Did anybody think about using apache + suexec with a chrooted version of suexec? [suexec chroot'ing every cgi into its own DocumentRoot for every virtual host]
I think if we get that kind of thing running, it will be GREAT STUFF!
Pablo.
MicCo wrote: Hi pcarboni,
Yes, and it's a very good thing, we are using it on another project that I'm also involved in, and it's a lift in security.
Ok, there are several patches on the internet. (apache 1.3.x and 2.0.x)
Are you using any of those patches? Maybe a customized patch?
Maybe we must write our own patch?
Pablo.
I'm sure Quix0r has his head in the right direction and something on his mind for that.
We're already working on fastcgi & suexec support.
Let's see what we can add here in terms of chroot.

Yep, chroot is not yet implemented.

chroot is needed, yes
I tried once to make it, but did not succeed
will try again
look at mod_chroot for apache
Hi,
any news about virtualhost chroot?
Regards
The developers here are on the ball. They are attacking all the right security risks and I believe chrooted suexec is an important step.

Yes it is - but solutions to that are not as easy as it seems (for cgi).
We're investigating sbox and a few other scripts lying around.
But all have a huge overhead - so we're looking for something smart and portable (we don't want to include more secondary binary code than necessary). In fact we don't even have anything platform-dependent included (except our daemon).
The problem is not to keep the chroot for the cgi small on start - it's more a problem of the users who want to execute perl or so - they then need to download big binary packages into their webspace ... (because they can't access anything outside)
If anyone has got a smart solution for this, you're more than welcome!