|
This blog has moved! Please update your bookmarks to http://www.blog.modsecurity.org. |
« URL decoding bug fixed | Main | Fun with PHP CLI scripts »
Posted by ivanr on June 09, 2003.
I've added a new (and experimental) feature to mod_security (CVS and Apache 1.x only at the moment) that greatly simplifies the process of chrooting in most cases.
Essentially, the chroot call is made from Apache itself, at the very end of the initialisation process. The beauty of it is that Apache performs everything it needs (shared libraries, log files) before the chroot call and that allows you to put only data files into the jail.
I've written a short article here:
http://www.modsecurity.org/documentation/apache-internal-chroot.html
and the link in CVS is (again, only Apache 1.x):
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/mod-security/mod_security/apache1/mod_security.c?rev=1.4
What I have described works perfectly for me but I am interested to hear other opinions (or experiences). If you are interested please give it a try and let me know how you feel.
Posted by ivanr at June 9, 2003 08:32 PM
Hi, I'd like to try your chroot method. But one question: if my document root is set to /home/httpd/htdocs, then does it mean that I simply need to add the following line to apache.conf?
SecChrootDir /home/httpd
Kenneth
(|:-)
Posted by: Kenneth Wong at July 30, 2003 09:03 AM
Yes. However, from the point of view of the Apache all paths will change. So you will probably need to change "DocumentRoot /home/httpd/docs" to "DocumentRoot /docs".
Posted by: Ivan Ristic at July 31, 2003 05:16 PM
Hello. Just forgot to says that it works. And thanks for your mod_security and help!
Posted by: Kenneth Wong at October 15, 2003 02:37 AM