Using OpenBSD's chrooted Apache 101
BSD Forums writes "OpenBSD recently changed the mode of operation for the Apache webserver from the normal non-chrooted operation to chrooted operation. This enhances the security of the server on which Apache is run but it imposes a few challenges to the system administrator.
In this article Marc Balmer discusses selected aspects of running a chrooted HTTP daemon and presents strategies on how to set up a chrooted environment for more complex applications like database access or using CGI scripts."
slashdotted (Score:1, Insightful)
Security v. ease of use (Score:3, Insightful)
Just my
Re:Hey - you guys broke my httpd.conf file! (Score:2, Insightful)
the relatively scarce number of IP addresses left
roll on ipv6
Why BSD? (Score:2, Insightful)
Yes, it is their loss -- but generally applicable topics that just happen to be demonstrated on a BSD really should not be tagged 'BSD' in the Slashdot topic heading IMHO. They should be tagged according to the topic (Say, Apache, in this case).
Does anyone have a bittorrent of the pdf? (Score:3, Insightful)
Re:*BSD is dying (Score:1, Insightful)
Let's put it this way, BSD will not die as long as MacOS X exists. Plus note, it's not about the market share if you can grok the source code!
-uso.
BSD r0x0r!
(Yeah, I know, I'm -1 Offtopic.)
Re:Security v. ease of use (Score:2, Insightful)
OpenBSD does not cater to "Joe User" nor does it claim to. You are correct, Joe User should be using something that gives more direction and simplifies their experience, such as RedHat.
-Rusty
It's nice but.... (Score:2, Insightful)
Why? No fault of OpenBSD, really. Simply that in order to do anything really interesting, I had to disable the chroot of httpd. Take perl scripts, for example: If a CGI script is supposed to be interpreted by
As another example, PHP's mail() function [which is fairly important, I feel] relies on the presence of sendmail. Sendmail, then, must be accessible from the chroot directory in order to work.
Someone above has commented that you can mount
Ultimately, the paper does describe ways around this, basically preloading any shared library your Apache modules might need and populating the chroot jail with any binaries you want for CGI and their shared libraries. This mirroring however requires a good deal of maintenance and waste of space (following OpenBSD partitioning recommendations,
The situation will get better, though, and they'll find a simple elegant maintenance system, as OpenBSD always has. Some things have to change: For example
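The "mirroring" approach the post above describes, copying a CGI interpreter or sendmail into the jail together with every shared library it needs, is exactly the kind of chore that should be scripted rather than done by hand. The script below is an added example and is not code from the thread or from Marc Balmer's article; it assumes an `ldd` that prints library paths as absolute paths (both OpenBSD's and Linux's do) and a jail root the caller can write to. Function names (`install_into_jail`, `list_shared_libs`, `jail_has`) are this example's own.

```shell
#!/bin/sh
# Added example: populate a chroot jail with binaries plus the shared
# libraries they depend on. Not from the thread or the article it discusses.
# Assumes `ldd` prints absolute library paths (OpenBSD and Linux both do)
# and that the caller may create files under the jail root.
set -u

# copy_preserving_path JAIL SRC: copy SRC into JAIL at the same absolute path.
# Symlinks are dereferenced so the jail holds the real file, not a link that
# would dangle once the process is chrooted.
copy_preserving_path() {
    jail=$1; src=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")" || return 1
    cp -pL "$src" "$dest"
}

# list_shared_libs BIN: print the absolute paths of the shared objects BIN
# loads (including the dynamic linker). A static binary yields no output,
# since ldd's "not a dynamic executable" message carries no path.
list_shared_libs() {
    ldd "$1" 2>/dev/null | grep -o '/[^ ]*\.so[^ ]*' | sort -u
}

# install_into_jail JAIL BIN...: mirror each binary and its libraries into
# JAIL, skipping libraries already present. Prints the number of files copied
# so the result can be checked by a caller.
install_into_jail() {
    jail=$1; shift
    count=0
    for bin in "$@"; do
        copy_preserving_path "$jail" "$bin" || return 1
        count=$((count + 1))
        for lib in $(list_shared_libs "$bin"); do
            [ -e "$jail$lib" ] && continue   # already mirrored by an earlier binary
            copy_preserving_path "$jail" "$lib" || return 1
            count=$((count + 1))
        done
    done
    echo "$count"
}

# jail_has JAIL PATH: succeed if PATH exists inside JAIL; useful for checking
# that an interpreter or sendmail binary is really reachable after chroot.
jail_has() {
    [ -e "$1$2" ]
}

# Example run (jail root and binary list are placeholders for a real setup):
#   install_into_jail /var/www /usr/bin/perl /usr/sbin/sendmail
```

The script only mirrors files; it does not create the device nodes (for example `/dev/null`) or the syslog socket that interpreters commonly expect inside the jail, since those require root and a `mknod` or syslogd configuration step. Re-running it after each upgrade of the mirrored binaries is the maintenance cost the post refers to, so it is worth keeping the binary list in one place and running the script from there.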