Tuesday, January 22, 2013

Apache in chrooted jail on Amazon

There is a great article about creating chroot environments with yum on prefetch.net, and a relevant example on Doug Bunger's Blog.

The gist is that you want to change the root file system of a server process (say Apache httpd) so that when it is hacked, the process can't see, and therefore can't compromise, the server at large. But a critical trade-off is ease of updates. The most important thing you can do for security is to keep your software up to date so that you aren't vulnerable to well-known exploits. Therefore, switching your install location to support a chrooted jail must not break easy updates via a tool like yum.

The solution is to install your server software and all its dependencies inside a jail, using the existing ability of rpm and yum to install packages to an alternate root directory. Unfortunately, this isn't as simple as it sounds. Basically you will specify something like /opt/jail/ as the new root via the yum option --installroot=, meaning that yum understands not only that httpd should be rooted there but that yum itself, all its configuration, and all other packages should also be rooted there.

But after a thorough reading of the above articles, I decided to give up. Doug shows that updates are a pain, and in my case, I'm already running a bare-bones server, so I'd end up basically putting everything in the jail and thereby protecting nothing.
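The --installroot workflow and the "everything ends up in the jail" trade-off described above can be measured rather than guessed. This is an added example, not code from the original post or the linked articles: it wraps install and update against the alternate root and reports what percentage of the host's packages are duplicated inside the jail. The /opt/jail path is the post's; the function names and the sample package lists are constructed for illustration.

```bash
#!/bin/bash
# Added example. JAIL defaults to the post's /opt/jail; function names are hypothetical.
JAIL="${JAIL:-/opt/jail}"

# Install or update packages with $JAIL treated as / by yum and rpm.
jail_install() { yum --installroot="$JAIL" -y install "$@"; }
jail_update()  { yum --installroot="$JAIL" -y update; }

# Sorted, unique package names from the rpm database rooted at $1.
pkg_names() { rpm --root "$1" -qa --qf '%{NAME}\n' | LC_ALL=C sort -u; }

# Percentage of host packages (file $1) also present in the jail (file $2).
# Both files hold one package name per line, sorted in the C locale.
jail_overlap_pct() {
    total=$(awk 'NF{n++} END{print n+0}' "$1")
    [ "$total" -gt 0 ] || { echo 0; return 0; }
    shared=$(LC_ALL=C comm -12 "$1" "$2" | awk 'NF{n++} END{print n+0}')
    echo $(( shared * 100 / total ))
}

# Overlap between the real host and the real jail (needs rpm and a built jail).
live_overlap() {
    d=$(mktemp -d)
    pkg_names / > "$d/host"
    pkg_names "$JAIL" > "$d/jail"
    jail_overlap_pct "$d/host" "$d/jail"
    rm -rf "$d"
}

# Constructed sample: a bare-bones host and a jail built for httpd.
demo_overlap() {
    d=$(mktemp -d)
    printf '%s\n' bash coreutils glibc httpd openssl yum | LC_ALL=C sort > "$d/host"
    printf '%s\n' apr bash coreutils glibc httpd openssl | LC_ALL=C sort > "$d/jail"
    jail_overlap_pct "$d/host" "$d/jail"
    rm -rf "$d"
}

case "${1:-}" in
    install) shift; jail_install "$@" ;;
    update)  jail_update ;;
    overlap) echo "host packages duplicated in jail: $(live_overlap)%" ;;
    *)       echo "constructed demo overlap: $(demo_overlap)%" ;;
esac
```

A high overlap figure means the jail carries nearly the same attack surface as the host, and every package in it needs its own update run with jail_update in addition to the host's normal yum update.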
