Slashdot Mirror


Using OpenBSD's chrooted Apache

BSD Forums writes "OpenBSD recently changed the mode of operation for the Apache webserver from the normal non-chrooted operation to chrooted operation. This enhances the security of the server on which Apache is run, but it imposes a few challenges on the system administrator. In this article Marc Balmer discusses selected aspects of running a chrooted HTTP daemon and presents strategies on how to set up a chrooted environment for more complex applications like database access or using CGI scripts."

3 of 101 comments

  1. Re:Hey - you guys broke my httpd.conf file! by ostiguy · Score: 4, Informative

    Honestly, this is one of the most touted changes to OpenBSD 3.2 - it was absolutely everywhere on the misc@ list, it is in the FAQ, it is the #3 bullet point under the "What's New" page for the 3.2 release. There is really no excuse for not knowing it was coming, and thus knowing it would be a likely reason for old configs to not work.

    ostiguy

  2. Re:site is /.'ed by jolan · Score: 5, Informative

    Yes, if someone gets root, then they can most likely break out of chroot.

    Thankfully, under OpenBSD even the apache parent process does not run as root:

    www 2376 0.0 0.3 1120 1440 ?? Ss Wed08PM 0:05.56 httpd: parent [chroot /var/www] (httpd)
    www 12097 0.0 0.2 1196 1008 ?? I Wed08PM 0:00.02 httpd: child (httpd)

    This means "remote root exploit" in Apache becomes "remote www-user-in-chroot exploit" for OpenBSD.

    It's a very nice feature. I wrote a document on how to get CVSWeb running within the Apache chroot environment recently. I'm guessing Marc's paper is somewhat similar in nature.

    http://marc.theaimsgroup.com/?l=openbsd-misc&m=104900672827459
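The property jolan points at above (no httpd process running as root, and the parent confined to the chroot) is something an administrator can check mechanically rather than by eyeballing ps output. The following is an added example, not code from the original post, Marc Balmer's paper, or OpenBSD itself: it parses ps -aux lines in the layout shown in the comment and reports any httpd process that is not running as the expected user or whose parent carries no "[chroot ...]" marker. The two "www" lines are taken from the comment; the two "root" lines are constructed misconfigurations added so the check has something to flag. The expected user "www" and chroot "/var/www" are the OpenBSD defaults; the column layout is assumed to be the 11-column BSD style (USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND).

```python
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample ps -aux output in the BSD column layout. The first two
# process lines mirror the chrooted, unprivileged setup quoted in the comment;
# the last two are hypothetical misconfigurations (httpd running as root,
# parent not chrooted) added only to exercise the check.
SAMPLE_PS = """\
USER   PID %CPU %MEM  VSZ  RSS TT  STAT STARTED    TIME COMMAND
www   2376  0.0  0.3 1120 1440 ??  Ss   Wed08PM 0:05.56 httpd: parent [chroot /var/www] (httpd)
www  12097  0.0  0.2 1196 1008 ??  I    Wed08PM 0:00.02 httpd: child (httpd)
root  4711  0.0  0.3 1120 1440 ??  Ss   Wed08PM 0:00.10 httpd: parent (httpd)
root  4712  0.0  0.2 1196 1008 ??  I    Wed08PM 0:00.01 httpd: child (httpd)
"""


@dataclass
class Proc:
    user: str
    pid: int
    command: str


def parse_ps(text):
    """Parse BSD-style ps -aux output into Proc records (header line skipped).

    The COMMAND column can contain spaces, so split at most 10 times and keep
    the remainder of the line as the command string.
    """
    procs = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue  # truncated or blank line
        procs.append(Proc(user=fields[0], pid=int(fields[1]), command=fields[10]))
    return procs


# OpenBSD's httpd rewrites its parent's argv to show the chroot directory.
CHROOT_RE = re.compile(r"\[chroot (/\S+)\]")


def audit_httpd(procs, expected_user="www", expected_root="/var/www"):
    """Return (pid, reason) findings for httpd processes that break the model
    described in the comment: every httpd process runs as expected_user, and
    the parent is chrooted to expected_root. Children are forked from the
    parent after the chroot, so only the parent carries the marker.
    """
    findings = []
    for p in procs:
        if not p.command.startswith("httpd:"):
            continue
        if p.user != expected_user:
            findings.append((p.pid, f"runs as {p.user}, expected {expected_user}"))
        if p.command.startswith("httpd: parent"):
            m = CHROOT_RE.search(p.command)
            if m is None:
                findings.append((p.pid, "parent is not chrooted"))
            elif m.group(1) != expected_root:
                findings.append((p.pid, f"parent chrooted to {m.group(1)}, expected {expected_root}"))
    return findings


if __name__ == "__main__":
    # Default: run against the constructed sample. With --live, run the real
    # ps -aux on the local host (assumes the BSD column layout above).
    text = SAMPLE_PS
    if "--live" in sys.argv:
        text = subprocess.run(["ps", "-aux"], capture_output=True, text=True, check=True).stdout
    results = audit_httpd(parse_ps(text))
    if not results:
        print("ok: all httpd processes unprivileged and parent chrooted")
    for pid, reason in results:
        print(f"pid {pid}: {reason}")
```

On the sample, the two lines taken from the comment produce no findings, while the constructed root-owned pair is reported three times (both processes run as root, and that parent shows no chroot marker). Note that the check only confirms what ps reports; it says nothing about whether the chroot directory itself is free of setuid binaries or writable by www, which is the part of the setup the linked article and paper deal with.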

  3. Recently? by dnaumov · Score: 4, Informative

    This isn't exactly a recent change, I believe this happened over 6 months ago...