Threaded Mode | Linear Mode

pcarboni · 11-01-2006 07:49 AM

Did anybody think about using apache + suexec with a chrooted version of suexec? [suexec chroot'ing every cgi into its own DocumentRoot for every virtual host]

I think if we've got running that kind of thing, it will be a GREAT STUFF!

Pablo.

**MicCo** · 11-01-2006 07:54 AM

Hi pcarboni,

Yes, and it's a very good thing, we are using it on another project that I'm also involved in, and it's a lift in securety.

Look at this : http://www.x-panel.de/forum/showthread.p...pid=9#pid9

pcarboni · 11-01-2006 08:00 AM

MicCo Wrote:Hi pcarboni,

Yes, and it's a very good thing, we are using it on another project that I'm also involved in, and it's a lift in securety.

Ok, there are several patches over internet. (apache 1.3.x and 2.0.x)

Are you using any of those patches? Maybe a customized patch?

Maybe we must write an own patch?

Pablo.

**MicCo** · 11-01-2006 08:03 AM

I'm sure Quix0r have his head in the right direction and some thing on his mind for that.

***ephigenie*** · 11-01-2006 09:32 AM

We're already working on fastcgi & suexec support.

let's see, what we can add here in terms of chroot Wink

Quix0r · 11-04-2006 04:27 AM

Jupp, chroot is not yet implemented. Smile

Alexey · 02-03-2007 03:36 PM

chroot is need yes
i'm trying once to make it' but do not get success
will try again
look to mod_chroot for apache

dannato · 02-16-2007 05:22 AM

Hi,
any news about virtualhost chroot?

Regards

**BioALIEN** · 02-27-2007 10:22 PM

The developers here are on the ball. They are attacking all the right security risks and I believe chrooted suexec is an important step Smile

***ephigenie*** · 02-28-2007 12:11 AM

Yes it is - but solutions to that are not as easy as it seems (for cgi).

We're investigating sbox and a few other scripts laying around.
But all have a huge overhead - so we're looking for something smart and portable (we don't want to include more secondary binary code than necessary) In fact we even have nothing platform depend included (except our daemon).

The problem is not to keep the chroot for the cgi small on start - it's more a problem of the users who want to execute perl or so - they then need to download big binary packages into their webspace ... (because they can't access anything outside)

If anyone got a smart solution for this you're more than welcome !

Threaded Mode \| Linear Mode Apache & Suexec security [chroot]
Author	Message