
Re: httpd changes

Quoting Theo de Raadt (deraadt_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org):
> httpd by default now chroot's into /var/www.

Good! Hurray!

> This causes all sorts of fancy features to break.  Fancy features which
> we believe to be quite unsafe.

Agreed.  Been running web services chroot since CERN's server
came out.  Never got out of the habit because it avoided a lot
of exploits.  The biggest pain is whether or not I need perl
"visible" for cgi.  Too often, yes.  But I often would
just compile it into /usr/local/perl and have the non-chrooted
one use a symlink to the chroot area.

I go further than I'd expect most to do and chroot it to /www,
which is read-only with an htdocs mounted under it noexec,nodev.

Changes to cgi-bin/ take some effort.  That's good.
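The layout described in the mail (a read-only chroot root with the document root as a separate noexec,nodev mount) is easy to declare in fstab and just as easy to let drift. The following is an added example, not part of the original mail or of OpenBSD's httpd: a small POSIX sh check that parses `mount` output and confirms the chroot root is read-only and the document root carries both nodev and noexec. The device names, mount points and the sample `mount` output are constructed for illustration; on a real host replace SAMPLE_MOUNT_OUTPUT with the output of `mount`.

```shell
# Added example (not from the original mail). Assumed fstab lines behind the
# constructed sample below (device names are made up):
#   /dev/wd0e /www        ffs ro              1 2
#   /dev/wd0f /www/htdocs ffs rw,nodev,noexec 1 2

# Constructed `mount` output in OpenBSD's format; substitute "$(mount)" on a real host.
SAMPLE_MOUNT_OUTPUT='/dev/wd0a on / type ffs (local)
/dev/wd0e on /www type ffs (local, read-only)
/dev/wd0f on /www/htdocs type ffs (local, nodev, noexec)'

# mount_opts MOUNTPOINT: print the option list for a mount point, e.g.
# "local, nodev, noexec", or nothing if it is not a separate mount.
mount_opts() {
    printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" |
        awk -v mp="$1" '$3 == mp { sub(/^[^(]*\(/, ""); sub(/\)$/, ""); print }'
}

# has_opt MOUNTPOINT OPTION: succeed only if that mount carries the option.
has_opt() {
    mount_opts "$1" | tr -d ' ' | tr ',' '\n' | grep -qx "$2"
}

# check_chroot_layout ROOT DOCROOT: return 0 only when ROOT is mounted
# read-only and DOCROOT is its own mount with both nodev and noexec.
check_chroot_layout() {
    root=$1 docroot=$2
    has_opt "$root" read-only || { echo "$root is not read-only" >&2; return 1; }
    has_opt "$docroot" nodev  || { echo "$docroot lacks nodev" >&2; return 1; }
    has_opt "$docroot" noexec || { echo "$docroot lacks noexec" >&2; return 1; }
    return 0
}

# Usage: exits non-zero if the layout has drifted from the intended one.
check_chroot_layout /www /www/htdocs
```

Because the document root is a separate mount, the check refuses to accept a plain subdirectory of /www: a directory that is not its own mount has no option list at all, so the nodev and noexec tests fail rather than being inherited from the parent.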