Posted to users@httpd.apache.org by Farid Izem <fa...@gmail.com> on 2005/03/01 13:47:49 UTC

Re: [users@httpd] Problem Starting Apache Chrooted

Hi, I already solved the problem using Google.
In fact, I just have to do this:
mknod /var/jail/dev/null  c 1 3
chmod 666 /var/jail/dev/null

Everything works well now.

Kind Regards,

Farid


On Mon, 28 Feb 2005 11:20:14 -0800, John N. Brahy <jb...@ad2.com> wrote:
> Hello Farid,
> 
> The problem that I see is that you don't have all the necessary files in
> your chroot. When you chroot an application, it is not able to access
> anything beyond the chroot. So, you'll notice when it's trying to find
> /etc/ld.so.preload it's getting a -1 ENOENT (no such file or directory)
> error. If you are going to use /var/jail, you will have to copy all the
> files that you will need into that directory. I.E. copy
> /etc/ld.so.preload to /var/jail/etc/ld.so.preload. I'd follow the strace
> and do that for every file not found error you run across.
> 
> Hope that helps,
> 
> John
> 
> 
> chroot("/var/jail")                     = 0
> chdir("/")                              = 0
> execve("/usr/local/apache/bin/httpd", ["/usr/local/apache/bin/httpd"],
> [/* 30 vars */]) = 0
> brk(0)                                  = 0x80c2e08
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0x40015000
> open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
> directory)
> 
> :::::: John Brahy
> :::::: CIO
> :::::: ad2, Inc.
> 
> 
> -----Original Message-----
> From: Farid Izem [mailto:farid.izem@gmail.com]
> Sent: Saturday, February 26, 2005 3:26 AM
> To: users@httpd.apache.org
> Subject: [users@httpd] Problem Starting Apache Chrooted
> 
> Hi all,
> 
> I try to chroot apache 2.0.50 under Linux Slackware 10.
> 
> Using Slackware 10.0 Kernel 2.4.26 with Apache/2.0.50 built in mysql
> and php (php is disabled).
>         Server version: Apache/2.0.50
>         Server built:   Sep 19 2004 19:06:27
> 
> I try to start apache chrooted in the following ways :
>  /usr/sbin/chroot /var/jail /usr/local/apache/bin/httpd
> 
> The httpd server doesn't start anymore. This is the message i get from
> the error log :
> 
> [Sat Feb 26 12:57:11 2005] [crit] (2)No such file or directory:
> apr_proc_detach failed
> Pre-configuration failed
> 
> please find the output of strace function when starting apache :
> 
> strace /usr/sbin/chroot /var/jail /usr/local/apache/bin/httpd
> execve("/usr/sbin/chroot", ["/usr/sbin/chroot", "/var/jail",
> "/usr/local/apache/bin/httpd"], [/* 30 vars */]) = 0
> brk(0)                                  = 0x804bd4c
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0x40015000
> open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
> directory)
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=66177, ...}) = 0
> old_mmap(NULL, 66177, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40016000
> close(3)                                = 0
> open("/lib/libc.so.6", O_RDONLY)        = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360Y\1"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=1250840, ...}) = 0
> old_mmap(NULL, 1237892, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x40027000
> mprotect(0x4014f000, 25476, PROT_NONE)  = 0
> old_mmap(0x4014f000, 16384, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x128000) = 0x4014f000
> old_mmap(0x40153000, 9092, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40153000
> close(3)                                = 0
> munmap(0x40016000, 66177)               = 0
> open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = -1
> ENOENT (No such file or directory)
> brk(0)                                  = 0x804bd4c
> brk(0x804cd4c)                          = 0x804cd4c
> brk(0)                                  = 0x804cd4c
> brk(0x804d000)                          = 0x804d000
> open("/usr/share/locale/locale.alias", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=2601, ...}) = 0
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0x40016000
> read(3, "# Locale name alias data base.\n#"..., 4096) = 2601
> read(3, "", 4096)                       = 0
> close(3)                                = 0
> munmap(0x40016000, 4096)                = 0
> open("/usr/lib/locale/en_US/LC_IDENTIFICATION", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=370, ...}) = 0
> old_mmap(NULL, 370, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40016000
> close(3)                                = 0
> open("/usr/lib/locale/en_US/LC_MEASUREMENT", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=28, ...}) = 0
> old_mmap(NULL, 28, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000
> close(3)                                = 0
> open("/usr/lib/locale/en_US/LC_TELEPHONE", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=64, ...}) = 0
> old_mmap(NULL, 64, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
> close(3)                                = 0
> open("/usr/lib/locale/en_US/LC_ADDRESS", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
> old_mmap(NULL, 160, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40019000
> close(3)                                = 0
> open("/usr/lib/locale/en_US/LC_NAME", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=82, ...}) = 0
> old_mmap(NULL, 82, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001a000
> close(3)                                = 0
> open("/usr/lib/locale/en_US/LC_PAPER", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=39, ...}) = 0
> old_mmap(NULL, 39, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001b000
> close(3)                                = 0
> open("/usr/lib/locale/en_US/LC_MESSAGES", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> close(3)                                = 0
> open("/usr/lib/locale/en_US/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=57, ...}) = 0
> old_mmap(NULL, 57, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001c000
> close(3)                                = 0
> open("/usr/lib/locale/en_US/LC_MONETARY", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=291, ...}) = 0
> old_mmap(NULL, 291, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001d000
> close(3)                                = 0
> open("/usr/lib/locale/en_US/LC_TIME", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=2456, ...}) = 0
> old_mmap(NULL, 2456, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001e000
> close(3)                                = 0
> brk(0)                                  = 0x804d000
> brk(0x804e000)                          = 0x804e000
> open("/usr/lib/locale/en_US/LC_NUMERIC", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
> old_mmap(NULL, 59, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001f000
> close(3)                                = 0
> open("/usr/lib/locale/en_US/LC_CTYPE", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=178468, ...}) = 0
> old_mmap(NULL, 178468, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40156000
> close(3)                                = 0
> chroot("/var/jail")                     = 0
> chdir("/")                              = 0
> execve("/usr/local/apache/bin/httpd", ["/usr/local/apache/bin/httpd"],
> [/* 30 vars */]) = 0
> brk(0)                                  = 0x80c2e08
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0x40015000
> open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
> directory)
> open("/usr/local/apache/lib/i686/mmx/libaprutil-0.so.0", O_RDONLY) =
> -1 ENOENT (No such file or directory)
> stat64("/usr/local/apache/lib/i686/mmx", 0xbfffed40) = -1 ENOENT (No
> such file or directory)
> open("/usr/local/apache/lib/i686/libaprutil-0.so.0", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat64("/usr/local/apache/lib/i686", 0xbfffed40) = -1 ENOENT (No such
> file or directory)
> open("/usr/local/apache/lib/mmx/libaprutil-0.so.0", O_RDONLY) = -1
> ENOENT (No such file or directory)
> stat64("/usr/local/apache/lib/mmx", 0xbfffed40) = -1 ENOENT (No such
> file or directory)
> open("/usr/local/apache/lib/libaprutil-0.so.0", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360Q\0"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=740946, ...}) = 0
> old_mmap(NULL, 85512, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x40016000
> mprotect(0x4002a000, 3592, PROT_NONE)   = 0
> old_mmap(0x4002a000, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x13000) = 0x4002a000
> close(3)                                = 0
> open("/usr/local/apache/lib/libgdbm.so.3", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\20"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=19636, ...}) = 0
> old_mmap(NULL, 22252, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x4002b000
> mprotect(0x40030000, 1772, PROT_NONE)   = 0
> old_mmap(0x40030000, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x4000) = 0x40030000
> close(3)                                = 0
> open("/usr/local/apache/lib/libdb-4.2.so", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0pi\1\000"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=867492, ...}) = 0
> old_mmap(NULL, 863836, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x40031000
> mprotect(0x40102000, 7772, PROT_NONE)   = 0
> old_mmap(0x40102000, 8192, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0xd1000) = 0x40102000
> close(3)                                = 0
> open("/usr/local/apache/lib/libexpat.so.0", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P!\0\000"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=126996, ...}) = 0
> old_mmap(NULL, 129828, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x40104000
> mprotect(0x40121000, 11044, PROT_NONE)  = 0
> old_mmap(0x40121000, 12288, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x1c000) = 0x40121000
> close(3)                                = 0
> open("/usr/local/apache/lib/libapr-0.so.0", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\206"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=1322943, ...}) = 0
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0x40124000
> old_mmap(NULL, 129000, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x40125000
> mprotect(0x40143000, 6120, PROT_NONE)   = 0
> old_mmap(0x40143000, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x1d000) = 0x40143000
> old_mmap(0x40144000, 2024, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40144000
> close(3)                                = 0
> open("/usr/local/apache/lib/librt.so.1", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\32"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=25976, ...}) = 0
> old_mmap(NULL, 72536, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x40145000
> mprotect(0x4014b000, 47960, PROT_NONE)  = 0
> old_mmap(0x4014b000, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x5000) = 0x4014b000
> old_mmap(0x4014c000, 43864, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014c000
> close(3)                                = 0
> open("/usr/local/apache/lib/libm.so.6", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0206\0"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=139240, ...}) = 0
> old_mmap(NULL, 136768, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x40157000
> mprotect(0x40178000, 1600, PROT_NONE)   = 0
> old_mmap(0x40178000, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x20000) = 0x40178000
> close(3)                                = 0
> open("/usr/local/apache/lib/libcrypt.so.1", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \n\0\000"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=18992, ...}) = 0
> old_mmap(NULL, 181600, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x40179000
> mprotect(0x4017e000, 161120, PROT_NONE) = 0
> old_mmap(0x4017e000, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x4000) = 0x4017e000
> old_mmap(0x4017f000, 157024, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4017f000
> close(3)                                = 0
> open("/usr/local/apache/lib/libnsl.so.1", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000<\0\000"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=74276, ...}) = 0
> old_mmap(NULL, 84864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x401a6000
> mprotect(0x401b8000, 11136, PROT_NONE)  = 0
> old_mmap(0x401b8000, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x11000) = 0x401b8000
> old_mmap(0x401b9000, 7040, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x401b9000
> close(3)                                = 0
> open("/usr/local/apache/lib/libpthread.so.0", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0A\0\000"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=63468, ...}) = 0
> old_mmap(NULL, 331396, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x401bb000
> mprotect(0x401c9000, 274052, PROT_NONE) = 0
> old_mmap(0x401c9000, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0xe000) = 0x401c9000
> old_mmap(0x401ca000, 269956, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x401ca000
> close(3)                                = 0
> open("/usr/local/apache/lib/libdl.so.2", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\31\0\000"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=8868, ...}) = 0
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0x4020c000
> old_mmap(NULL, 11516, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x4020d000
> mprotect(0x4020f000, 3324, PROT_NONE)   = 0
> old_mmap(0x4020f000, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0x4020f000
> close(3)                                = 0
> open("/usr/local/apache/lib/libc.so.6", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360Y\1"...,
> 1024) = 1024
> fstat64(3, {st_mode=S_IFREG|0755, st_size=1250840, ...}) = 0
> old_mmap(NULL, 1237892, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0x40210000
> mprotect(0x40338000, 25476, PROT_NONE)  = 0
> old_mmap(0x40338000, 16384, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x128000) = 0x40338000
> old_mmap(0x4033c000, 9092, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4033c000
> close(3)                                = 0
> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) =
> 0
> setrlimit(RLIMIT_STACK, {rlim_cur=2044*1024, rlim_max=RLIM_INFINITY}) =
> 0
> getpid()                                = 29152
> uname({sys="Linux", node="ABXLDap", ...}) = 0
> rt_sigaction(SIGRTMIN, {0x401c2ec0, [], SA_RESTORER, 0x40239078}, NULL,
> 8) = 0
> rt_sigaction(SIGRT_1, {0x401c2f10, [], SA_RESTORER, 0x40239078}, NULL,
> 8) = 0
> rt_sigaction(SIGRT_2, {0x401c2fe0, [], SA_RESTORER, 0x40239078}, NULL,
> 8) = 0
> rt_sigprocmask(SIG_BLOCK, [RTMIN], NULL, 8) = 0
> _sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbffff42c, 31, (nil), 0}) = 0
> brk(0)                                  = 0x80c2e08
> brk(0x80c3e08)                          = 0x80c3e08
> brk(0)                                  = 0x80c3e08
> brk(0x80c4000)                          = 0x80c4000
> brk(0)                                  = 0x80c4000
> brk(0x80c5000)                          = 0x80c5000
> brk(0)                                  = 0x80c5000
> brk(0x80c7000)                          = 0x80c7000
> brk(0)                                  = 0x80c7000
> brk(0x80c9000)                          = 0x80c9000
> brk(0)                                  = 0x80c9000
> brk(0x80cb000)                          = 0x80cb000
> brk(0)                                  = 0x80cb000
> brk(0x80cd000)                          = 0x80cd000
> brk(0)                                  = 0x80cd000
> brk(0x80cf000)                          = 0x80cf000
> brk(0)                                  = 0x80cf000
> brk(0x80d1000)                          = 0x80d1000
> brk(0)                                  = 0x80d1000
> brk(0x80d3000)                          = 0x80d3000
> brk(0)                                  = 0x80d3000
> brk(0x80d5000)                          = 0x80d5000
> brk(0)                                  = 0x80d5000
> brk(0x80d7000)                          = 0x80d7000
> brk(0)                                  = 0x80d7000
> brk(0x80d9000)                          = 0x80d9000
> brk(0)                                  = 0x80d9000
> brk(0x80db000)                          = 0x80db000
> brk(0)                                  = 0x80db000
> brk(0x80dd000)                          = 0x80dd000
> brk(0)                                  = 0x80dd000
> brk(0x80df000)                          = 0x80df000
> brk(0)                                  = 0x80df000
> brk(0x80e1000)                          = 0x80e1000
> brk(0)                                  = 0x80e1000
> brk(0x80e3000)                          = 0x80e3000
> brk(0)                                  = 0x80e3000
> brk(0x80e5000)                          = 0x80e5000
> brk(0)                                  = 0x80e5000
> brk(0x80e7000)                          = 0x80e7000
> brk(0)                                  = 0x80e7000
> brk(0x80e9000)                          = 0x80e9000
> brk(0)                                  = 0x80e9000
> brk(0x80eb000)                          = 0x80eb000
> brk(0)                                  = 0x80eb000
> brk(0x80ed000)                          = 0x80ed000
> brk(0)                                  = 0x80ed000
> brk(0x80ef000)                          = 0x80ef000
> brk(0)                                  = 0x80ef000
> brk(0x80f1000)                          = 0x80f1000
> brk(0)                                  = 0x80f1000
> brk(0x80f3000)                          = 0x80f3000
> brk(0)                                  = 0x80f3000
> brk(0x80f5000)                          = 0x80f5000
> brk(0)                                  = 0x80f5000
> brk(0x80f7000)                          = 0x80f7000
> brk(0)                                  = 0x80f7000
> brk(0x80f9000)                          = 0x80f9000
> brk(0)                                  = 0x80f9000
> brk(0x80fb000)                          = 0x80fb000
> brk(0)                                  = 0x80fb000
> brk(0x80fd000)                          = 0x80fd000
> brk(0)                                  = 0x80fd000
> brk(0x80ff000)                          = 0x80ff000
> brk(0)                                  = 0x80ff000
> brk(0x8101000)                          = 0x8101000
> brk(0)                                  = 0x8101000
> brk(0x8103000)                          = 0x8103000
> brk(0)                                  = 0x8103000
> brk(0x8105000)                          = 0x8105000
> brk(0)                                  = 0x8105000
> brk(0x8107000)                          = 0x8107000
> brk(0)                                  = 0x8107000
> brk(0x8109000)                          = 0x8109000
> brk(0)                                  = 0x8109000
> brk(0x810a000)                          = 0x810a000
> brk(0)                                  = 0x810a000
> brk(0x810b000)                          = 0x810b000
> brk(0)                                  = 0x810b000
> brk(0x810d000)                          = 0x810d000
> lstat64("/usr/local/apache/conf/httpd.conf", {st_mode=S_IFREG|0644,
> st_size=26165, ...}) = 0
> open("/usr/local/apache/conf/httpd.conf", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=26165, ...}) = 0
> read(3, "### Section 1: Global Environmen"..., 4096) = 4096
> stat64("/usr/local/apache", {st_mode=S_IFDIR|0755, st_size=4096, ...}) =
> 0
> brk(0)                                  = 0x810d000
> brk(0x8110000)                          = 0x8110000
> brk(0)                                  = 0x8110000
> brk(0x8114000)                          = 0x8114000
> brk(0)                                  = 0x8114000
> brk(0x8117000)                          = 0x8117000
> brk(0)                                  = 0x8117000
> brk(0x811a000)                          = 0x811a000
> brk(0)                                  = 0x811a000
> brk(0x811d000)                          = 0x811d000
> brk(0)                                  = 0x811d000
> brk(0x8120000)                          = 0x8120000
> read(3, "winnt.c>\n\t<IfModule !mpm_netware"..., 4096) = 4096
> brk(0)                                  = 0x8120000
> brk(0x8123000)                          = 0x8123000
> brk(0)                                  = 0x8123000
> brk(0x8126000)                          = 0x8126000
> brk(0)                                  = 0x8126000
> brk(0x8128000)                          = 0x8128000
> read(3, "access, agent, and referer infor"..., 4096) = 4096
> read(3, "ore\n# and not include in the lis"..., 4096) = 4096
> read(3, "so8859-6  .latin6 .arb\nAddCharse"..., 4096) = 4096
> brk(0)                                  = 0x8128000
> brk(0x812a000)                          = 0x812a000
> read(3, " default include files will disp"..., 4096) = 4096
> read(3, "ache directive may go into a Vir"..., 4096) = 1589
> read(3, "", 4096)                       = 0
> close(3)                                = 0
> stat64("/usr/local/apache/bin/suexec", 0xbffff510) = -1 ENOENT (No
> such file or directory)
> socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = -1 EAFNOSUPPORT (Address
> family not supported by protocol)
> socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
> socket(PF_FILE, SOCK_STREAM, 0)         = 4
> connect(4, {sa_family=AF_FILE, path="/var/run/.nscd_socket"}, 110) =
> -1 ENOENT (No such file or directory)
> close(4)                                = 0
> open("/etc/nsswitch.conf", O_RDONLY)    = 4
> fstat64(4, {st_mode=S_IFREG|0644, st_size=1083, ...}) = 0
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0x4033f000
> read(4, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1083
> read(4, "", 4096)                       = 0
> close(4)                                = 0
> munmap(0x4033f000, 4096)                = 0
> open("/usr/local/apache/lib/libnss_compat.so.2", O_RDONLY) = -1 ENOENT
> (No such file or directory)
> open("/etc/ld.so.cache", O_RDONLY)      = -1 ENOENT (No such file or
> directory)
> open("/lib/i686/mmx/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No
> such file or directory)
> stat64("/lib/i686/mmx", 0xbfffecc0)     = -1 ENOENT (No such file or
> directory)
> open("/lib/i686/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such
> file or directory)
> stat64("/lib/i686", 0xbfffecc0)         = -1 ENOENT (No such file or
> directory)
> open("/lib/mmx/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such
> file or directory)
> stat64("/lib/mmx", 0xbfffecc0)          = -1 ENOENT (No such file or
> directory)
> open("/lib/libnss_compat.so.2", O_RDONLY) = 4
> read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\26\0"...,
> 1024) = 1024
> fstat64(4, {st_mode=S_IFREG|0755, st_size=41912, ...}) = 0
> old_mmap(NULL, 45004, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =
> 0x4033f000
> mprotect(0x40349000, 4044, PROT_NONE)   = 0
> old_mmap(0x40349000, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 4, 0x9000) = 0x40349000
> close(4)                                = 0
> uname({sys="Linux", node="ABXLDap", ...}) = 0
> open("/etc/passwd", O_RDONLY)           = 4
> fcntl64(4, F_GETFD)                     = 0
> fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
> fstat64(4, {st_mode=S_IFREG|0644, st_size=42, ...}) = 0
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0x4034a000
> _llseek(4, 0, [0], SEEK_CUR)            = 0
> read(4, "apache:x:1006:107::/home/apache:"..., 4096) = 42
> close(4)                                = 0
> munmap(0x4034a000, 4096)                = 0
> brk(0)                                  = 0x812a000
> brk(0x812b000)                          = 0x812b000
> socket(PF_FILE, SOCK_STREAM, 0)         = 4
> connect(4, {sa_family=AF_FILE, path="/var/run/.nscd_socket"}, 110) =
> -1 ENOENT (No such file or directory)
> close(4)                                = 0
> open("/etc/group", O_RDONLY)            = 4
> fcntl64(4, F_GETFD)                     = 0
> fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
> fstat64(4, {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0x4034a000
> _llseek(4, 0, [0], SEEK_CUR)            = 0
> read(4, "apache:x:107:\n", 4096)        = 14
> close(4)                                = 0
> munmap(0x4034a000, 4096)                = 0
> brk(0)                                  = 0x812b000
> brk(0x812d000)                          = 0x812d000
> brk(0)                                  = 0x812d000
> brk(0x812f000)                          = 0x812f000
> brk(0)                                  = 0x812f000
> brk(0x8131000)                          = 0x8131000
> brk(0)                                  = 0x8131000
> brk(0x8133000)                          = 0x8133000
> stat64("/usr/local/apache/htdocs", {st_mode=S_IFDIR|0755,
> st_size=4096, ...}) = 0
> brk(0)                                  = 0x8133000
> brk(0x8135000)                          = 0x8135000
> brk(0)                                  = 0x8135000
> brk(0x8137000)                          = 0x8137000
> brk(0)                                  = 0x8137000
> brk(0x8139000)                          = 0x8139000
> brk(0)                                  = 0x8139000
> brk(0x813b000)                          = 0x813b000
> brk(0)                                  = 0x813b000
> brk(0x813d000)                          = 0x813d000
> brk(0)                                  = 0x813d000
> brk(0x813f000)                          = 0x813f000
> brk(0)                                  = 0x813f000
> brk(0x8141000)                          = 0x8141000
> brk(0)                                  = 0x8141000
> brk(0x8143000)                          = 0x8143000
> brk(0)                                  = 0x8143000
> brk(0x8145000)                          = 0x8145000
> brk(0)                                  = 0x8145000
> brk(0x8147000)                          = 0x8147000
> brk(0)                                  = 0x8147000
> brk(0x8149000)                          = 0x8149000
> brk(0)                                  = 0x8149000
> brk(0x814b000)                          = 0x814b000
> brk(0)                                  = 0x814b000
> brk(0x814d000)                          = 0x814d000
> brk(0)                                  = 0x814d000
> brk(0x814f000)                          = 0x814f000
> brk(0)                                  = 0x814f000
> brk(0x8151000)                          = 0x8151000
> brk(0)                                  = 0x8151000
> brk(0x8153000)                          = 0x8153000
> brk(0)                                  = 0x8153000
> brk(0x8155000)                          = 0x8155000
> brk(0)                                  = 0x8155000
> brk(0x8157000)                          = 0x8157000
> brk(0)                                  = 0x8157000
> brk(0x8159000)                          = 0x8159000
> brk(0)                                  = 0x8159000
> brk(0x815b000)                          = 0x815b000
> brk(0)                                  = 0x815b000
> brk(0x815d000)                          = 0x815d000
> brk(0)                                  = 0x815d000
> brk(0x815f000)                          = 0x815f000
> brk(0)                                  = 0x815f000
> brk(0x8161000)                          = 0x8161000
> brk(0)                                  = 0x8161000
> brk(0x8163000)                          = 0x8163000
> brk(0)                                  = 0x8163000
> brk(0x8165000)                          = 0x8165000
> brk(0)                                  = 0x8165000
> brk(0x8167000)                          = 0x8167000
> brk(0)                                  = 0x8167000
> brk(0x8169000)                          = 0x8169000
> brk(0)                                  = 0x8169000
> brk(0x816b000)                          = 0x816b000
> setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
> setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0
> bind(3, {sa_family=AF_INET, sin_port=htons(80),
> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
> listen(3, 511)                          = 0
> pipe([4, 5])                            = 0
> fcntl64(4, F_GETFL)                     = 0 (flags O_RDONLY)
> fcntl64(4, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
> open("/usr/local/apache/logs/error_log",
> O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 6
> dup2(6, 2)                              = 2
> open("/usr/local/apache/logs/access_log",
> O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 7
> brk(0)                                  = 0x816b000
> brk(0x816d000)                          = 0x816d000
> open("/usr/local/apache/conf/mime.types", O_RDONLY) = 8
> fstat64(8, {st_mode=S_IFREG|0644, st_size=14993, ...}) = 0
> read(8, "# This is a comment. I love comm"..., 4096) = 4096
> read(8, "tion/vnd.fdf\napplication/vnd.ffs"..., 4096) = 4096
> brk(0)                                  = 0x816d000
> brk(0x816f000)                          = 0x816f000
> read(8, "\napplication/vnd.pvi.ptid1\nappli"..., 4096) = 4096
> brk(0)                                  = 0x816f000
> brk(0x8171000)                          = 0x8171000
> read(8, "mp\t\t\tbmp\nimage/cgm\t\t\tcgm\nimage/g"..., 4096) = 2705
> brk(0)                                  = 0x8171000
> brk(0x8173000)                          = 0x8173000
> read(8, "", 4096)                       = 0
> close(8)                                = 0
> close(5)                                = 0
> close(4)                                = 0
> lstat64("/usr/local/apache/conf/httpd.conf", {st_mode=S_IFREG|0644,
> st_size=26165, ...}) = 0
> open("/usr/local/apache/conf/httpd.conf", O_RDONLY) = 4
> fstat64(4, {st_mode=S_IFREG|0644, st_size=26165, ...}) = 0
> read(4, "### Section 1: Global Environmen"..., 4096) = 4096
> stat64("/usr/local/apache", {st_mode=S_IFDIR|0755, st_size=4096, ...}) =
> 0
> read(4, "winnt.c>\n\t<IfModule !mpm_netware"..., 4096) = 4096
> read(4, "access, agent, and referer infor"..., 4096) = 4096
> read(4, "ore\n# and not include in the lis"..., 4096) = 4096
> read(4, "so8859-6  .latin6 .arb\nAddCharse"..., 4096) = 4096
> read(4, " default include files will disp"..., 4096) = 4096
> read(4, "ache directive may go into a Vir"..., 4096) = 1589
> read(4, "", 4096)                       = 0
> close(4)                                = 0
> chdir("/")                              = 0
> fork()                                  = 29153
> --- SIGCHLD (Child exited) @ 0 (0) ---
> exit_group(0)                           = ?
> 
> Can anyone help me in chrooting my apache server.
> 
> Best regards,
> 
> Ultrix
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
>
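
The strace-driven check John describes, as an added example that is not part of the original thread: it lists paths that fail with ENOENT only after `chroot()` and drops dynamic-loader search-path probes and files the host lacks too. The posted trace was taken without `-f`, so it stops at `fork()`; the child lines in the sample are constructed (the `/dev/null` miss is assumed from the fix reported above), and the names `jail_missing` and `sample_trace` are hypothetical.

```shell
#!/bin/sh
# Added example: find files a chrooted program needs but the jail lacks,
# from strace output. Reads the trace on stdin, prints one path per line.

jail_missing() {
    awk '
    function base(p) { sub(".*/", "", p); return p }
    function dir(p)  { sub("/[^/]*$", "", p); return p }
    {
        # strace -f marks child lines "[pid N] "; with -o FILE it uses "N ".
        sub(/^(\[pid +[0-9]+\] +|[0-9]+ +)/, "")
        name = substr($0, 1, index($0, "(") - 1)
    }
    # Everything after a successful chroot() resolves inside the jail.
    name == "chroot" && /\) += 0/ { jailed = 1; next }
    # Only path-taking syscalls are of interest.
    name !~ /^(open|openat|stat|stat64|lstat|lstat64|access|connect)$/ { next }
    match($0, /"[^"]*"/) == 0 { next }
    {
        path = substr($0, RSTART + 1, RLENGTH - 2)
        enoent = ($0 ~ /= -1 ENOENT/)
        if (!jailed) {
            # Missing on the host as well: not a jail problem.
            if (enoent) host_missing[path] = 1
            next
        }
        if (enoent) {
            if (!(path in failed)) { failed[path] = 1; order[++n] = path }
        } else if ($0 ~ /\) += [0-9]/) {
            found[base(path)] = 1
        }
    }
    END {
        # A failed probe whose basename was found elsewhere is a search-path
        # miss; the directory the loader stat()ed afterwards is one too.
        for (i = 1; i <= n; i++)
            if (base(order[i]) in found) probe_dir[dir(order[i])] = 1
        for (i = 1; i <= n; i++) {
            p = order[i]
            if ((p in host_missing) || (base(p) in found) || (p in probe_dir))
                continue
            print p
        }
    }'
}

# Constructed sample: unwrapped lines modelled on the trace in this thread,
# plus two constructed child lines as "strace -f" would label them.
sample_trace() {
    cat <<'EOF'
execve("/usr/sbin/chroot", ["/usr/sbin/chroot", "/var/jail", "/usr/local/apache/bin/httpd"], [/* 30 vars */]) = 0
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
chroot("/var/jail")                     = 0
chdir("/")                              = 0
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/usr/local/apache/lib/i686/libaprutil-0.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/local/apache/lib/i686", 0xbfffed40) = -1 ENOENT (No such file or directory)
open("/usr/local/apache/lib/libaprutil-0.so.0", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY)      = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY)           = 4
fork()                                  = 29153
[pid 29153] setsid()                    = 29153
[pid 29153] open("/dev/null", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

sample_trace | jail_missing
```

To use it on a real start-up, capture the trace with `strace -f -o trace.txt /usr/sbin/chroot /var/jail /usr/local/apache/bin/httpd` and run `jail_missing < trace.txt`. The output is a list of candidates to review, not a list to copy blindly: every file added to the jail is also available to anyone who compromises the server inside it.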



Re: [users@httpd] Problem Starting Apache Chrooted

Posted by Farid Izem <fa...@gmail.com>.
If your Apache version has vulnerabilities and if it is chrooted,
unless the jail is broken, the restricted file system of the jail will be
compromised, not the whole system.

It limits damages. After that, you need to improve security at level 7
(Applications Layer).
Do not use modules that have security issues, prevent users from executing CGI,
strong authentication, SSL, etc...

Kind Regards,

Farid


On Fri, 4 Mar 2005 11:10:33 +0200, John <is...@cc.uoi.gr> wrote:
> Well, fortunately the invader will not access the system unless he breaks the
> chroot() function of the kernel.
> 
> 
> ----- Original Message -----
> From: "Ivan Barrera A." <Br...@Ivn.cl>
> To: <us...@httpd.apache.org>
> Sent: Thursday, March 03, 2005 2:31 PM
> Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> 
> > > I suppose you mean the actual chroot and not mod_chroot or mod_security
> > > (???)
> > >
> > >
> > > Let me ask you something.
> > > If an apache version is vulnerable, and someone using a script or something
> > > manages to install a backdoor on the server (let's say /tmp, that means
> > > /chroot/tmp)
> > > Could he install it and then open the port?
> >
> > They could.
> > But, if they log in (suppose a login backdoor) they'll see the chrooted env.
> > You must take more security measures to avoid that. I prefer having tmp
> > mounted as noexec. Obviously, that doesn't work if someone uploads a perl
> > script and then executes perl to launch it.. but every measure counts.
> >
> >
> > >
> > > Give me some more advantages on actual chroot.
> > >
> > >
> > > Thanks in advance.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Farid Izem" <fa...@gmail.com>
> > > To: <us...@httpd.apache.org>
> > > Sent: Wednesday, March 02, 2005 7:45 PM
> > > Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> > >
> > >
> > >
> > >>Didn't look at the security issues as I am trying to understand the
> > >>chroot mechanism
> > >>Not only for Apache but also for Squid and bind !
> > >>
> > >>I think this module can increase the security in the near future !
> > >>
> > >>Kind Regards,
> > >>
> > >>Farid.
> > >>
> > >>
> > >>On Wed, 2 Mar 2005 15:21:22 +0200, John <is...@cc.uoi.gr> wrote:
> > >>
> > >>>Ok, but if you look in the bugs history then you will find that mod_security
> > >>>has been suffering
> > >>>from various security problems.
> > >>>
> > >>>I have heard that it is a good module for chroot and other security
> > >>>hardening.
> > >>>
> > >>>
> > >>>----- Original Message -----
> > >>>From: "Farid Izem" <fa...@gmail.com>
> > >>>To: <us...@httpd.apache.org>
> > >>>Sent: Wednesday, March 02, 2005 10:33 AM
> > >>>Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> > >>>
> > >>>
> > >>>>Yes, I said Mod_security not mod_chroot :
> > >>>>Take a look at :
> > >>>>
> > >>>>http://www.modsecurity.org/documentation/apache-internal-chroot.html
> > >>>
> > >>>>Best Regards,
> > >>>>
> > >>>>Farid.
> > >>>>
> > >>>>On Tue, 1 Mar 2005 20:53:39 +0200, John <is...@cc.uoi.gr> wrote:
> > >>>>
> > >>>>>----- Original Message -----
> > >>>>>From: "Farid Izem" <fa...@gmail.com>
> > >>>>>To: <us...@httpd.apache.org>
> > >>>>>Sent: Tuesday, March 01, 2005 7:39 PM
> > >>>>>Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> > >>>>>
> > >>>>>
> > >>>>>>Not yet thinking on !
> > >>>>>>I compiled my apache from the latest source before chrooting it.
> > >>>>>>Maybe using a shell script using ldd command may be the first way to look at.
> > >>>>>>Using rpm httpd file and mod_security is the easiest solution to upgrade
> > >>>>>>Because mod_security provides a simple solution to chroot easily apache.
> > >>>>>>There are some limits to this mechanism but maybe it could be enough for you.
> > >>>>>>
> > >>>>>>Any ideas on are welcome !
> > >>>>>>
> > >>>>>>Kind Regards,
> > >>>>>>
> > >>>>>>Farid
> > >>>>>>
> > >>>>>>
> > >>>>>
> > >>>>>mod_security or mod_chroot ?
> > >>>>>mod_chroot is more focused on chrooting apache's process i think.
> > >>>>>
> > >>>>>What are the limitations you mentioned on this mechanism?
> > >>>>>

Re: [users@httpd] Problem Starting Apache Chrooted

Posted by Farid Izem <fa...@gmail.com>.
Use a reverse proxy behind your Chrooted WebServer to filter the content.

Best Regards,

Farid


On Fri, 4 Mar 2005 11:10:33 +0200, John <is...@cc.uoi.gr> wrote:
> Well, fortunately the invader will not access the system unless he breaks the
> chroot() function of the kernel.


Re: [users@httpd] Problem Starting Apache Chrooted

Posted by John <is...@cc.uoi.gr>.
Well, fortunately the invader will not access the system unless he breaks the
chroot() function of the kernel.



----- Original Message ----- 
From: "Ivan Barrera A." <Br...@Ivn.cl>
To: <us...@httpd.apache.org>
Sent: Thursday, March 03, 2005 2:31 PM
Subject: Re: [users@httpd] Problem Starting Apache Chrooted


> > I suppose you mean the actual chroot and not mod_chroot or mod_security
> > (???)
> >
> >
> > Let me ask you something.
> > If an apache version is vulnerable, and someone using a script or something
> > manages to install a backdoor on the server (let's say /tmp, that means
> > /chroot/tmp)
> > Could he install it and then open the port?
>
> They could.
> But, if they log in (suppose a login backdoor) they'll see the chrooted env.
> You must take more security measures to avoid that. I prefer having tmp
> mounted as noexec. Obviously, that doesn't work if someone uploads a perl
> script and then executes perl to launch it.. but every measure counts.
>
>
> >
> > Give me some more advantages on actual chroot.
> >
> >
> > Thanks in advance.


Re: [users@httpd] Problem Starting Apache Chrooted

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
> I suppose you mean the actual chroot and not mod_chroot or mod_security
> (???)
> 
> 
> Let me ask you something.
> If an apache version is vulnerable, and someone using a script or something
> manages to install a backdoor on the server (let's say /tmp, that means
> /chroot/tmp)
> Could he install it and then open the port?

They could.
But, if they log in (suppose a login backdoor) they'll see the chrooted env.
You must take more security measures to avoid that. I prefer having tmp 
mounted as noexec. Obviously, that doesn't work if someone uploads a perl 
script and then executes perl to launch it.. but every measure counts.


> 
> Give me some more advantages on actual chroot.
> 
> 
> Thanks in advance.
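A check for the two points in Ivan's reply above, added here as an example that is not part of the original thread: it reads /proc/mounts-format text to confirm the jail's tmp carries noexec, and lists interpreters inside the jail that would run an uploaded script regardless of noexec. The nosuid/nodev requirements, the interpreter and directory lists, the function names and the sample mount tables are assumptions made for the example; /var/jail is the jail path used earlier in the thread.

```python
import os

# noexec is the option named in the post; nosuid and nodev are an added
# assumption about what a hardened, world-writable tmp mount normally carries.
REQUIRED_TMP_OPTS = ("noexec", "nosuid", "nodev")

# "perl script.pl" executes the perl binary, not the script, so the mount
# flags of the directory holding the script are never consulted.
INTERPRETERS = ("perl", "python", "python3", "php", "ruby", "sh", "bash")
BIN_DIRS = ("bin", "usr/bin", "usr/local/bin")  # assumed search locations

# Constructed sample mount tables (not taken from the thread).
SAMPLE_WEAK = (
    "/dev/hda1 / ext3 rw 0 0\n"
    "/dev/hda3 /var ext3 rw,nosuid 0 0\n"
)
SAMPLE_HARDENED = SAMPLE_WEAK + (
    "tmpfs /var/jail/tmp tmpfs rw,nosuid,nodev,noexec 0 0\n"
)


def unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as 3-digit octal.
    out, i = [], 0
    while i < len(field):
        digits = field[i + 1:i + 4]
        if field[i] == "\\" and len(digits) == 3 and all(c in "01234567" for c in digits):
            out.append(chr(int(digits, 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text):
    """Return [(mount_point, set_of_options)] in the order listed."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts.append((unescape(parts[1]), set(parts[3].split(","))))
    return mounts


def options_for(path, mounts):
    """Mount point and options of the file system that holds path.

    The longest matching mount point wins; on a tie the later entry wins,
    because a later mount on the same directory hides the earlier one.
    """
    path = os.path.normpath(path)
    best, best_opts = None, None
    for mount_point, opts in mounts:
        mp = os.path.normpath(mount_point)
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best):
                best, best_opts = mp, opts
    return best, best_opts


def audit_jail(jail_root, mounts_text):
    """Return findings as tuples:
    ("tmp-mount", mount_point, [missing options]) and ("interpreter", path).
    """
    findings = []
    tmp = os.path.normpath(os.path.join(jail_root, "tmp"))
    mount_point, opts = options_for(tmp, parse_mounts(mounts_text))
    missing = [o for o in REQUIRED_TMP_OPTS if opts is None or o not in opts]
    if missing:
        findings.append(("tmp-mount", mount_point, missing))
    for bin_dir in BIN_DIRS:
        for name in INTERPRETERS:
            candidate = os.path.join(jail_root, bin_dir, name)
            # A symlink counts too: inside the jail it may resolve to a
            # different target than it does when inspected from the host.
            if os.path.islink(candidate) or (
                os.path.isfile(candidate) and os.access(candidate, os.X_OK)
            ):
                findings.append(("interpreter", candidate))
    return findings


if __name__ == "__main__":
    for label, table in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_jail("/var/jail", table))
    # On a live host, pass open("/proc/mounts").read() instead of a sample.
```

An empty result means tmp is mounted with all three options and none of the listed interpreters are present in the jail; an "interpreter" finding alongside a clean tmp mount is exactly the case the post warns about.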


Re: [users@httpd] Problem Starting Apache Chrooted

Posted by John <is...@cc.uoi.gr>.
I suppose you mean the actual chroot and not mod_chroot or mod_security
(???)


Let me ask you something.
If an apache version is vulnerable, and someone using a script or something
manages to install a backdoor on the server (let's say /tmp, that means
/chroot/tmp)
Could he install it and then open the port?

Give me some more advantages on actual chroot.


Thanks in advance.


----- Original Message ----- 
From: "Farid Izem" <fa...@gmail.com>
To: <us...@httpd.apache.org>
Sent: Wednesday, March 02, 2005 7:45 PM
Subject: Re: [users@httpd] Problem Starting Apache Chrooted


> Didn't look at the security issues as I am trying to understand the
> chroot mechanism
> Not only for Apache but also for Squid and bind !
>
> I think this module can increase the security in the near future !
>
> Kind Regards,
>
> Farid.


Re: [users@httpd] Problem Starting Apache Chrooted

Posted by Farid Izem <fa...@gmail.com>.
Didn't look at the security issues as I am trying to understand the
chroot mechanism
Not only for Apache but also for Squid and bind !

I think this module can increase the security in the near future !

Kind Regards,

Farid.


On Wed, 2 Mar 2005 15:21:22 +0200, John <is...@cc.uoi.gr> wrote:
> Ok, but if you look in the bugs history then you will find that mod_security
> has been suffering
> from various security problems.
> 
> I have heard that it is a good module for chroot and other security
> hardening.
> 
> 
> ----- Original Message -----
> From: "Farid Izem" <fa...@gmail.com>
> To: <us...@httpd.apache.org>
> Sent: Wednesday, March 02, 2005 10:33 AM
> Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> 
> > Yes, i said Mod_security not mod_chroot :
> > Take a look at :
> > http://www.modsecurity.org/documentation/apache-internal-chroot.html
> >
> > Best Regards,
> >
> > Farid.
> >
> > On Tue, 1 Mar 2005 20:53:39 +0200, John <is...@cc.uoi.gr> wrote:
> > > ----- Original Message -----
> > > From: "Farid Izem" <fa...@gmail.com>
> > > To: <us...@httpd.apache.org>
> > > Sent: Tuesday, March 01, 2005 7:39 PM
> > > Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> > >
> > > > Not yet thinking on !
> > > > I compiled my apache from the latest source before chrooting it.
> > > > Maybe using a shell script using ldd command may be the first way to look at.
> > > > Using rpm httpd file and mod_security is the easiest solution to upgrade
> > > > Because mod_security provide a simple solution to chroot easily apache.
> > > > There are some limits to this mechanism but maybe it could be enough for you.
> > > >
> > > > Any ideas on are welcome !
> > > >
> > > > Kind Regards,
> > > >
> > > > Farid
> > > >
> > > >
> > >
> > > mod_security or mod_chroot ?
> > > mod_chroot is more focused on chrooting apache's process i think.
> > >
> > > What are the limitations you mentioned on this mechanism?
> > >



Re: [users@httpd] Problem Starting Apache Chrooted

Posted by John <is...@cc.uoi.gr>.
Ok, but if you look in the bugs history then you will find that mod_security
has been suffering
from various security problems.

I have heard that it is a good module for chroot and other security
hardening.



----- Original Message ----- 
From: "Farid Izem" <fa...@gmail.com>
To: <us...@httpd.apache.org>
Sent: Wednesday, March 02, 2005 10:33 AM
Subject: Re: [users@httpd] Problem Starting Apache Chrooted


> Yes, i said Mod_security not mod_chroot :
> Take a look at :
> http://www.modsecurity.org/documentation/apache-internal-chroot.html
>
> Best Regards,
>
> Farid.
>
> On Tue, 1 Mar 2005 20:53:39 +0200, John <is...@cc.uoi.gr> wrote:
> > ----- Original Message -----
> > From: "Farid Izem" <fa...@gmail.com>
> > To: <us...@httpd.apache.org>
> > Sent: Tuesday, March 01, 2005 7:39 PM
> > Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> >
> > > Not yet thinking on !
> > > I compiled my apache from the latest source before chrooting it.
> > > Maybe using a shell script using ldd command may be the first way to look at.
> > > Using rpm httpd file and mod_security is the easiest solution to upgrade
> > > Because mod_security provide a simple solution to chroot easily apache.
> > > There are some limits to this mechanism but maybe it could be enough for you.
> > >
> > > Any ideas on are welcome !
> > >
> > > Kind Regards,
> > >
> > > Farid
> > >
> > >
> >
> > mod_security or mod_chroot ?
> > mod_chroot is more focused on chrooting apache's process i think.
> >
> > What are the limitations you mentioned on this mechanism?
> >





Re: [users@httpd] Problem Starting Apache Chrooted

Posted by Farid Izem <fa...@gmail.com>.
Yes, i said Mod_security not mod_chroot : 
Take a look at : 
        http://www.modsecurity.org/documentation/apache-internal-chroot.html

Best Regards,

Farid.

On Tue, 1 Mar 2005 20:53:39 +0200, John <is...@cc.uoi.gr> wrote:
> ----- Original Message -----
> From: "Farid Izem" <fa...@gmail.com>
> To: <us...@httpd.apache.org>
> Sent: Tuesday, March 01, 2005 7:39 PM
> Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> 
> > Not yet thinking on !
> > I compiled my apache from the latest source before chrooting it.
> > Maybe using a shell script using ldd command may be the first way to look at.
> > Using rpm httpd file and mod_security is the easiest solution to upgrade
> > Because mod_security provide a simple solution to chroot easily apache.
> > There are some limits to this mechanism but maybe it could be enough for you.
> >
> > Any ideas on are welcome !
> >
> > Kind Regards,
> >
> > Farid
> >
> >
> 
> mod_security or mod_chroot ?
> mod_chroot is more focused on chrooting apache's process i think.
> 
> What are the limitations you mentioned on this mechanism?
> 



Re: [users@httpd] Problem Starting Apache Chrooted

Posted by John <is...@cc.uoi.gr>.
----- Original Message ----- 
From: "Farid Izem" <fa...@gmail.com>
To: <us...@httpd.apache.org>
Sent: Tuesday, March 01, 2005 7:39 PM
Subject: Re: [users@httpd] Problem Starting Apache Chrooted


> Not yet thinking on !
> I compiled my apache from the latest source before chrooting it.
> Maybe using a shell script using ldd command may be the first way to look at.
> Using rpm httpd file and mod_security is the easiest solution to upgrade
> Because mod_security provide a simple solution to chroot easily apache.
> There are some limits to this mechanism but maybe it could be enough for you.
>
> Any ideas on are welcome !
>
> Kind Regards,
>
> Farid
>
>

mod_security or mod_chroot ?
mod_chroot is more focused on chrooting apache's process i think.

What are the limitations you mentioned on this mechanism?





Re: [users@httpd] Problem Starting Apache Chrooted

Posted by Farid Izem <fa...@gmail.com>.
Not yet thinking on !
I compiled my apache from the latest source before chrooting it.
Maybe using a shell script using ldd command may be the first way to look at.
Using rpm httpd file and mod_security is the easiest solution to upgrade
Because mod_security provide a simple solution to chroot easily apache.
There are some limits to this mechanism but maybe it could be enough for you.

Any ideas on are welcome !

Kind Regards,

Farid


On Tue, 1 Mar 2005 15:09:42 +0200, John <is...@cc.uoi.gr> wrote:
> 
> ----- Original Message -----
> From: "Farid Izem" <fa...@gmail.com>
> To: "John N. Brahy" <jb...@ad2.com>
> Cc: <us...@httpd.apache.org>
> Sent: Tuesday, March 01, 2005 2:47 PM
> Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> 
> > Hi, i already solve the problem using google.
> > In fact, i just have to do this :
> > mknod /var/jail/dev/null  c 1 3
> > chmod 666 /var/jail/dev/null
> >
> > Everything works well now.
> >
> > Kind Regards,
> >
> > Farid
> >
> >
> How do you cope with the http patching or updating ?
> 
> 
>
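
The ldd-based script suggested in the message above, sketched as an added example (not code posted in the thread): it reads `ldd` output, reports libraries that are missing from the jail or differ from the host copy after an upgrade, and copies them in. The function names are hypothetical; /var/jail and /usr/local/apache/bin/httpd are the paths used in the thread.

```shell
#!/bin/sh
# Added example: keep a chroot jail's shared libraries in step with the host.
# Usage (paths from the thread, run as a user allowed to write to the jail):
#   ldd /usr/local/apache/bin/httpd | jail_stale /var/jail   # report only
#   ldd /usr/local/apache/bin/httpd | jail_sync  /var/jail   # copy into jail

# Read `ldd` output on stdin, print the absolute path of each resolved library.
# Lines such as "linux-vdso.so.1 (0x...)" or "libfoo.so => not found" are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Read `ldd` output on stdin, print libraries that are missing from the jail
# or whose jail copy differs from the host file (e.g. after a host upgrade).
jail_stale() {
    jail=$1
    ldd_paths | while IFS= read -r lib; do
        [ -f "$lib" ] || continue
        cmp -s "$lib" "$jail$lib" 2>/dev/null || printf '%s\n' "$lib"
    done
}

# Copy every missing or stale library into the jail under the same path.
# -L copies the file a symlinked library name points to; -p keeps mode/mtime.
jail_sync() {
    jail=$1
    jail_stale "$jail" | while IFS= read -r lib; do
        mkdir -p "$jail$(dirname "$lib")" && cp -pL "$lib" "$jail$lib"
    done
}

# Succeed only if the jail has /dev/null as a character device
# (the node created with mknod earlier in the thread).
jail_has_devnull() {
    [ -c "$1/dev/null" ]
}
```

Running `jail_stale` after each host or httpd upgrade shows which jail copies no longer match, which is the patching question raised in the quoted reply.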



Re: [users@httpd] Problem Starting Apache Chrooted

Posted by John <is...@cc.uoi.gr>.
----- Original Message ----- 
From: "Farid Izem" <fa...@gmail.com>
To: "John N. Brahy" <jb...@ad2.com>
Cc: <us...@httpd.apache.org>
Sent: Tuesday, March 01, 2005 2:47 PM
Subject: Re: [users@httpd] Problem Starting Apache Chrooted


> Hi, i already solve the problem using google. 
> In fact, i just have to do this : 
> mknod /var/jail/dev/null  c 1 3
> chmod 666 /var/jail/dev/null
> 
> Everything works well now.
> 
> Kind Regards,
> 
> Farid
> 
> 
How do you cope with the http patching or updating ?


