[1963] in WWW Security List Archive

home help back first fref pref prev next nref lref last post

Re: chroot-ed httpd

daemon@ATHENA.MIT.EDU (Rolf Weber)
Thu May 2 17:16:43 1996

From: Rolf Weber <weber@iez.com>
To: efrank@ncsa.uiuc.edu (Beth Frank)
Date: Thu, 2 May 1996 21:01:52 +0200 (MESZ)
Cc: www-security@ns2.rutgers.edu (www-security)
In-Reply-To: <9605012115.AA07579@void.ncsa.uiuc.edu> from "Beth Frank" at May 1, 96 04:15:40 pm
Errors-To: owner-www-security@ns2.rutgers.edu

> 
> We don't endorse chroot-ing a server because we don't feel the
> security gain is worth the hassle of setting it up.
> 
chroot() is one of the greatest security benefits of UNIX.
it's *really* worth doing!
and it's really *not* very hard to do!

> 
> The main problem is getting all the tools, utilities and libraries
> moved so they are under the new chroot.  At one point, I assigned
> an experienced student to set up a chroot server, when after 3 days
> he still didn't have the server working properly, we decided it
> wasn't worth the work involved.
> 
a student wrote our html pages (with CGI scripts, of course) while
the server didn't run chroot'd.
i made the server run chroot'd and he didn't even notice it :-)

> 
> Our security expert says:
> 
> > Whether it is worth the effort or not depends on the system you're using
> > for a web server.  If it is a "public" machine with tons of users and
> > it runs lotsa CGI scripts, it might be a good safeguard.  I'd plan on
> > spending a day or two getting everything it needs into its new home
> > (this is particularly tricky if it runs CGI scripts -- it's hard to
> > tell in advance what all the needed dynamic libraries will be).  However,
> > if your machine is more of a dedicated server, with few other users,
> > it's probably not worth the effort.
> 
no, i disagree.
the dedicated server, reachable from the whole world, needs this security
measure.
but this may depend on what you fear more: malicious internal users or
attacks from outside.

rolf

ps: even when i disagree with you on these security topics, i really appreciate
    your work. thanx!
-- 
-----------------------------------------
Rolf Weber <weber@iez.com> | All I ask is a chance
IEZ AG   D-64625 Bensheim  | to prove that money
++49-6251-1309-113         | can't make me happy.
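The step both sides of this exchange describe, moving the server binary and every dynamic library it needs under the new root, is exactly the part that is "hard to tell in advance". The following is an added example, not code from Rolf Weber, Beth Frank or the NCSA httpd project: a small POSIX shell helper that reads the dependency list `ldd` reports for a binary, copies each library into the chroot directory at the same path, and afterwards lists anything still missing. The chroot path `/srv/www-root` and the binary path `/usr/local/bin/httpd` in the usage comments are assumed, not taken from the message; CGI interpreters (perl, sh, etc.) are handled by running the same function on each of them.

```shell
#!/bin/sh
# Added example (not from the original message): populate a chroot
# with a binary and the shared libraries ldd says it needs, then
# verify nothing is missing.

# Read ldd output on stdin and print one absolute library path per line.
# ldd lines come in three shapes; only the first two name a real file:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)
#   linux-vdso.so.1 (0x...)            <- virtual, no file on disk
# A "libfoo.so => not found" line is skipped too ($3 is "not").
libs_from_ldd() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//                { print $1 }
    '
}

# Copy one file into $root, recreating its directory so the path
# inside the chroot matches the path outside (what the loader expects).
install_into_root() {
    root=$1; file=$2
    mkdir -p "$root$(dirname "$file")"
    cp -p "$file" "$root$file"
}

# Copy a binary plus every library ldd reports into the chroot.
# Usage (paths assumed): populate_chroot /srv/www-root /usr/local/bin/httpd
# Run it again for each CGI interpreter the scripts rely on.
populate_chroot() {
    root=$1; bin=$2
    install_into_root "$root" "$bin"
    ldd "$bin" | libs_from_ldd | while read -r lib; do
        install_into_root "$root" "$lib"
    done
}

# Report libraries ldd says $bin needs that are not present under $root.
# Empty output means the binary's dynamic dependencies are satisfied
# inside the chroot (data files and devices still need checking by hand).
missing_in_root() {
    root=$1; bin=$2
    ldd "$bin" | libs_from_ldd | while read -r lib; do
        [ -e "$root$lib" ] || echo "$lib"
    done
}
```

`populate_chroot` only covers what the dynamic loader asks for; files a program opens at run time (configuration, `/etc/passwd`, `/dev/null`, resolver files) are not visible to `ldd`, which is why `missing_in_root` is a necessary but not sufficient check before starting the chroot'd server.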
