[1952] in WWW Security List Archive
Re: chroot-ed httpd
daemon@ATHENA.MIT.EDU (Beth Frank)
Wed May 1 20:01:46 1996
From: efrank@ncsa.uiuc.edu (Beth Frank)
To: jerryb@howpubs.com (Jerry Busser)
Date: Wed, 1 May 1996 16:15:40 -0500 (CDT)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <199604291748.MAA04845@muns149.munster> from "Jerry Busser" at Apr 29, 96 12:48:48 pm
Errors-To: owner-www-security@ns2.rutgers.edu
>
> All --
>
> I'm running NCSA's HTTP daemon, and one of the security measures
that they mention but neither support nor especially endorse is
running httpd in a chroot-ed environment. My question to everyone
is: Is it worth it? To date we do not run our httpd chroot-ed, but
I am going to overhaul our Web server in the near future and I'm
wondering whether I should consider restructuring the filesystem
to make it more hospitable for the chroot-ed daemon.
>
> What are everyone's thoughts about this?
>
> Jerry
>
We don't endorse chroot-ing a server because we don't feel the
security gain is worth the hassle of setting it up. You can
chroot a server using the chroot command when the server is started.
I also have an archive copy of a patch applied to an older vesion
of the server chroot the server once started. It is of dubious value
since the server has changed greatly since then, but I'll forward
it to anyone who requests it. I will also forward to the list an
old posting from someone at CERN on how to chroot a web server.
The main problem is getting all the tools, utilities and libraries
moved so they are under the new chroot. At one point, I assigned
an experienced student to set up a chroot server, when after 3 days
he still didn't have the server working properly, we decided it
wasn't worth the work involved.
Our security expert says:
> Whether it is worth the effort or not depends on the system you're using
> for a web server. If it is a "public" machine with tons of users and
> it runs lotsa CGI scripts, it might be a good safeguard. I'd plan on
> spending a day or two getting everything it needs into its new home
> (this is particularly tricky if it runs CGI scripts -- it's hard to
> tell in advance what all the needed dynamic libraries will be). However,
> if your machine is more of a dedicated server, with few other users,
> it's probably not worth the effort.
--
Elizabeth(Beth) Frank
NCSA Server Development Team
efrank@ncsa.uiuc.edu
