github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-15 23:55:03 +03:00
Code Issues Packages Projects Releases Wiki Activity

Update ModSecurity chroot documentation.

Browse Source
This commit is contained in:
ivanr 2007-10-01 22:38:19 +00:00
parent da1399f0b8
commit a6cf7957be
1 changed files with 32 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
doc/modsecurity2-apache-reference.xml
View File

@ -855,17 +855,38 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Dependencies/Notes:</emphasis> The internal <para><emphasis role="bold">Dependencies/Notes:</emphasis> The internal
chroot functionality provided by ModSecurity works great for simple chroot functionality provided by ModSecurity works great for simple
setups. One example of a simple setup is Apache serving static files setups. One example of a simple setup is Apache serving static files
only, or running scripts using modules. For more complex setups you only, or running scripts using modules. Some problems you might
should consider building a jail the old-fashioned way. The internal encounter with more complex setups:</para>
chroot feature should be treated as somewhat experimental. Due to the
large number of default and third-party modules available for the Apache <orderedlist>
web server, it is not possible to verify the internal chroot works <listitem>
reliably with all of them. You are advised to think about your option <para>DNS lookups do not work (this is because this feature requires
and make your own decision. In particular, if you are using any of the a shared library that is loaded on demand, after chroot takes
modules that fork in the module initialisation phase (e.g. mod_fastcgi, place).</para>
mod_fcgid, mod_cgid), you are advised to examine each Apache process and </listitem>
observe its current working directory, process root, and the list of
open files.</para> <listitem>
<para>You cannot send email from PHP because it uses sendmail and
sendmail is outside the jail.</para>
</listitem>
<listitem>
<para>In some cases Apache graceful no longer works.</para>
</listitem>
</orderedlist>
<para>You should be aware that the internal chroot feature might not be
100% reliable. Due to the large number of default and third-party
modules available for the Apache web server, it is not possible to
verify the internal chroot works reliably with all of them. A module,
working from within Apache, can do things that make it easy to break out
of the jail. In particular, if you are using any of the modules that
fork in the module initialisation phase (e.g.
<literal>mod_fastcgi</literal>, <literal>mod_fcgid</literal>,
<literal>mod_cgid</literal>), you are advised to examine each Apache
process and observe its current working directory, process root, and the
list of open files. Consider what your options are and make your own
decision.</para>
</section> </section>
<section> <section>