OT:chroot on a webserver? and hlfs roadmap. Security beginner's question.

Mike Hernandez sequethin at gmail.com
Sun Oct 10 14:03:58 PDT 2004


On Sun, 10 Oct 2004 23:56:40 +0300, Jan Mattila <jan.mattila at helsinki.fi> wrote:
> Quoting "R.Welz" <linuxprodukte at gmx.de>:
> 
> > Besides, does somebody know the answer to my chroot questions?
> > It would save some time if I knew which service works with
> > chroot and which not.
> >
> >>- chroot Apache2,
> >>- same with OpenSSH, sftp,
> >>- what about PHP and Perl?
> >>- e-mail server (I'm not quite sure which one yet, since I
> >>  never set up an email server before, probably sendmail)
> >>- Bind9
> 
> Apache2 with PHP and MySQL work in a chroot jail. Artur Maj
> has written an article series about securing them. You can
> find them at:
> 
> http://www.securityfocus.com/infocus/1786 (Apache2)
> http://www.securityfocus.com/infocus/1726 (MySQL)
> http://www.securityfocus.com/infocus/1706 (PHP)
> 
> I haven't tried jailing the rest, but anything should work
> inside a jail as long as all the needed files exist inside
> that jail.
> 
> I think the question is more in how to get them to work in
> the jail. For this you might have to dig into some tedious
> ldd, strace, other tracing of linked files and you name it.

For making chroot jails you might want to try out jailkit. It's a set
of Python scripts that allows you to make jails just by editing a
config file and running the scripts. It takes some work to tailor the
default to something lfs compatible, but it's well worth the effort if
you make jails a lot. It's even more useful for creating jail-shell
accounts.

Mike

P.S. jailkit is at: http://olivier.sessink.nl/jailkit/
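
The `ldd` tracing mentioned in the quoted reply, sketched as an added example that is not part of the original message and not jailkit's code. The function names `parse_ldd` and `populate_jail` are hypothetical and the sample `ldd` output is constructed.

```shell
#!/bin/sh
# Added example: work out which shared objects a binary needs inside a chroot.

# Constructed sample of ldd output (not taken from a real system).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd4a5f2000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f1c2a000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)
    libmissing.so.2 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f1c2a400000)'

# Read ldd output on stdin and print one absolute path per line.
# Unresolved libraries are reported on stderr and make the function return 1.
parse_ldd() {
    awk '
        /=> not found/            { print "missing: " $1 > "/dev/stderr"; bad = 1; next }
        $2 == "=>" && $3 ~ /^\//  { print $3; next }   # name => /path (addr)
        $1 ~ /^\//                { print $1 }         # dynamic loader line
        END { exit bad + 0 }
    '
}

# Copy BINARY (absolute path) and its libraries into JAILDIR, keeping paths.
# Assumption: BINARY is trusted; ldd can run code from the file it inspects.
populate_jail() {
    local jail bin libs
    jail=$1; bin=$2
    case $bin in /*) ;; *) echo "BINARY must be an absolute path" >&2; return 2 ;; esac
    [ -d "$jail" ] && [ -x "$bin" ] || { echo "usage: populate_jail JAILDIR BINARY" >&2; return 2; }
    # A library that ldd cannot resolve aborts the copy instead of leaving a broken jail.
    libs=$(ldd "$bin" | parse_ldd) || return 1
    printf '%s\n' "$bin" "$libs" | sort -u | (
        while IFS= read -r f; do
            [ -n "$f" ] || continue
            mkdir -p "$jail$(dirname "$f")" && cp -pL "$f" "$jail$f" || exit 1
        done
    )
}
```

`ldd` only lists link-time dependencies; files a service opens at run time (NSS modules, configuration files, device nodes) are what the `strace` step is for.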


