11

I have read extremely mixed opinions on the process of chrooting for a web server (non-shared environment). Some people swear by it, yet others say that it isn't as secure as everyone says.

Given that chrooting can be difficult and time consuming to implement and maintain, on a non-shared server do you Chroot? Why/Why not?

If you do, do you use a module such as mod_security?

If you don't, do you do anything else to the server that accomplishes the same goal?

Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
freb
  • 1,401
  • 8
  • 14

1 Answers1

8

I disagree with the idea that chroot is difficult - it just isn't appropriate for everything. For a small environment, with a server hosting more than one web environment, chroot is exceedingly powerful and provides controls around separation, and escalation prevention. Managing it is not a huge resource problem.

If you have an enterprise scale environment you may be less likely to use chroot (as it does become unwieldy in a large environment), but you are likely to have alternative controls which may include in depth monitoring, IDS/IPS , layered firewalls and SIEM.

I would class mod_security as an essential (for the webservers that have it or equivalent functionality) - it is an extra layer of defence which is simple to implement, and for most use cases it doesn't cause significant impact.

chroot and mod_security - as well as firewalls etc are all just layers of security which may help to prevent an attack or at least slow it, thus raising the likelihood you will spot it before it causes too much damage (assuming you are also monitoring...another control)

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • The difficulty I am referring to is needing to place apache and all of the additional dependencies into the jail. Doesn't this break the ability to use a package manager to update that portion of your installation? – freb Jan 22 '11 at 01:06
  • 2
    @freb, it does, once you make a custom chroot jail, you absolutely have to maintain it yourself, unless the chrooted setup is the default. – Marcin Jan 22 '11 at 15:00
  • 1
    Another question i've always had is, if I have a website on a private server and the only thing i care about is the security of the website itself with the associated database informaiton, what security does chroot offer? If someone gains access to apache in the chroot, won't they have access to everything i care about anyway? – freb Jan 22 '11 at 19:38
  • 4
    @freb - the question to ask yourself is what else is on that server? Is there an /etc/passwd file? Is there other data? Is there a trust relationship with another machine on the network? Privilege escalation is a good way of getting access to other valuables. – Rory Alsop Jan 23 '11 at 01:09
  • Thank you all for helping me get to the bottom of this. Very informative. – freb Jan 23 '11 at 06:09