Implementation

• Inetd entry calls chroot for every HTTP query

• Chroot jails apache web server

• Server runs non-root, has write access only to logs and tmp directory

• Therefore, compromised server can only serve bad pages to the attacker

• Chroot doesn’t limit everything, or course

  • Net access
  • Swap, disk, CPU exhaustion

Previous slide

Next slide

Back to first slide

View graphic version