On Fri, 25 Jan 2008 11:31:32 +0000 "Ivan Ristic" <[EMAIL PROTECTED]> wrote:
> I don't think this should be a discussion of whether chroot is worth
> using as a security measure. IMHO it should be about allowing Apache
> users to make a choice whether they will use chroot in this way or
> not.

+1.

> For the record, I have regretted including the chroot feature in
> ModSecurity many times over. Not because of the feature itself (which
> -- I still think -- is very useful when the circumstances are right)
> but because of the support I was required to provide on the mailing
> list over the years. To troubleshoot chroot issues requires a very
> good understanding of how things work and takes a lot of time. Subtle
> problems may arise with modules that are not expecting to be cut-off
> from the filesystem half-way through, or with modules that fork at
> startup.

Thanks for the insight! Chroot problems are indeed a support issue
(though still a fairly infrequent one) in apache's own support fora.
I guess you've relieved us of some part (maybe most) of that burden.

> With this in mind, I have always felt the reluctance of the
> Apache developers to include support for chroot has more to do with
> these support issues rather than with any technical reasons.

Still more likely: lack of round tuits. Builtin support could still
happen. In fact I recently committed a patch to /trunk/.

> A compromise might be to create a chroot hook and allow module
> developers to use it. This would shift the support burden somewhat
> from the core Apache team to those willing to engage the users
> providing support.

Isn't that basically the status quo (mod_security presumably hooks it
in at post_config)?

> Personally, I don't really have a need for the internal chroot feature
> ever since I discovered the makejail utility (part of Debian, and
> maybe other systems), which worked really well for me. On the other
> hand, I am interested in getting Apache to drop certain capabilities
> (where supported) at startup. I plan to look into it eventually.

Can we expect your contributions to the apache core code in the
not-too-distant?

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/