On 01/24/2008 04:55 PM, Nick Gearls wrote:
> Yes, chroot could potentially be escaped.
> Although, if you chroot the main process, then you spawn child processes
> under another userid, like in standard Apache config under Unix, I
> expect it to be really very difficult to escape if
> 1. you are not root
> 2. if the only files available are log files and htdocs files (even no
> HTML files in case of a reverse proxy)
> Obviously, we could imagine a vulnerability (like a buffer overrun) in
> the child Apache process that would send a signal to the main process to
> use a second vulnerability, but I really find that chrooting Apache
> provides a very good defense.
It is some kind of defense, but as stated chroot is not really a security tool (see also http://it.slashdot.org/article.pl?sid=07/09/27/2256235).

Nevertheless, back to your problem. I think there is no gain at all doing a chroot in the httpd main process which keeps running as root. So IMHO mod_security is doing the chroot too early by doing it in the post config hook. I admit that I do not see any other hook at the moment to do this.

But there is a patch in trunk that does chroot only for the child processes, just before the userid is switched. I haven't tested this so far, but this should work with graceful restarts. Plus: you do not need to keep your logs in the chroot jail, as the log files are opened by the main process.

Patch: http://svn.apache.org/viewvc?view=rev&revision=611483
PR: http://issues.apache.org/bugzilla/show_bug.cgi?id=43596

Regards
Rüdiger
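The ordering the thread is arguing about (open the log outside the jail, chroot, then drop privileges in the child, never leaving the process root inside the jail) as a small added C example. This is not code from the thread or from the httpd patch referenced above; it is a stand-alone illustration. The function names `open_log_outside_jail` and `enter_jail_and_drop`, the jail path and the uid/gid values in `main` are all assumptions chosen for the example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Open the log file BEFORE entering the jail. The descriptor survives
 * chroot(), so the jail itself does not need to contain any log directory
 * (the point made above: the main process opens the logs, the jailed child
 * only keeps writing to an already-open fd). */
int open_log_outside_jail(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
}

/* Enter `jail` and permanently switch to uid/gid, in the order a child
 * process would do it just before serving requests.
 * Returns 0 on success, -1 with errno set on failure. It refuses to "drop"
 * to uid/gid 0 and never reports success while root privileges can still
 * be regained. */
int enter_jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (jail == NULL || uid == 0 || gid == 0) {
        errno = EINVAL;                 /* staying root defeats the purpose */
        return -1;
    }
    if (chroot(jail) == -1)             /* requires root: done by the parent's uid */
        return -1;
    if (chdir("/") == -1)               /* otherwise cwd still points outside the jail */
        return -1;
    if (setgroups(0, NULL) == -1)       /* supplementary groups are not touched by setgid */
        return -1;
    if (setgid(gid) == -1)              /* gid before uid: afterwards we may not be allowed to */
        return -1;
    if (setuid(uid) == -1)
        return -1;

    /* Verify the drop is irreversible; a saved uid of 0 would let setuid(0) succeed. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Usage: ./jail <jail-dir> <uid> <gid> <logfile>  (must be started as root).
 * Values below are example inputs, not anything from the thread. */
int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s <jail-dir> <uid> <gid> <logfile>\n", argv[0]);
        return 2;
    }
    int logfd = open_log_outside_jail(argv[4]);
    if (logfd == -1) {
        perror("open log");
        return 1;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (enter_jail_and_drop(argv[1], uid, gid) == -1) {
        perror("enter_jail_and_drop");
        return 1;
    }
    /* Still able to log although the log file is not visible from inside the jail. */
    const char msg[] = "child: jailed and unprivileged\n";
    if (write(logfd, msg, sizeof msg - 1) == -1)
        perror("write log");
    printf("uid=%u gid=%u, cwd inside jail\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The function is written so that every failure path returns before the process could be left in a half-dropped state reporting success; in particular, the final `setuid(0)` probe catches the case where the real uid changed but the saved uid stayed 0, which is exactly the situation the thread worries about (a root-owned process sitting inside a jail). Run it as root only; as an unprivileged user `chroot()` fails with EPERM, which is the expected outcome.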
