Slashdot Mirror

← Back to Stories (view on slashdot.org)

Using OpenBSD's chrooted Apache

Posted by Hemos on Monday April 7, 2003 @12:43AM from the learning-what-to-do dept.

BSD Forums writes "OpenBSD recently changed the mode of operation for the Apache webserver from the normal non-chrooted operation to chrooted operation. This enhances the security of the server on which Apache is run but it imposes a few challenges to the system administrator. In this article Marc Balmer discusses selected aspects of running a chrooted HTTP daemon and present strategies on how to set up a chrooted environment for more complex applications like database access or using CGI-scripts."

1 of 101 comments (clear)

Min score:

Reason:

Sort:

Re:site is /.'ed by jolan · 2003-04-07 01:17 · Score: 5, Informative

Yes, if someone gets root, then they can most likely break out of chroot.

Thankfully, under OpenBSD even the apache parent process does not run as root:

www 2376 0.0 0.3 1120 1440 ?? Ss Wed08PM 0:05.56 httpd: parent [chroot /var/www] (httpd)
www 12097 0.0 0.2 1196 1008 ?? I Wed08PM 0:00.02 httpd: child (httpd)

This means "remote root exploit" in Apache becomes "remote www-user-in-chroot exploit" for OpenBSD.

It's a very nice feature. I wrote a document on how to get CVSWeb running within the Apache chroot environment recently. I'm guessing Marc's paper is somewhat similar in nature.

http://marc.theaimsgroup.com/?l=openbsd-misc&m=1 04 900672827459