Comments on Chrooting Apache2 With mod_chroot On Debian Etch

Chrooting Apache2 With mod_chroot On Debian Etch

This guide explains how to set up mod_chroot with Apache2 on a Debian Etch system. With mod_chroot, you can run Apache2 in a secure chroot environment and make your server less vulnerable to break-in attempts that try to exploit vulnerabilities in Apache2 or your installed web applications.

Comments

By:

Actually, chroot was designed as a way of privilege separation, which in itself is a security measure, meaning compromise of an application does not compromise the entire system (a similar principle to mandatory access schemes like SELinux). http://en.wikipedia.org/wiki/Chroot

By:

chroot is for sandboxing build processes. It's not a security tool. 

http://kerneltrap.org/Linux/Abusing_chroot

Alan Cox stated that "chroot is not and never has been a security tool. People have built things based upon the properties of chroot but extended (BSD jails, Linux vserver) but they are quite different."


By:

Hi,

Thanks for the great (as always) tutorial. Unfortunately I can't agree with your statement "With mod_chroot, you can run Apache2 in a secure chroot environment [..]". Chroot is not a security tool, you can rely on it in terms of security. It wasn't designed with security purposes in mind, so its behavior can change without notice ;)

By:

Hi

Doing a symlink inside a jail is not a good idea... but it could be an easy way to do it.

But my apache told me that

 [Tue Mar 18 18:47:23 2008] [error] [client xxxxx] Symbolic link not allowed or link target not accessible: /web

After a little research I found this old discussion: http://osdir.com/ml/apache.mod-chroot.general/2005-12/msg00006.html

Never mind, how do you succeed in making the symlink work?

By: srn

Hi all,

Question:

If one compromises your Apache installation and runs an exploit which gives him root access,

can he access the real filesystem?