000020800 - Using chroot command with an Apache server protected by RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 4

Article Content

Article Number: 000020800
Applies To: RSA ClearTrust Agent 3.5 for Apache
Issue: Using chroot command with an Apache server protected by RSA ClearTrust
Resolution: It is common practice, though not universal, to run Apache web servers in what is referred to as a "chrooted" environment. Before the command that starts the web server (or any other process) is executed, the chroot command is used to place the user or process into an environment in which a named directory appears to be the root of the entire file system, for example:

# ls /export/home
file1 file2 file3
# chroot /export/home sh
# cd /
# ls
file1 file2 file3

For a more technical description about chroot, see your operating system documentation.

A significant amount of work is needed before an application can run in this environment, because nothing outside the named directory is visible to it. In fact, the example above would fail: the shell binary (for example /usr/bin/sh) must first be copied to the same path under the new root (/export/home/usr/bin/sh), together with the shared libraries it is linked against, before chroot can execute it. A common end result is that more than 100 operating system files (binaries, libraries, configuration files and device nodes) have to be copied to allow something as complex as a web server to run. The benefit is that users who connect to the web server, whatever attacks they employ against it, cannot read or modify files outside the chrooted tree. Note that chroot only restricts the process's view of the file system: it does not limit network access or other kernel interfaces, and a process that runs as root inside the jail can usually escape it, so the web server should run as an unprivileged user inside the chroot.
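The staging work described above, as an added example that is not part of the original RSA article: a POSIX shell script that copies a binary and the shared libraries it links against (as reported by ldd) into a jail directory at the same absolute paths, creates the skeleton directories a daemon expects, and starts a command inside the jail as an unprivileged user. The directory layout, the use of ldd and the GNU chroot --userspec option are assumptions for a typical Linux host and must be adapted to the target operating system; device nodes are not created because that step needs root.

```shell
#!/bin/sh
# Minimal chroot jail builder. Added example, not from the RSA article.
# Assumes a Linux host with ldd and GNU coreutils chroot (--userspec).

# Print the absolute paths of the shared objects a binary needs, taken from
# ldd output. Prints nothing for a statically linked binary or if ldd is
# unavailable, so the caller simply stages the binary alone.
lib_deps() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' || true
}

# Copy one host file into the jail at the same absolute path it has on the
# host, creating parent directories as needed (cp keeps the mode bits).
stage_file() {
    jail="$1"; src="$2"
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")"
    cp "$src" "$dest"
}

# Copy a binary and every shared object it links against into the jail.
stage_binary() {
    jail="$1"; bin="$2"
    stage_file "$jail" "$bin"
    for lib in $(lib_deps "$bin"); do
        stage_file "$jail" "$lib"
    done
}

# Create the directory skeleton a daemon normally expects. Device nodes such
# as /dev/null and /dev/urandom need mknod as root and are left to the
# administrator.
stage_skeleton() {
    jail="$1"
    for d in bin dev etc lib tmp usr/bin usr/lib var/log; do
        mkdir -p "$jail/$d"
    done
    chmod 1777 "$jail/tmp"
}

# Number of regular files staged under the jail; a quick sanity check that
# shows how many host files even a single shell drags in.
jail_file_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Start a command inside the jail as an unprivileged user. This is the only
# step that needs root: chroot(2) is privileged, and the jailed process must
# not keep root because a root process can usually escape a chroot.
run_in_jail() {
    jail="$1"; user="$2"; shift 2
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_in_jail: must be root to call chroot" >&2
        return 1
    fi
    chroot --userspec="$user" "$jail" "$@"
}

# Command-line entry point:  sh jail.sh build JAILDIR BINARY...
if [ "${1:-}" = "build" ]; then
    jail="${2:?usage: $0 build JAILDIR BINARY...}"
    shift 2
    stage_skeleton "$jail"
    for bin in "$@"; do
        stage_binary "$jail" "$bin"
    done
    echo "staged $(jail_file_count "$jail") files under $jail"
fi
```

For example, `sh jail.sh build /export/home /bin/sh` stages the shell and its libraries under /export/home, after which `run_in_jail /export/home www /bin/sh` (as root) drops into the jail as the hypothetical user www. Configuration files, log directories and the web server binary itself are staged the same way, which is where the file count grows quickly.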

NOTE: RSA Security has not tested RSA ClearTrust code in this environment, so it is currently not possible to advise on its effects. As a general policy, because no specific standard is in effect, RSA Security is not able to assist customers running applications in these sorts of environments. For more information, see the solution regarding RSA Security products and system hardening.
Legacy Article ID: a18942