Hi all,
sorry to enter so late in the discussion...
I'm OK with you, Torsten (+1). I think it is the good place to do it; I think
adding a hook like pre_childinit that occurs before unixd_setup_child
removes the root rights (in child_init you lose the root rights just
before) can be a more generic way.
If there's a chance to add it, I'm ready to write the doc patch
Nick
Dirk-Willem van Gulik wrote:
On May 6, 2008, at 3:27 PM, Nick Gearls wrote:
Just a little addition: by adding LoadFile libgcc_s.so.1 in
httpd.conf, I don't have any more files in the chroot (except htdocs
if not in pure
On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
If there's a chance to add it, I'm ready to write the doc patch
Let's get that in there - and then let's (or I'll) backport it - so it
goes into the next release.
Dirk-Willem van Gulik wrote:
On May 6, 2008, at 3:27 PM, Nick Gearls wrote:
-Original Message-
From: Dirk-Willem van Gulik
Sent: Tuesday, May 6, 2008 16:20
To: dev@httpd.apache.org
Subject: Re: High security
On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
If there's a chance to add it, I'm ready to write the doc patch
Let's get
-Original Message-
From: Dirk-Willem van Gulik
Sent: Tuesday, May 6, 2008 17:00
To: dev@httpd.apache.org
Subject: Re: High security
On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
If there's a chance to add it, I'm ready to write the doc patch
I did below
On May 6, 2008, at 5:03 PM, Plüm, Rüdiger, VF-Group wrote:
-Original Message-
From: Dirk-Willem van Gulik
Sent: Tuesday, May 6, 2008 17:00
To: dev@httpd.apache.org
Subject: Re: High security
On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
If there's a chance to add
Can you tell me where to find the XML doc file?
It's not obvious from the site :-(
Thanks,
Nick
Dirk-Willem van Gulik wrote:
On May 6, 2008, at 4:12 PM, Nick Gearls wrote:
If there's a chance to add it, I'm ready to write the doc patch
Let's get that in there - and then let's (or I'll)
On May 6, 2008, at 8:10 AM, Nick Gearls wrote:
Can you tell me where to find the XML doc file?
It's not obvious from the site :-(
Check out the httpd trunk:
svn co http://svn.apache.org/repos/asf/httpd/httpd/trunk httpd
and the XML file we're talking about will be
I've been running the patch for one week on a production server, and it works
perfectly (http://svn.apache.org/viewvc?view=rev&revision=611483).
When using Apache as a reverse proxy, the chroot environment is totally
empty (except libgcc_s.so.1).
Could we include this in the next build?
As it is very
On Jan 25, 2008 1:30 PM, Nick Kew [EMAIL PROTECTED] wrote:
...
A
compromise might be to create a chroot hook and allow module
developers to use it. This would shift the support burden somewhat
from the core Apache team to those willing to engage the users
providing support.
Isn't
I don't think this should be a discussion of whether chroot is worth
using as a security measure. IMHO it should be about allowing Apache
users to make a choice whether they will use chroot in this way or
not. I am usually an advocate for user choice. For example, I am well
aware of the various
On Fri 25 Jan 2008, Nick Kew wrote:
A
compromise might be to create a chroot hook and allow module
developers to use it. This would shift the support burden somewhat
from the core Apache team to those willing to engage the users
providing support.
Isn't that basically the status quo
On Fri, 25 Jan 2008 11:31:32 +
Ivan Ristic [EMAIL PROTECTED] wrote:
I don't think this should be a discussion of whether chroot is worth
using as a security measure. IMHO it should be about allowing Apache
users to make a choice whether they will use chroot in this way or
not.
+1.
For
Hello,
As some may know, ModSecurity adds a very easy and effective way to put
Apache in jail, by chrooting the process after its initialisation, thus
putting all listening processes in jail.
You specify one directive, and the only thing you have to put in the
jail is your htdocs and logs
On Thu, Jan 24, 2008 at 01:10:23PM +0100, Nick Gearls wrote:
You specify one directive, and the only thing you have to put in the
jail is your htdocs and logs directories; all other files (conf,
modules, httpd, libraries, etc.) are outside of the jail. This is really
top security - it's
-Original Message-
From: Colm MacCarthaigh [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 13:16
To: dev@httpd.apache.org
Subject: Re: High security
On Thu, Jan 24, 2008 at 01:10:23PM +0100, Nick Gearls wrote:
You specify one directive, and the only thing you have
Message-
From: Colm MacCarthaigh [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 13:16
To: dev@httpd.apache.org
Subject: Re: High security
On Thu, Jan 24, 2008 at 01:10:23PM +0100, Nick Gearls wrote:
You specify one directive, and the only thing you have to
put in the
jail is your
On 01/24/2008 04:55 PM, Nick Gearls wrote:
Yes, chroot could potentially be escaped.
Although, if you chroot the main process, then you spawn child processes
under another userid, like in standard Apache config under Unix, I
expect it to be really very difficult to escape if
1. you are