * various other libraries (libssl? libm? libmysqlclient?)
     * resolver configuration files (/etc/nsswitch.conf, /etc/resolv.conf)
     * user files (/etc/passwd, /etc/group)
     * separate directory for log files
     * additional modules needed by the program (for Apache: mod_php and
       other modules)

   Creating this structure is great fun. Run the program, read the error
   message, copy the missing file, start over. Now think about upgrading -
   you have to keep your "virtual root" current - if there is a bug in
   libssl, you need to put a new version in two places. Scared enough? Read
   on.
   52 
chroot - the mod_chroot way

   mod_chroot allows you to run Apache in a chroot jail with no additional
   files. The chroot() system call is performed at the end of the startup
   procedure, when all libraries are loaded and the log files are open. There
   are still some things you have to keep in mind - see below.
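
   The sequence that design relies on, shown as an added example in C that is
   not mod_chroot's own code: open everything that lives outside the jail
   first (here a log file; for Apache the shared libraries are mapped by this
   point as well), then chroot(), then chdir("/") so the working directory
   does not still point outside the new root, then drop supplementary groups,
   gid and uid, and finally verify that the drop is irreversible. Afterwards
   the already-open descriptor keeps working while paths such as /etc/passwd
   no longer resolve. The jail directory /var/empty, the log path
   /tmp/mod_chroot_example.log and uid/gid 65534 are assumptions; chroot(2)
   itself requires root, so without it the program reports that and exits.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum jail_result { JAIL_OK = 0, JAIL_NOT_PERMITTED = 1, JAIL_ERROR = -1 };

/* Phase 1, before chroot(): open everything that lives outside the jail.
   A descriptor survives chroot() even though its path no longer resolves. */
int open_log_before_jail(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
}

/* Phase 2: confine the process and give up root, in this order.
   Returns JAIL_OK, JAIL_NOT_PERMITTED (no privilege to chroot) or JAIL_ERROR (errno set). */
int enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (chroot(jail_dir) != 0)
        return errno == EPERM ? JAIL_NOT_PERMITTED : JAIL_ERROR;
    if (chdir("/") != 0)                  /* otherwise the cwd still points outside the new root */
        return JAIL_ERROR;
    if (setgroups(0, NULL) != 0)          /* shed supplementary groups inherited from root */
        return JAIL_ERROR;
    if (setgid(gid) != 0 || setuid(uid) != 0)   /* gid first: setgid() needs root, setuid() takes it away */
        return JAIL_ERROR;
    if (uid != 0 && setuid(0) == 0) {     /* the drop must be irreversible: a root process can leave a chroot */
        errno = EPERM;
        return JAIL_ERROR;
    }
    return JAIL_OK;
}

/* Checks worth running right after enter_jail(). */
int fd_is_usable(int fd)             { return fcntl(fd, F_GETFL) != -1; }
int path_is_reachable(const char *p) { return access(p, F_OK) == 0; }

/* Appends msg plus a newline; returns bytes written or -1. */
int write_log_line(int fd, const char *msg)
{
    char line[512];
    int n = snprintf(line, sizeof line, "%s\n", msg);
    if (n < 0 || n >= (int)sizeof line)
        return -1;
    return (int)write(fd, line, (size_t)n);
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/empty";      /* assumed empty directory */
    int log = open_log_before_jail("/tmp/mod_chroot_example.log");  /* assumed log location */
    if (log < 0) { perror("open log"); return 1; }
    printf("before chroot: /etc/passwd reachable=%d\n", path_is_reachable("/etc/passwd"));
    int r = enter_jail(jail, 65534, 65534);                    /* nobody/nogroup on many systems */
    if (r == JAIL_NOT_PERMITTED) {
        puts("chroot(2) needs root (CAP_SYS_CHROOT); rerun as root to see the jail take effect");
        return 0;
    }
    if (r != JAIL_OK) { perror("enter_jail"); return 1; }
    printf("inside jail  : /etc/passwd reachable=%d, log fd still usable=%d\n",
           path_is_reachable("/etc/passwd"), fd_is_usable(log));
    write_log_line(log, "still logging from inside the jail");
    return 0;
}
```

   The final setuid(0) probe is the check that turns the "root can leave a
   chroot" caveat from the previous section into a testable condition rather
   than an assumption.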
   59 
   Installation and configuration are covered by INSTALL.
   61 
Caveats

   Running Apache (and CGI/Perl/PHP) inside a chroot jail can be tricky. Read
   CAVEATS for known problems and solutions.

   mod_chroot has been tested under Linux 2.4 and FreeBSD 4-STABLE with
   Apache 1.3.29. It should work under older versions of Apache 1.3 as well.

   Starting from version 0.3, mod_chroot supports Apache 2. It has been
   tested with Apache 2.0.51 under Linux 2.4 and FreeBSD 4-STABLE. It should
   work under older versions of Apache 2.0 as well. Be sure to read the Apache
   2.0 notes before using mod_chroot with Apache 2.0.
   74 
Download

   All published versions of mod_chroot are available at
   http://core.segfault.pl/~hobbit/mod_chroot/dist. Please use the latest
   one.
   80 
Contact

   Mail addresses:

     * modchroot-bugs@core.segfault.pl - report bugs here.
     * modchroot@core.segfault.pl - mod_chroot mailing list. Questions,
       feature requests and announcements should go here.
       Send an empty e-mail to modchroot-subscribe@core.segfault.pl to
       subscribe. Users who are not subscribed are not allowed to post.

   The mod_chroot mailing list is also available via GMane (as
   gmane.comp.apache.mod-chroot.general). GMane also has a nice archive.
   93 
Prior art

   I needed a simple module just to perform chroot at startup. Before I
   started coding, I found mod_security, which does this among other things.
   I didn't need URL normalization and the other mod_security features, so I
   decided to create my own module. My code is similar to mod_security's, with
   some sanity checks added. mod_security is developed by Ivan Ristic.