Hi Igor. chroot, like Fred said, add another security layer in your environment, protecting the OS from the Web Server. I mean, if web server have be compromised, the person will have access just to the web server.
chroot is a good option to secure your webserver, but maybe it's not easily to build. An another option to add a good security layer, protecting the OS from the web server, is using SELinux. With SELinux is possible to protect the OS from the web server in a way similar like chroot. Bye. On Tue, Jun 16, 2009 at 4:11 AM, Igor Cicimov <icici...@gmail.com> wrote: > Running apache in chroot adds another layer of security. You can chroot the > apache server and copy over all the libraries you need and only the programs > you need like /bin/sh lets say to start/stop the server. In that way any > security issue or intruder will end up in "jail" and have limited programs > to run. Also what ever damage he/she might cause will be in the chroot > enviroment, which you can esally recover, and not in your real root. > > We run all our company production servers in chroot. > > Cheers, > > Igor > > > On Mon, Jun 15, 2009 at 6:40 PM, Fred Zinsli <fred.zin...@shooter.co.nz>wrote: > >> Hello everyone >> >> I can't seem to get my head around this chrooted and non-chrooted apache >> server thing at all. >> >> What are the pros & cons, advantages or dissadvantages of chrooted over >> non-chrooted apache servers. >> >> In a nutshell, is a preferable to run apache chrooted on a production >> server or not? >> >> Curently my public server is not chrooted but I am planning a major >> upgrade and I thought this would be a good opertunity to change my apache >> configuration at the same time if it was warranted. >> >> The server is currently configured for name based virtual hosts. >> >> Any comments would be most appreciated. >> >> Regards >> >> Fred >> >> >> >> --------------------------------------------------------------------- >> The official User-To-User support forum of the Apache HTTP Server Project. >> See <URL:http://httpd.apache.org/userslist.html> for more info. >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >> " from the digest: users-digest-unsubscr...@httpd.apache.org >> For additional commands, e-mail: users-h...@httpd.apache.org >> >> > -- Best Regards Carlos Eduardo Maiolino - CyberS0nic Fedora Project - Brazilian Ambassador / Bug Tracker http://www.fedoraproject.org http://www.projetofedora.org ------------------------- Contacts IRC: CyberS0nic AT irc.freenode.net ICQ: 142852055 msn: cyberson...@gmail.com gtalk: cybersonic0
