On Thu, 2005-12-15 at 03:02 +0100, Andreas Bartelt wrote: > Hi, > > James Strandboge wrote: > ... > >>While we're at systrace, I was wondering - could systrace reduce the risks > >>associated with running apache with PHP? > > > > > > Default apache is already chrooted, so systracing it won't be as much of > > a win as systracing processes not in a chroot. That said, you can > > definitely add another layer and protect your apache chroot area by > > systracing it, sure. chrooting and/or systracing every internet facing > > server is not a bad idea at all. > > > > Apache forks children with reduced priviledges (user www) while, at the > same time, there's always an Apache process running as root. Therefore, > a useful systrace policy for Apache probably won't be easy to write.
No, apache is not running as root, parent or children: $ ps auxww|grep [h]ttpd www 2651 0.0 0.3 1736 3368 ?? Ss 4Dec05 0:17.69 httpd: parent [chroot /var/www] (httpd) www 10443 0.0 0.3 1872 2612 ?? I 4Dec05 0:00.11 httpd: child (httpd) www 17711 0.0 0.3 1872 2564 ?? I 4Dec05 0:00.46 httpd: child (httpd) www 23046 0.0 0.3 1864 2644 ?? I 4Dec05 0:00.17 httpd: child (httpd) www 24669 0.0 0.3 1860 2564 ?? I 4Dec05 0:00.13 httpd: child (httpd) www 641 0.0 0.3 1852 2604 ?? I 4Dec05 0:00.19 httpd: child (httpd) www 25713 0.0 0.2 1840 2432 ?? I 4Dec05 0:00.25 httpd: child (httpd) www 13373 0.0 0.3 1860 2608 ?? I 4Dec05 0:00.09 httpd: child (httpd) www 11325 0.0 0.3 1860 2616 ?? I 4Dec05 0:00.14 httpd: child (httpd) www 31995 0.0 0.2 1836 2416 ?? I 4Dec05 0:00.22 httpd: child (httpd) www 25412 0.0 0.3 1864 2604 ?? I 4Dec05 0:00.23 httpd: child (httpd) As for systracing a process running as root-- I do it all the time and the benefits are an effective jail for a root process. If you are concerned about a root process using setuid to a uid with lower privilege, systrace can do that with no problem. Jamie
