Jail Those Daemons

Okay, to do this right, you’re going to need a Catholic priest, some holy water, a dash of incense…

Yeah, I’m kidding. While it’s sometimes helpful for a sysadmin in a busy environment to have the above on hand, it’s not required to put system daemons in a chroot jail.

Using chroot – “change root” – is a good way to help further lock down a system connected to the Internet. Chroot forces a daemon such as named (part of the BIND DNS server) or httpd (Apache) to stay within a confined portion of the file system. For example, if you create the directory /var/www and chroot Apache, as far as the Apache system is concerned, /var/www is actually / (root).

The benefit, as explained in the article, is if an attacker were to compromise Apache, the chroot jail mitigates the damage that can be done to the rest of your system. While the various binaries accessible/required by Apache may be trojaned or otherwise compromised, the main system binaries are safely located in their usual place. You can wipe /var/www and start from scratch with Apache without sweating the rest of your data.