IBM developerWorks : Security : Education - Tutorials
Securing your Web server
4. Jailing your Web users

Creating a Chroot environment (page 1 of 13)


Any discussion of Web server security would be incomplete without at least a brief foray into the topic of creating a chroot environment for your Web server. Chrooting a Web server installation is one of the strongest containment measures available for serving Web pages, but it is also one of the most complex to implement, because every directory and component that makes up a functioning Web server must be replicated inside the jail, fully separated from the main filesystem. For this reason, I strongly suggest that you fully test a chroot installation on a development system before moving it to a production role.

The concept behind a chroot environment is simple: correctly implemented, it prevents a process, and the users it serves, from gaining access to the main "root" filesystem on the server (hence the name: you change what the process sees as the root of the filesystem). Note that chroot is not only applicable to securing a Web server. You can chroot almost any program, including a user's default login shell. For details on creating a multipurpose chroot environment, complete with scripts that copy the appropriate libraries and program files into the chroot tree, check out the Jail Chroot Project written and supported by Juan Casillas (see Further resources).

Pros of a chroot installation:

  • If your Web server is ever compromised, the attacker is restricted to the chroot jail directory tree and cannot reach the main filesystem. This holds only if the jailed server runs as an unprivileged user; a process running as root inside a jail can still break out of it, so chroot is a containment measure, not a substitute for dropping privileges.
  • A poorly written CGI script that would otherwise expose the main filesystem simply fails, because the files it reaches for do not exist inside the jail.
  • Any negative consequences of an improperly configured server are limited to the chroot environment.

Cons of a chroot installation:

  • You must copy every extra library or module your Web server installation requires into the chroot tree.
  • Any external program or language your Web server installation requires must also reside in the chroot tree. This includes monitoring utilities, languages such as Perl or PHP, the SSL libraries, and all required components (binaries, libraries, configuration files, and so on) of any program the Web service depends on (for example, LDAP, MySQL, PostgreSQL, or FrontPage extensions).

Note: This section assumes the program /usr/sbin/chroot is installed on your system. If it is not, install it before proceeding with the examples shown.
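The library-copying chore described in the cons list is what the Jail Chroot Project scripts automate. As an added example, not code from this tutorial or from that project, here is a small POSIX shell script that does the core of the job for one program: it copies the binary and every shared library ldd reports into the jail, builds the handful of directories most daemons expect, and then checks that nothing is missing before you chroot into the tree. The jail path, the directory skeleton, and the assumed ldd output format ("name => /path (0x...)") are my assumptions; adjust them to your system.

```shell
#!/bin/sh
# Added example (not from the tutorial): build and verify a minimal chroot
# tree by copying each program plus the shared libraries ldd says it needs.
# Assumptions: mkdir -p, cp -L and dirname are available, and ldd prints the
# usual "name => /path (0x...)" lines. Jail path is whatever you pass in.
set -eu

# copy_into_jail SRC JAIL: copy SRC to the same path under JAIL, creating
# parent directories. -L follows symlinks so the jail holds a real file;
# a symlink pointing outside the jail would dangle once the root changes.
copy_into_jail() {
    src="$1"; jail="$2"
    mkdir -p "$jail$(dirname "$src")"
    cp -L "$src" "$jail$src"
}

# needed_libs PROG: print the absolute path of every shared object PROG
# depends on, one per line. Static binaries produce no output.
needed_libs() {
    # Typical ldd lines:
    #   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
    #   /lib64/ld-linux-x86-64.so.2 (0x...)     <- dynamic loader, keep
    #   linux-vdso.so.1 (0x...)                 <- kernel-provided, skip
    #   libfoo.so.1 => not found                <- "not" fails the -f test below
    ldd "$1" 2>/dev/null | awk '$2 == "=>" { print $3 } $1 ~ /^\// { print $1 }' || true
}

# jail_program PROG JAIL: copy PROG and its libraries into JAIL.
jail_program() {
    prog="$1"; jail="$2"
    copy_into_jail "$prog" "$jail"
    needed_libs "$prog" | while read -r lib; do
        if [ -f "$lib" ]; then
            copy_into_jail "$lib" "$jail"
        fi
    done
}

# jail_check PROG JAIL: return 0 if PROG and every library it needs exist
# under JAIL; otherwise list the missing files on stderr and return 1.
jail_check() {
    prog="$1"; jail="$2"; missing=0
    for f in "$prog" $(needed_libs "$prog"); do
        if [ ! -f "$jail$f" ]; then
            echo "missing in jail: $f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# jail_skeleton JAIL: directories most jailed daemons expect (assumed set).
jail_skeleton() {
    for d in etc dev tmp var/log lib usr/lib; do
        mkdir -p "$1/$d"
    done
    chmod 1777 "$1/tmp"
}

# Usage: sh build_jail.sh JAIL PROG [PROG...]
# (run as root when you intend to chroot into the result afterwards)
if [ "$#" -ge 2 ]; then
    jail="$1"; shift
    jail_skeleton "$jail"
    for p in "$@"; do
        jail_program "$p" "$jail"
        jail_check "$p" "$jail"
    done
    echo "jail built at $jail; enter it with: chroot $jail $1"
fi
```

ldd only finds shared libraries. Configuration files, log directories, device nodes, and anything the server opens at run time (the httpd.conf, /etc/passwd entries for the server user, the SSL certificates) still have to be copied by hand, which is exactly the chore the cons list warns about. Once the daemon is running inside the jail, on Linux `ls -l /proc/<pid>/root` should point at the jail directory rather than `/`; if it points at `/`, the process is not jailed.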

