Slashdot Mirror

← Back to Stories (view on slashdot.org)

Using OpenBSD's chrooted Apache

Posted by Hemos on from the learning-what-to-do dept.

BSD Forums writes "OpenBSD recently changed the mode of operation for the Apache webserver from the normal non-chrooted operation to chrooted operation. This enhances the security of the server on which Apache is run but it imposes a few challenges to the system administrator. In this article Marc Balmer discusses selected aspects of running a chrooted HTTP daemon and present strategies on how to set up a chrooted environment for more complex applications like database access or using CGI-scripts."

5 of 101 comments (clear)

  1. Hey - you guys broke my httpd.conf file! by dragonfly_blue · · Score: 5, Interesting
    I admittedly hadn't been paying much attention to the changes, but this one crept up and bit me on the ass last week while I was setting some new web servers for our ISP.

    It seems the chrooted Apache configuration in 3.2 is turned on by default, and it prevents cgi mappings from working properly under VirtualHosts directives. I was kind of aggravated; it took a while to figure out what was wrong.

    It's documented in the OpenBSD FAQ, but I couldn't pinpoint the problem to OpenBSD specifically (and the error log was mysteriously unhelpful at diagnosing the problem), so I spent quite a while reading up on Apache directives before I figured it out.

    It was frustrating, but I know Apache considerably better now, so I guess it was worth it. I agree that security is very admirable, which is why I use OpenBSD in the first place, but I think certain options should be turned off by default, especially if they break common services like VirtualHosts cgi ScriptAliases.

    Realistically, are most web servers going to be set up just to host one web site? Or am I the only one who uses VirtualHosts on most of my servers?

    --
    Free music from Jack Merlot.
    1. Re:Hey - you guys broke my httpd.conf file! by ostiguy · · Score: 4, Informative

      Honestly, this is one of the most touted changes to OpenBSD 3.2 - it was absolutely everywhere on the misc@ list, it is in the FAQ, it is the #3 bullet point under the "What's New" page for the 3.2 release. There is really no excuse for not knowing it was coming, and thus knowing it would be a likely reason for old configs to not work

      ostiguy

  2. Re:site is /.'ed by jolan · · Score: 5, Informative

    Yes, if someone gets root, then they can most likely break out of chroot.

    Thankfully, under OpenBSD even the apache parent process does not run as root:

    www 2376 0.0 0.3 1120 1440 ?? Ss Wed08PM 0:05.56 httpd: parent [chroot /var/www] (httpd)
    www 12097 0.0 0.2 1196 1008 ?? I Wed08PM 0:00.02 httpd: child (httpd)

    This means "remote root exploit" in Apache becomes "remote www-user-in-chroot exploit" for OpenBSD.

    It's a very nice feature. I wrote a document on how to get CVSWeb running within the Apache chroot environment recently. I'm guessing Marc's paper is somewhat similar in nature.

    http://marc.theaimsgroup.com/?l=openbsd-misc&m=1 04 900672827459

  3. Recently ? by dnaumov · · Score: 4, Informative

    This isn't exactly a recent change, I believe this happened over 6 months ago...

  4. Why don't the various Linux Dists... by Greyfox · · Score: 4, Interesting

    I've always wondered why the various linux dists don't contain -chroot packages of the various servers that support the chroot environment. Running that way would at least make it a bit more difficult to compromise your system when those inevitable remote exploits are found. If you package them separately, the administrator could choose which ones to run (Though that's not always a good thing.)

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?