httpd-users mailing list archives

From Chuck Pierce <>
Subject Re: [users@httpd] Re: chrooted cgi-bin
Date Tue, 03 Dec 2002 16:49:29 GMT
So basically between using the perchild module (for server side include apps
like php, etc) and Sbox (using mod_rewrite) I can have a virtual host look/feel
like it's the only thing on the box.  All this with minor excess system resources.

btw, when you are setting up loopback filesystem mounts are you setting up nfs
mounts?!?!  Wouldn't that take up a BUNCH more memory than just doing "ln -h
/home/chroot_usr /home/"?

- Chuck

On Tue, Dec 03, 2002 at 09:38:03AM +0700, Alain Fauconnet wrote:
> Just my 0.02 Euro:
> > As for file space is concerned, I can setup a chroot_usr directory that I hard
> > link to the users home directory as usr.  So when they reference /usr/bin/perl it
> > work (and I won't need a bunch of copies of perl).
> Hard links or loopback filesystems mounts. I use the latter because I
> find them more transparent and possibly more robust.
> > 
> > Now, my question is this; how much overhead were you talking about for the chrooted
> > system calls?  I was under the assumption that it just took up more memory (to
> > exec another shell).
> Exec another shell? Pardon? This is not needed at all. The chroot(2)
> system call just does that: changing the root location. It doesn't
> fork a new shell. Sbox calls chroot(2) just before exec'ing the CGI
> script, so there's no extra process overhead. I can't comment about
> the overhead of chroot itself, but my experience on a quite busy web
> server is that the load hasn't significantly increased after I began
> using Sbox.
> > > And then for php? wouldn't you like to chroot php too? so you will need to
> > > compile php too, so other space is needed, minimum other 10Mb.
> Sbox only applies to CGI interface, which PHP normally isn't unless
> you compile it this way (and break a lot of PHP code).
> PHP has its 'safe mode' to achieve roughly the same effect (I *do*
> understand that there are a lot of differences).
> > > Second sbox is a program of 1997, no other's upgrade since now, it works but
> > > do you trust it for the future? i will use it only if i've a good C and
> > > suexec.c internal knowledge.
> Good point, although the design of Sbox is simple and robust enough so
> that no updates are really needed. The CGI interface is not likely to
> change.
> Sbox's main gotcha is its file size resource limitation. It will limit
> the size of its own log file and Apache's log files, which makes for
> an easy DoS attack or problems for lazy sysadmins not rotating log
> files!
> Greets,
> _Alain_
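The file-size-limit gotcha Alain describes, as an added example that is not code from this thread or from Sbox itself: a wrapper that lowers its own RLIMIT_FSIZE before exec'ing a CGI caps every file that process then appends to, so a log that is already larger than the cap stops accepting writes. The function names and the scratch path `/tmp/sbox_fsize_demo.log` are assumptions made for this demo; it lowers only the soft limit so the process can reset it between runs.

```c
/* Added example, not code from the thread or from Sbox: the RLIMIT_FSIZE gotcha.
 * A wrapper that caps its own file-size limit before exec'ing a CGI also caps
 * every file that process appends to, even a shared log already past the cap. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>
/* Append len bytes of filler to path; return 0 or the failing errno. */
static int append_bytes(const char *path, size_t len) {
    char buf[256];
    memset(buf, 'x', sizeof buf);
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return errno;
    while (len > 0) {
        size_t n = len < sizeof buf ? len : sizeof buf;
        ssize_t w = write(fd, buf, n);
        if (w < 0) { int e = errno; close(fd); return e; }
        len -= (size_t)w;
    }
    return close(fd) == 0 ? 0 : errno;
}
/* Create a log holding `existing` bytes, then lower the soft RLIMIT_FSIZE to
 * `limit` as the wrapper would and append one 16-byte line. Returns 0 or the
 * write's errno (EFBIG once the file exceeds the cap); -1 means setup failed.
 * SIGXFSZ is ignored so we get the error instead of being killed like a CGI. */
int demo_fsize_gotcha(const char *logpath, rlim_t limit, size_t existing) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0) return -1;
    rl.rlim_cur = rl.rlim_max;                 /* undo any earlier cap */
    if (setrlimit(RLIMIT_FSIZE, &rl) != 0) return -1;
    unlink(logpath);
    if (append_bytes(logpath, existing) != 0) return -1;
    signal(SIGXFSZ, SIG_IGN);
    rl.rlim_cur = limit;                       /* the wrapper's cap */
    if (setrlimit(RLIMIT_FSIZE, &rl) != 0) return -1;
    int rc = append_bytes(logpath, 16);
    unlink(logpath);
    return rc;
}
int main(void) {                                   /* stand-alone run */
    const char *log = "/tmp/sbox_fsize_demo.log";  /* constructed scratch path */
    int rc = demo_fsize_gotcha(log, 1024, 2048);
    printf("cap 1024, log 2048: %d (%s)\n", rc, strerror(rc));
    return 0;
}
```

With the cap above the file size the append succeeds; with a 1024-byte cap on a 2048-byte log the write fails with EFBIG, which is why a wrapper's limit must be larger than any log it or the CGI may write to.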

The official User-To-User support forum of the Apache HTTP Server Project.
