[ToXiC] n00b

Joined: 29 Jul 2003 Posts: 46 Location: Fresno, CA
Posted: Fri Sep 26, 2003 6:19 am Post subject: Chrooting Apache, MySQL and BIND
I plan on chrooting the most current versions of Apache, MySQL and BIND. I want to be able to use all and encounter no issues with communication between any of them. What is the best way to do this? I have read all tldp.org information on this and would like some public input or experience.
-[ToXiC]
delta407 Bodhisattva


Joined: 23 Apr 2002 Posts: 2876 Location: Chicago, IL
Posted: Fri Sep 26, 2003 5:43 pm Post subject: Re: Chrooting Apache, MySQL and BIND
[ToXiC] wrote:
    I plan on chrooting the most current versions of Apache, MySQL and BIND.
What's the reason for this? Just curious...

[ToXiC] wrote:
    I want to be able to use all and encounter no issues with communication between any of them.
Well, since the above applications only communicate over TCP/IP (with the exception of MySQL, using named pipes by default, but which can be used over TCP), you shouldn't have any problems. But remember that both Apache and BIND need privileged ports (80, 53), so they have to be started as root either way.

[ToXiC] wrote:
    What is the best way to do this?
I would use djbdns and not worry about chrooting.

Anyway, as a heads-up: if you're looking at moving these services into chroot jails, you probably won't be able to use Portage to manage them.

[ToXiC] wrote:
    I have read all tldp.org information on this and would like some public input or experience.
Personally, I would look at the requirements again. See, chroot jails are good in theory -- keeping services isolated so that compromising one does not mean compromising the others -- but it deteriorates in practice. First, a lot of programs aren't run as root (mysqld), and the ones that are drop root privs immediately after acquiring their sockets (Apache, BIND). Thus, if any of those services are compromised, standard UNIX permissions mean they haven't taken over your machine. They will only be able to act on behalf of their respective users, which usually can't do anything... unless there's a kernel-level exploit that allows privilege elevation, in which case a chroot jail usually doesn't help you very much anyway.

So, let's assume someone gains access to Apache. They can read all files that can be read as Apache, which includes (for instance) configuration files for your web-based data-driven application. (After all, the application runs within Apache, so it must be able to read its own config.) Bam! The attacker just stole your database password, and can obtain and/or destroy important, confidential information -- accessing MySQL, even though it was Apache that was compromised. Will a chroot jail help this situation? No.

IMO, the benefits of chroot jails are minimal. They do exist, but in most cases are trivial enough not to matter. Further, the cost associated with chrooting all of your services is high: extra maintenance, figuring out what libraries to copy over, and extreme testing of your nonstandard configuration all cost time, and time is expensive.

So, think about it.
_________________
I don't believe in witty sigs.
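The start-up order delta407 describes above (acquire the privileged socket while still root, then drop root), combined with the chroot step the original poster asked about, written out as an added example. This is not code from the thread and not Apache's or BIND's own start-up code; the jail path /var/chroot/httpd, port 80 and the service uid/gid 81 are assumed values for the demo. The point it makes is the one in the post: the chroot only matters if the privilege drop that follows it is done in the right order and actually sticks.

```c
/*
 * Added example (not from the thread): the start-up sequence a daemon such
 * as Apache or BIND must follow to hold a privileged port inside a chroot.
 * The order matters:
 *   1. bind the privileged socket while still root,
 *   2. chroot() and then chdir("/") so the cwd is not left outside the jail,
 *   3. setgroups(), setgid(), setuid() -- in that order, each one checked,
 *   4. confirm the drop is irreversible (setuid(0) must now fail).
 * Without step 3 the jail buys little: a root process inside a chroot can
 * still create device nodes or call chroot() again and walk out.
 * The jail path, port and uid/gid used in main() are assumptions for the demo.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1: open and bind a listening TCP socket on loopback. Port 0 means
 * "any free port" and needs no privilege, so the same function can be
 * exercised by an unprivileged test. Returns the fd or -1. */
int listen_on_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: enter the jail. chroot() does not change the working directory,
 * so a process that skips chdir("/") keeps a foothold outside the jail. */
int enter_jail(const char *root)
{
    if (chroot(root) < 0)
        return -1;
    if (chdir("/") < 0)
        return -1;
    return 0;
}

/* Step 3: give up root. Supplementary groups first (only root may clear
 * them), then the gid (impossible once the uid is no longer 0), then the
 * uid. setgroups() is skipped when not root, where it would fail with EPERM. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    return 0;
}

/* Step 4: the drop is only real if it cannot be undone. Returns 1 when
 * regaining root is refused with EPERM, 0 if we are (still) root. */
int privileges_are_dropped(void)
{
    if (setuid(0) == 0)
        return 0;           /* got root back: a saved uid of 0 was left behind */
    return errno == EPERM;
}

int main(void)
{
    const char *jail = "/var/chroot/httpd";   /* assumed jail path */
    uid_t uid = 81;                           /* assumed service uid/gid */
    gid_t gid = 81;

    int fd = listen_on_port(80);              /* needs root: privileged port */
    if (fd < 0) { perror("listen_on_port(80)"); return 1; }
    if (enter_jail(jail) < 0) { perror("enter_jail"); return 1; }
    if (drop_privileges(uid, gid) < 0) { perror("drop_privileges"); return 1; }
    if (!privileges_are_dropped()) {
        fprintf(stderr, "still root after drop, refusing to serve\n");
        return 1;
    }
    printf("listening on fd %d as uid %u inside %s\n", fd, (unsigned)getuid(), jail);
    close(fd);
    return 0;
}
```

Run as root it binds port 80, jails itself and ends up as uid 81 with no way back; run unprivileged, the bind on port 80 fails first, which is exactly why these daemons are started as root. The check in step 4 is what catches the classic mistake of calling seteuid() instead of setuid() and leaving a saved uid of 0 behind.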
puke Tux's lil' helper


Joined: 05 Oct 2002 Posts: 128
Posted: Thu Nov 06, 2003 9:07 pm
I agree, delta407! However, if you still wish to continue down the path of chrooting the Apache web server, there is a wealth of info on the interweb. You could start here.
loseruser Tux's lil' helper

Joined: 27 May 2003 Posts: 110 Location: Seattle,WA
Posted: Thu Jul 01, 2004 1:47 pm Post subject: Re: Chrooting Apache, MySQL and BIND
[ToXiC] wrote:
    I plan on chrooting the most current versions of Apache, MySQL and BIND. I want to be able to use all and encounter no issues with communication between any of them. What is the best way to do this? I have read all tldp.org information on this and would like some public input or experience.
    -[ToXiC]
I was curious what you ended up doing with the Apache & MySQL stuff. I already run my dhcp & dns servers in chroot jails (it was as easy as USE="chroot" emerge bind dhcp). I've thought about putting them in jails before, I just didn't know if it came out of portage that way and I don't want to have to do it m'self if I don't have to.
febs n00b


Joined: 18 Jan 2004 Posts: 43
Posted: Fri Sep 03, 2004 7:11 pm
When I do a
    emerge -pv bind
the "chroot" USE flag does not show up in the list.
Is it no longer there for some reason, or does it just not show up for some other reason?
TY