httpd-users mailing list archives

From Davide Giunchi <davidegiun...@libero.it>
Subject [users@httpd] Re: chrooted cgi-bin
Date Mon, 02 Dec 2002 17:58:55 GMT

This is what I was searching for before using Apache in a real-world mass 
VirtualHosting system.
The direct answer to your question is: sbox; you can search for it on 
freshmeat.net.
I've used it, but to permit a little scripting to the users via a chrooted env 
you must compile a little chrooted env that uses ~20Mb for each VirtualHost 
(libc6, bash, perl with some modules), so you will lose a lot of space.
And then what about PHP? Wouldn't you like to chroot PHP too? Then you will need to 
compile PHP too, so more space is needed, at least another 10Mb.
Second, sbox is a program from 1997, with no upgrades since then; it works, but 
do you trust it for the future? I will use it only if I have good knowledge of C and 
of suexec.c internals.
Last but not least, every cgi-bin (or PHP) will need a chroot() system call, 
and this is not a small overhead on a big system.

So after a little testing I've found that I can get a great deal of security by running the whole 
Apache in a chroot, protecting every user's document root with Unix permissions, 
and using suEXEC.
In a chroot you can deny every user a look at /etc/passwd and other 
important files, and with simple permissions you can allow every user to 
look only at his own document root and not at other users' documents. Yes, it can 
surf the filesystem, but with a chroot you have few files, so you can 
control it quickly with Unix permissions.

Regards.

-- 
Davide Giunchi.
Member of FoLUG (Forlí Linux User Group) - http://folug.linux.it
GPG Key available on http://www.keyserver.net 
Fingerprint: 4BFF 2682 6A58 ECFE 071B  A1A4 F2A3 9EFA 6494 81FD


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
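
An added example, not part of the original message: a shell audit of the permission scheme the post describes for a chrooted Apache with suEXEC. The `<chroot>/home/<user>/public_html` layout, the function names and the sample tree are assumptions made here.

```sh
#!/bin/sh
# Added example: audit per-user document roots inside an Apache chroot.
# Assumed layout (not from the post): <chroot>/home/<user>/public_html,
# each docroot owned by its user, with the web server's group for read access.

# Print docroots that grant any permission to "other"; through such a docroot
# one hosting customer's CGI can list or read another customer's files.
audit_docroots() {
    for docroot in "$1"/home/*/public_html; do
        [ -d "$docroot" ] || continue
        # -prune: test the docroot itself, do not descend into it
        find "$docroot" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

# Print entries below the docroots that are group- or world-writable.
# suEXEC refuses to run a CGI program that is writable by anyone else,
# or that sits in a directory writable by anyone else.
audit_suexec_writable() {
    for docroot in "$1"/home/*/public_html; do
        [ -d "$docroot" ] || continue
        find "$docroot" ! -type l \( -perm -020 -o -perm -002 \) -print
    done
}

# Constructed sample tree: alice is locked down, bob is not.
build_sample() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/alice/public_html" "$t/home/bob/public_html/cgi-bin"
    chmod 750 "$t/home/alice/public_html"
    chmod 755 "$t/home/bob/public_html" "$t/home/bob/public_html/cgi-bin"
    : > "$t/home/bob/public_html/cgi-bin/form.cgi"
    chmod 777 "$t/home/bob/public_html/cgi-bin/form.cgi"
    printf '%s\n' "$t"
}

# Usage: audit.sh <chroot-dir>   or   audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(build_sample)
    audit_docroots "$demo"; audit_suexec_writable "$demo"
    rm -rf "$demo"
elif [ $# -gt 0 ]; then
    audit_docroots "$1"; audit_suexec_writable "$1"
fi
```

The mode bits are checked with POSIX `find -perm` only, so the script does not need root and does not depend on GNU `stat`.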

