
Re: "chroot" + "mount --bind" + "ln" _or_ "chroot" + "cp -a"?



Jarno Gassenbauer said on Fri, May 30, 2003 at 07:56:35PM +0200:
> I'm setting up a chrooted apache.  All howtos I found
> _copy_ the required files into the directory that they
> later chroot into.
> Is it OK (read: safe) to use hardlinks and
> "mount --bind" instead?
 
I don't think so.  From what I've seen, you generally want your chroots on a
different filesystem from your "real" system.  In that case, hardlinks won't
work.

> # ln /etc/mime.types /etc/_chroot/apache/mime.types
> # <hardlink a few other files in /etc...>
> # mount --bind /etc/apache \
>      /etc/_chroot/apache/apache
> # mount --bind /etc/_chroot/apache \
>      /usr/chroot/apache/etc
> # mount --bind /usr/lib/apache/1.3 \
>      /usr/chroot/apache/usr/lib/apache/1.3
> # mount --bind /var/log/apache \
>      /usr/chroot/apache/var/log/apache
> # ...
 
I've never considered bind mounts to be a security feature; but they might be?
I'd definitely be _very_ wary of this...

> This would save some disk space, add file consistency
> and allow for use of read-write and read-only mounted
> partitions - without dedicating the partitions solely
> for apache.
 
The disk space issue is moot unless you're embedded (and if you're embedded, do
you really care?)... disk is way cheap, and way big, and an extra 1.5MB of
extra space is probably not necessary to worry about.

I usually just modify /etc/init.d/foo to build the chroot on start, restart,
and reload, copying config files from their normal locations, and then sending
signals as appropriate.  This means I don't have to think about the chroot, and
things Just Work (tm).

M
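As an added example (not code from this thread), a small sh script that does what the reply describes: it rebuilds the chroot tree by copying files at service start, and it checks that no file inside the tree still shares an inode with the original, which is exactly what a hardlink would leave behind. Function names and paths are my own; the files are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Rebuild a chroot tree by copying config files from their normal locations
# (run this from the init script on start/restart/reload so the copies stay
# in sync with the real files).

# populate_chroot CHROOT_DIR FILE...
# Copies each absolute FILE into CHROOT_DIR at the same relative path,
# preserving mode and timestamps. Each copy gets its own inode, so a write
# inside the chroot can never reach the real file.
populate_chroot() {
    chroot_dir=$1; shift
    for f in "$@"; do
        case $f in
            /*) ;;
            *)  echo "populate_chroot: need absolute path: $f" >&2; return 1 ;;
        esac
        dest="$chroot_dir$f"
        mkdir -p "$(dirname "$dest")" || return 1
        cp -p "$f" "$dest" || return 1
    done
}

# check_no_shared_inodes CHROOT_DIR FILE...
# Returns 1 if any file in the chroot is the same inode as its original,
# i.e. a hardlink (or a bind mount of the same file). That is the case the
# reply is wary of: the chrooted process then edits the real system file.
check_no_shared_inodes() {
    chroot_dir=$1; shift
    rc=0
    for f in "$@"; do
        if [ "$f" -ef "$chroot_dir$f" ]; then
            echo "shared inode (hardlink?): $f" >&2
            rc=1
        fi
    done
    return $rc
}
```

The `-ef` test compares device and inode numbers, so it also flags a file reached through a bind mount of the same filesystem.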
