[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: httpd changes

To: misc_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org
Subject: Re: httpd changes
From: Chuck Yerkes <chuck+obsd_(_at_)_snew_(_dot_)_com>
Date: Sat, 13 Jul 2002 22:42:47 -0700

Quoting Theo de Raadt (deraadt_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org):
> httpd by default now chroot's into /var/www.

Good! Hurray!

> This causes all sorts of fancy features to break.  Fancy features which
> we believe to be quite unsafe.

Agreed.  Been running web services chroot since Cern's server
came out.  Never got out of the habit cause it avoided a lot
of exploits.  The biggest pain is whether or not I need perl
"visible" for cgi.  Too often, yes.  But I often would
just compile it into /usr/local/perl and have the non chrooted
one use a sym link to the chroot area.

I go further than I'd expect most to do and chroot it to /www 
which is readonly with an htdoc's mounted under it noexec,nodev.

Changes to cgi-bin/ take some effort.  That's good.

References:
- httpd changes
  - From: Theo de Raadt

Prev by Date: gdb core dumps under 3.1
Next by Date: cont. musings on critical upgrade notification
Previous by thread: httpd changes
Next by thread: Re: httpd changes
Index(es):
- Date
- Thread

Visit your host, monkey.org