
Re: putting Apache into chroot()-prison



"R. M. Lampert" wrote:
> 
> Hi, folks!
> 
> Due to some very unpleasant experience in the company
> I'm working at (rootshell attack due to a buffer overflow
> intrusion in httpd...)  there's a great need with us
> to inform thoroughly about changing to a safer environment,
> that is LAMP  or even better NAMP (NetBSD, Apache ... there
> are some very unpalatable truths in the world, indeed!).
> 
> Of topmost interest is building Apache and everything
> that is associated with it (particularly MySQL, PHP, Perl)
> within a chroot() environment to lock intruders within
> this special ,,root directory``.
> 
> Do you know any pointer to chroot()-information that includes
> some kind of HOWTO rather than a list of advantages of this
> approach?


Not to discourage you, but it's pretty well known chroot() is not
an ultimate solution for security, it has been in the past
rather easy to break out of it, from what I remember you
may be better off running FreeBSD and its jail() (??)
function which is a souped-up chroot(). All I'm trying to say
is don't expect chroot() to improve security much, a determined
cracker can defeat it (esp. on Linux) pretty easily. Search BUGTRAQ
for the discussions on the latest BIND problems (probably
about 6 months ago..) interesting discussions.

nate

-- 
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
aphro@aphroland.org


