Re: Advice Needed On Recent Rootings
On Tue, Jun 03, 2003 at 10:02:09AM -0400, Phillip Hofmeister wrote:
> On Mon, 02 Jun 2003 at 03:38:21PM -0500, Adam Majer wrote:
> > With something like sendmail or apache, it only needs to see a very
> > limited part of the file system, so even braking these will not do
> > any real damage.
> Don't get too over confident about chrooting Apache. One Apache process
> runs as root. This means if there is an exploit that sends arbitrary
> code across the shared scoreboard it could be ran as root and break out
> of the jail.
First, sorry for my very late reply :) I'm just reading the
messages here now...
Anyway, I wasn't talking about chroot. I was talking about
grsecurity and ACLs (I think). Then you specify what each
process is allowed to do and see (even root cannot get passed that).
You can make Apache see only the directories that you want it
to see. You can also specify that Apache cannot initiate a connection
(except to trusted nameserver for instance) and it can only listen on port 80.
With other features of grsecurity like stack randomization, Apache
becomes pretty much explot-proof...