ispCP - Board - Support
Apache & Suexec security [chroot] - Printable Version




Apache & Suexec security [chroot] - pcarboni - 11-01-2006 07:49 AM

Did anybody think about using apache + suexec with a chrooted version of suexec? [suexec chroot'ing every cgi into its own DocumentRoot for every virtual host]

I think if we get that kind of thing running, it will be GREAT STUFF!

Pablo.


RE: Apache & Suexec security [chroot] - MicCo - 11-01-2006 07:54 AM

Hi pcarboni,

Yes, and it's a very good thing. We are using it on another project that I'm also involved in, and it's a lift in security.

Look at this : http://www.x-panel.de/forum/showthread.php?tid=4&pid=9#pid9


RE: Apache & Suexec security [chroot] - pcarboni - 11-01-2006 08:00 AM

MicCo Wrote: Hi pcarboni,

Yes, and it's a very good thing. We are using it on another project that I'm also involved in, and it's a lift in security.

OK, there are several patches on the internet (Apache 1.3.x and 2.0.x).

Are you using any of those patches? Maybe a customized patch?

Maybe we must write our own patch?

Pablo.


RE: Apache & Suexec security [chroot] - MicCo - 11-01-2006 08:03 AM

I'm sure Quix0r has his head in the right direction and something on his mind for that.


RE: Apache & Suexec security [chroot] - ephigenie - 11-01-2006 09:32 AM

We're already working on fastcgi & suexec support.

Let's see what we can add here in terms of chroot ;)


RE: Apache & Suexec security [chroot] - Quix0r - 11-04-2006 04:27 AM

Yep, chroot is not yet implemented. :)


RE: Apache & Suexec security [chroot] - Alexey - 02-03-2007 03:36 PM

chroot is needed, yes
I tried once to make it, but did not succeed
will try again
look at mod_chroot for Apache


RE: Apache & Suexec security [chroot] - dannato - 02-16-2007 05:22 AM

Hi,
any news about virtualhost chroot?


Regards


RE: Apache & Suexec security [chroot] - BioALIEN - 02-27-2007 10:22 PM

The developers here are on the ball. They are attacking all the right security risks and I believe chrooted suexec is an important step :)


RE: Apache & Suexec security [chroot] - ephigenie - 02-28-2007 12:11 AM

Yes it is - but solutions to that are not as easy as they seem (for CGI).

We're investigating sbox and a few other scripts lying around.
But all have a huge overhead - so we're looking for something smart and portable (we don't want to include more secondary binary code than necessary). In fact, we don't even have anything platform-dependent included (except our daemon).

The problem is not to keep the chroot for the CGI small on start - it's more a problem of the users who want to execute perl or so - they then need to download big binary packages into their webspace ... (because they can't access anything outside)

If anyone has got a smart solution for this, you're more than welcome!
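
The overhead described in the last post can be measured per interpreter. The following is an added example, not part of the thread and not ispCP code: the function names `jail_deps`, `jail_size_kib` and `jail_stage` are hypothetical, and it assumes a Linux host with `ldd` and `awk`.

```shell
#!/bin/sh
# Added example (not ispCP code): what a chroot jail must contain before a
# dynamically linked interpreter such as perl can start inside it.
# Run ldd only on trusted system binaries; on glibc it can execute code
# from the file it inspects.

# jail_deps BIN: print BIN and every shared object it loads, one per line.
jail_deps() {
    bin=$(command -v "$1") || return 1
    printf '%s\n' "$bin"
    # ldd prints "libc.so.6 => /lib/libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep the absolute paths.
    # For a static binary ldd prints no paths, so only BIN is listed.
    ldd "$bin" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }' | sort -u
}

# jail_size_kib BIN: total size in KiB of those files (symlinks followed).
jail_size_kib() {
    list=$(jail_deps "$1") || return 1
    total=0
    for f in $list; do            # assumes library paths without spaces
        bytes=$(wc -c < "$f") || return 1
        total=$((total + bytes))
    done
    echo $((total / 1024))
}

# jail_stage BIN JAILDIR: copy the files into JAILDIR under the same paths.
jail_stage() {
    list=$(jail_deps "$1") || return 1
    for f in $list; do
        mkdir -p "$2$(dirname "$f")" && cp -L "$f" "$2$f" || return 1
    done
}

# Interpreter module trees (for perl, the @INC directories) come on top of
# this list; the figures here cover only the binary and its libraries.
```

Running `jail_size_kib sh` next to `jail_size_kib perl` gives the per-vhost cost of each jail before any module directories are added.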