3

I have been advised by a sysadmin guy I know, to run Apache in a chroot jail, for increased security.

I have the following questions:

  1. Is this advisable (i.e. are there any 'gotcha's that I need to be aware of) ?
  2. Does running Apache in a chroot jail affect its ability issues like performance and scalability?

He also advised that I run my databases (mySQL and PostgreSQL), in separate chroot jails.

Is this something that is often done in production systems

[Edit]

Forgot to say, Server is running on Ubuntu 8.04 LTS

user35402
  • 1,171
  • 3
  • 10
  • 18
  • You mention jails: are you on one of the *BSD's? If not, and you're on Linux, SELinux in enforcing mode will probably take care of all your security problems quite well. – wzzrd Jun 03 '10 at 10:41

2 Answers2

5

Chrooting is a good security measure, it limits the possibilities to compromise the system in case of a successfull exploit but there are also ways in some case to evade from a chroot, so it is not a definitive way to protect the system.

I'm not aware of any disavantage regarding performance and scalability. Concerning database access, it is generaly done with a link to the socket inside the chroot this way you don't have to open any networking port for database connectivity.

EDIT: below is a sample for mysql access taken from an OpenBSD rc.local (OpenBSD chrooted httpd)

if [ X"${mysql_server_flags-NO}" != X"NO" -a -x /usr/local/bin/mysqld_safe ]; then
        rm -R /var/www/var/run/mysql
        mkdir -p /var/www/var/run/mysql
        chown _mysql:_mysql   /var/www/var/run/mysql
        echo -n 'MySQL server: '; /usr/local/bin/mysqld_safe --user=_mysql ${mysql_server_flags} &
        sleep 10
        ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
fi

Hope this helps.

Maxwell
  • 5,076
  • 1
  • 26
  • 31
  • +1 for good, straight answer. could you please elaborate some more (i.e. explain) what you mean by 'link to the socket inside the chroot'. can you provide an example? – user35402 Jun 03 '10 at 08:39
  • Edited my answer. – Maxwell Jun 03 '10 at 08:58
  • I heartily second the notion of running all DMZ apps in chroot jails. However, the DB backend is typically not in the DMZ, but on an internal network. – mpez0 Jun 03 '10 at 11:09
-2

I have two programs, one of them is apache httpd, communicating each other via unix domain socket. I have switched them to run under chroot, and then %10 performance loss. It depends on the running applications I think. I did not hear any performance loss for Apache under chroot before, so It looks like my second app is lost performance under chroot.

WhoCares
  • 31
  • 3