Hi Jan > there are multiple ways to break out of a chroot-jail (example: > http://www.bpfh.net/simes/computing/chroot-break.html). So don't rely > on chroot's "security". > > In my opinion I can't recommend chrooting a apache because: > - time (chrooting apache costs a lot of time) > - complexity -> unstable (if you forget to cpy a lib to the chroot env > apache crashes during usage) > - obsecurity > > If you need a webserver with a good protection you should consider using > SELinux for example. This is a bit better security. But of course - the > complexity is far more harder then a chroot... > If SELinux is too much for you, use a virtual machine and secure the > apache with nice settings, mod_security, php-ids and similiar > technologies. I think I'd do it like that... just my 2 cents.
Yes, if you would like to have a secure and easy manageable chroot, use Linux-VServer [1] & [2] or OpenVZ [3]. As far as I know at least the Linux-VServer works with a "hardened" Kernel. > sysspoof > > >> Hello, >> I would like to see some opinions on chrooting - >> >> 1) how big are possible risks of hardened gentoo system compromise, > if apache >> is run normally, therefore a need of chrooting? >> >> 2) suppose I chroot Apache: what chances it still has to harm >> something in the >> outside OS? My knowledge about various system capabilities, network > etc is >> too little, so enlighten me... And how big is an Apache chroot? >> >> And by the way, how big are the risks for sshd and ntpd to open up > a way into >> the hardened gentoo system? If you use one of the mentioned virtualization approaches above, the sshd and ntpd daemons are running on the host and aren't required/recommended to run within the chroot (vserver). > Can that recent ntp glsa be ignored, if its >> hardened with memory protections? >> >> Jan [1]http://linux-vserver.org [2]http://www.gentoo.org/proj/en/vps/vserver-howto.xml [3]http://wiki.openvz.org regards Chris
