Re: httpd changes
- To: misc_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org
- Subject: Re: httpd changes
- From: Chuck Yerkes <chuck+obsd_(_at_)_snew_(_dot_)_com>
- Date: Sat, 13 Jul 2002 22:42:47 -0700
Quoting Theo de Raadt (deraadt_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org):
> httpd by default now chroots into /var/www.
> This causes all sorts of fancy features to break. Fancy features which
> we believe to be quite unsafe.

Agreed. Been running web services chroot since CERN's server
came out. Never got out of the habit 'cause it avoided a lot
of exploits. The biggest pain is whether or not I need perl
"visible" for cgi. Too often, yes. But I often would
just compile it into /usr/local/perl and have the non-chrooted
one use a symlink to the chroot area.

I go further than I'd expect most to do and chroot it to /www
which is read-only with an htdocs mounted under it noexec,nodev.
Changes to cgi-bin/ take some effort. That's good.
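
An added example, not part of the original post: a small shell check that a chroot tree is mounted the way the message describes (/www read-only, htdocs under it noexec,nodev). The /www/htdocs path, the device names and the sample lines in OpenBSD-style mount(8) output are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit mount options of a web chroot tree.
# Constructed samples in OpenBSD-style mount(8) output; devices are made up.
SAMPLE_GOOD='/dev/wd0a on / type ffs (local)
/dev/wd0e on /www type ffs (local, read-only)
/dev/wd0f on /www/htdocs type ffs (local, nodev, noexec)'

SAMPLE_BAD='/dev/wd0a on / type ffs (local)
/dev/wd0e on /www type ffs (local)
/dev/wd0f on /www/htdocs type ffs (local, nodev)'

# mount_has_opts MOUNT_OUTPUT MOUNTPOINT OPT...
# Returns 0 only if MOUNTPOINT is its own mount and carries every OPT.
mount_has_opts() {
    out=$1; mp=$2; shift 2
    # Pull the parenthesised option list for the exact mount point.
    opts=$(printf '%s\n' "$out" | awk -v mp="$mp" '
        $2 == "on" && $3 == mp {
            sub(/^[^(]*\(/, ""); sub(/\).*$/, ""); gsub(/, */, ",")
            print; exit
        }')
    # A path that is not a separate mount inherits its parent's options,
    # so treat "not found" as a failure rather than a pass.
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_chroot MOUNT_OUTPUT: apply the layout from the post.
check_chroot() {
    rc=0
    mount_has_opts "$1" /www read-only ||
        { echo "FAIL: /www is not mounted read-only"; rc=1; }
    mount_has_opts "$1" /www/htdocs noexec nodev ||
        { echo "FAIL: /www/htdocs lacks noexec,nodev"; rc=1; }
    return $rc
}

# Runs on the constructed sample; on a real host pass "$(mount)" instead.
check_chroot "$SAMPLE_GOOD" && echo "constructed sample: layout OK"
```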