[1946] in WWW Security List Archive
RE: chroot-ed httpd
daemon@ATHENA.MIT.EDU (Philippe Gresse)
Wed May 1 09:03:32 1996
From: Philippe Gresse <pgresse@ifhamy.insa-lyon.fr>
To: "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>,
"'Jerry Busser'" <jerryb@howpubs.com>
Date: Wed, 1 May 1996 12:45:45 +0200
Errors-To: owner-www-security@ns2.rutgers.edu
The NCSA server had a bug that allowed people to execute commands remotely.
Since the 1.5a release, this bug has been fixed.
But perhaps there are some others... Then a "chroot" is a good precaution...
Philippe
----------
From: Jerry Busser
Sent: Monday, 29 April 1996 19:48
To: www-security@ns2.rutgers.edu
Subject: chroot-ed httpd
All --
I'm running NCSA's HTTP daemon, and one of the security measures that
they mention but neither support nor especially endorse is running httpd
in a chroot-ed environment. My question to everyone is: Is it worth it?
To date we do not run our httpd chroot-ed, but I am going to overhaul
our Web server in the near future and I'm wondering whether I should
consider restructuring the filesystem to make it more hospitable for the
chroot-ed daemon.
What are everyone's thoughts about this?
Jerry