Current time: 11-27-2024, 10:53 AM Hello There, Guest! (LoginRegister)


Post Reply 
Apache & Suexec security [chroot]
Author Message
pcarboni Offline
Newbie
*

Posts: 8
Joined: Nov 2006
Reputation: 0
Post: #1
Apache & Suexec security [chroot]
Did anybody think about using apache + suexec with a chrooted version of suexec? [suexec chroot'ing every cgi into its own DocumentRoot for every virtual host]

I think if we've got running that kind of thing, it will be a GREAT STUFF!

Pablo.
11-01-2006 07:49 AM
Visit this user's website Find all posts by this user Quote this message in a reply
MicCo Offline
Moderator
*****
Moderators

Posts: 277
Joined: Oct 2006
Reputation: 1
Post: #2
RE: Apache & Suexec security [chroot]
Hi pcarboni,

Yes, and it's a very good thing, we are using it on another project that I'm also involved in, and it's a lift in securety.

Look at this : http://www.x-panel.de/forum/showthread.p...pid=9#pid9
(This post was last modified: 11-01-2006 07:59 AM by MicCo.)
11-01-2006 07:54 AM
Visit this user's website Find all posts by this user Quote this message in a reply
pcarboni Offline
Newbie
*

Posts: 8
Joined: Nov 2006
Reputation: 0
Post: #3
RE: Apache & Suexec security [chroot]
MicCo Wrote:Hi pcarboni,

Yes, and it's a very good thing, we are using it on another project that I'm also involved in, and it's a lift in securety.

Ok, there are several patches over internet. (apache 1.3.x and 2.0.x)

Are you using any of those patches? Maybe a customized patch?

Maybe we must write an own patch?

Pablo.
11-01-2006 08:00 AM
Visit this user's website Find all posts by this user Quote this message in a reply
MicCo Offline
Moderator
*****
Moderators

Posts: 277
Joined: Oct 2006
Reputation: 1
Post: #4
RE: Apache & Suexec security [chroot]
I'm sure Quix0r have his head in the right direction and some thing on his mind for that.
11-01-2006 08:03 AM
Visit this user's website Find all posts by this user Quote this message in a reply
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #5
RE: Apache & Suexec security [chroot]
We're already working on fastcgi & suexec support.

let's see, what we can add here in terms of chrootWink
11-01-2006 09:32 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Quix0r Offline
Junior Member
*

Posts: 33
Joined: Oct 2006
Reputation: 0
Post: #6
RE: Apache & Suexec security [chroot]
Jupp, chroot is not yet implemented. Smile
11-04-2006 04:27 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Alexey Offline
Junior Member
*

Posts: 19
Joined: Feb 2007
Reputation: 0
Post: #7
RE: Apache & Suexec security [chroot]
chroot is need yes
i'm trying once to make it' but do not get success
will try again
look to mod_chroot for apache
02-03-2007 03:36 PM
Find all posts by this user Quote this message in a reply
dannato Offline


Posts: 2
Joined: Feb 2007
Reputation: 0
Post: #8
RE: Apache & Suexec security [chroot]
Hi,
any news about virtualhost chroot?


Regards
02-16-2007 05:22 AM
Visit this user's website Find all posts by this user Quote this message in a reply
BioALIEN Offline
Public Relations Officer
*****
Dev Team

Posts: 620
Joined: Feb 2007
Reputation: 5
Post: #9
RE: Apache & Suexec security [chroot]
The developers here are on the ball. They are attacking all the right security risks and I believe chrooted suexec is an important step Smile
02-27-2007 10:22 PM
Find all posts by this user Quote this message in a reply
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #10
RE: Apache & Suexec security [chroot]
Yes it is - but solutions to that are not as easy as it seems (for cgi).

We're investigating sbox and a few other scripts laying around.
But all have a huge overhead - so we're looking for something smart and portable (we don't want to include more secondary binary code than necessary) In fact we even have nothing platform depend included (except our daemon).

The problem is not to keep the chroot for the cgi small on start - it's more a problem of the users who want to execute perl or so - they then need to download big binary packages into their webspace ... (because they can't access anything outside)

If anyone got a smart solution for this you're more than welcome !
02-28-2007 12:11 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)