I propose to add the following:
In the usage:
All config files, logs, etc. are used by the main process and should
thus not be stored in the chroot. Only files used by children listeners
must be present in the chroot.
<note><title>Content of the chroot</title>
<p>The following files must be present in the chroot:</p>
<ul><li>/lib/libgcc_s.so.1 (Linux)</li>
<li>if bind (DNS) is used: /etc/resolv.conf &amp; /lib/libnss_dns.so.2 (Linux)</li>
<li>if a hosts file is used: /etc/hosts</li>
<li>if both a hosts file and bind (DNS) are used: /etc/hosts.conf</li>
<li>HTML files (htdocs/ files)</li>
<li>Temporary files used by modules (ex: ModSecurity temp files)</li>
<li>When using additional modules, other files may be needed</li>
</ul>
<p><b>Remark:</b> shared objects can also be loaded explicitly
in httpd.conf, instead of copying them into the chroot.
When using Apache as a reverse proxy, the chroot could thus
potentially be totally empty.</p>
</note>
Regards,
Nick
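Added example, not part of Nick's proposed patch or of the httpd project: a POSIX sh check that a ChrootDir tree contains the files the note above lists, given which resolver features the child processes use. The chroot path and the feature names `dns` and `hosts` are assumptions; it looks for glibc's /etc/host.conf where the note writes /etc/hosts.conf.

```shell
#!/bin/sh
# Hypothetical helper: verify the content of an httpd chroot before
# enabling ChrootDir. Usage: check_chroot <chroot_dir> [dns] [hosts]
# Prints each missing file; returns 0 when complete, 1 when something
# is missing, 2 on an unknown feature name.
check_chroot() {
    root=$1; shift
    need_dns=0; need_hosts=0
    for feature in "$@"; do
        case $feature in
            dns)   need_dns=1 ;;
            hosts) need_hosts=1 ;;
            *) echo "unknown feature: $feature" >&2; return 2 ;;
        esac
    done

    # Always required on Linux for the children listeners.
    required="/lib/libgcc_s.so.1"
    # Resolver pieces, only when names are resolved through DNS.
    if [ "$need_dns" -eq 1 ]; then
        required="$required /etc/resolv.conf /lib/libnss_dns.so.2"
    fi
    # /etc/hosts when a hosts file is used.
    if [ "$need_hosts" -eq 1 ]; then
        required="$required /etc/hosts"
    fi
    # Resolver ordering file when both sources are used (glibc reads
    # /etc/host.conf; the note above spells it /etc/hosts.conf).
    if [ "$need_dns" -eq 1 ] && [ "$need_hosts" -eq 1 ]; then
        required="$required /etc/host.conf"
    fi

    missing=0
    for f in $required; do
        if [ ! -e "$root$f" ]; then
            echo "missing: $root$f"
            missing=1
        fi
    done
    return $missing
}
```

htdocs/ and module temp files are site specific, so they are not on the list; add them to `required` for your own layout.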
Dirk-Willem van Gulik wrote:
On May 6, 2008, at 5:03 PM, Plüm, Rüdiger, VF-Group wrote:
-----Original Message-----
From: Dirk-Willem van Gulik
Sent: Tuesday, 6 May 2008 17:00
To: [email protected]
Subject: Re: High security
On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
If there's a chance to add it, I'm ready to write the doc patch
I did below a while ago. May be useful as a start.
There is already a documentation in trunk for this:
http://svn.apache.org/viewvc?view=rev&revision=639005
Aye - I edited on top of that version.
Dw.