Hitchhiker's Guide to Openbsd
obsd-faq49
10.16 - Tell me about this chroot(2) Apache?
In OpenBSD, the Apache httpd(8) server has been chroot(2)ed by default. While this is a tremendous boost to security, it can create issues if you are not prepared.

What is a chroot? A chroot(2)ed application is locked into a particular directory and unable to wander around the rest of the directory tree, and sees that directory as its "/" (root) directory. In the case of httpd(8), the program starts, opens its log files, binds to its TCP ports (though it doesn't accept data yet), and reads its configuration. Next, it locks itself into /var/www and drops privileges, then starts to accept requests. This means all files served and used by Apache must be in the /var/www directory. In the default configuration of OpenBSD, all the files in the /var/www directory are read-only by the user Apache runs as, www. This helps security tremendously -- should there be a security issue with Apache, the damage will be confined to a single directory with only "read only" permissions and no resources to cause mischief with.

http://www.openbsd.org/faq/faq10.html (21 of 32) 9/4/2011 10:02:15 AM 10 - System Management

What does this mean to the administrator?

Put bluntly, chroot(2)ing Apache is something not done by default in most other operating systems. Many applications and system configurations will not work in a chroot(2) without some customization. Further, it must be remembered that security and convenience are often not compatible goals. OpenBSD's implementation of Apache does not compromise security for features or "ease".

● Historic file system layouts: Servers upgraded from older versions of OpenBSD may have web files located in users' home directories, which clearly won't work in a chroot(2)ed environment, as httpd(8) can't reach the /home directory. Administrators may also discover their existing /var/www partition is too small to hold all web files. Your options are to restructure or not use the chroot(2) feature.

You can, of course, use symbolic links in the users' home directories pointing to subdirectories in /var/www, but you can NOT use links in /var/www pointing to other parts of the file system -- that is prevented from working by the chroot(2)ing, because the chrooted httpd(8) resolves every absolute link target underneath /var/www, not the real root. Note that if you want your users to have chroot(2)ed FTP access, this will not work either, as the FTP chroot will (again) prevent you from accessing the targets of the symbolic links. A solution to this is to not use /home as the home directory for these users, but rather something similar to /var/www/users. Symbolic links can be used completely within the chroot(2), but they have to be relative, not absolute.
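The symbolic-link rule above (absolute links out of /var/www cannot work once httpd(8) is chrooted, relative links that stay inside it can), as an added example that is not part of the OpenBSD FAQ or the OpenBSD project's code. It builds a throwaway tree standing in for /var/www and /home inside a temporary directory, resolves link targets the way the kernel does for a chrooted process (an absolute target is looked up under the chroot directory, since that directory is "/" to the process), and lists the absolute symlinks an administrator would have to fix before or after enabling the chroot. The user names and paths (/var/www/users/alice, /home/bob/public_html) are assumed for illustration; the script never calls chroot(2) itself, so it needs no root privileges.

```python
"""Why absolute symlinks break inside Apache's /var/www chroot(2) and relative ones do not.

Added example for the FAQ text, not code from the OpenBSD project. A chrooted
process sees the chroot directory as "/", so the kernel resolves an absolute
symlink target underneath the chroot, never in the real root. This script
models that lookup on a throwaway tree (no root privileges, no real chroot(2)).
"""
import os
import tempfile


def resolve_in_chroot(chroot, link_path):
    """Return the real-filesystem path a chrooted process reaches through a symlink.

    chroot    -- real path of the directory the process is locked into
    link_path -- the symlink's path as the chrooted process sees it (e.g. /htdocs/x)
    An absolute link target is re-rooted at `chroot`; a relative target is taken
    from the link's own directory. Both behaviours are what chroot(2) gives you.
    """
    real_link = os.path.join(chroot, link_path.lstrip("/"))
    target = os.readlink(real_link)
    if target.startswith("/"):
        return os.path.normpath(os.path.join(chroot, target.lstrip("/")))
    return os.path.normpath(os.path.join(os.path.dirname(real_link), target))


def absolute_symlinks_under(root):
    """List every symlink below `root` whose target is absolute.

    Each one is a candidate for breakage once the server is chrooted to `root`.
    os.walk does not follow symlinked directories, so the scan stays inside root.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and os.readlink(path).startswith("/"):
                found.append(path)
    return sorted(found)


def build_demo_tree(base):
    """Constructed sample layout (assumed names): a fake /home and a fake /var/www chroot."""
    chroot = os.path.join(base, "var", "www")
    os.makedirs(os.path.join(chroot, "htdocs", "users"))
    os.makedirs(os.path.join(chroot, "users", "alice"))
    with open(os.path.join(chroot, "users", "alice", "index.html"), "w") as fh:
        fh.write("<h1>alice, served from inside the chroot</h1>\n")
    os.makedirs(os.path.join(base, "home", "bob", "public_html"))
    with open(os.path.join(base, "home", "bob", "public_html", "index.html"), "w") as fh:
        fh.write("<h1>bob, outside the chroot</h1>\n")
    # Wrong: absolute link out of the chroot, written the way an admin would on a
    # pre-chroot layout. Inside the chroot "/home/..." means /var/www/home/...
    os.symlink("/home/bob/public_html", os.path.join(chroot, "htdocs", "users", "bob"))
    # Right: relative link that stays within /var/www.
    os.symlink("../../users/alice", os.path.join(chroot, "htdocs", "users", "alice"))
    return chroot


def demo():
    """Build the tree, resolve both links as httpd would, and report what works."""
    with tempfile.TemporaryDirectory() as base:
        chroot = build_demo_tree(base)
        bad = resolve_in_chroot(chroot, "/htdocs/users/bob")
        good = resolve_in_chroot(chroot, "/htdocs/users/alice")

        def strip(path):
            # Show paths without the temporary-directory prefix.
            return "/" + os.path.relpath(path, base)

        return {
            "absolute_link_resolves_to": strip(bad),
            "absolute_link_works": os.path.isfile(os.path.join(bad, "index.html")),
            "relative_link_resolves_to": strip(good),
            "relative_link_works": os.path.isfile(os.path.join(good, "index.html")),
            "absolute_links_to_fix": [strip(p) for p in absolute_symlinks_under(chroot)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real server the same audit is a one-liner: `find /var/www -type l -exec sh -c 'readlink "$1" | grep -q "^/"' _ {} \; -print` lists every symlink under /var/www with an absolute target. Each of those must be rewritten as a relative link to a location inside /var/www, or the file moved there; a link whose relative target climbs above /var/www (more `..` components than there are directories) is just as broken, since the chrooted process cannot see anything above its root.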