On 2012-08-21, David Diggles <da...@elven.com.au> wrote: > On Mon, Aug 20, 2012 at 12:42:16PM -0700, Byron Klippert wrote: >> The web interfaces interact with the system through CGI scripts, httpd >> is run chroot disabled (httpd_flags="-u"). > > Just one comment for now. You can run it as chroot if you copy any > dependancies into the chroot, including binaries, libraries.
> ...and be sure to update them if patches come out. depends what's needed, but it's often not really a security win to copy enough of the OS into the chroot jail so that scripts can run, especially if it means it's unlikely to be kept updated. OTOH if the only need for non-chroot is to access PF tables, and the scripts are in a language which can easily run inside chroot (e.g. perl with mod_perl), see the 'tabled' package.
