url: http://core.segfault.pl/~hobbit/mod_chroot/

It would be very nice to also have a method to make a chroot per virtualhost, but I understand that's not possible right now.

At least with that module (mod_chroot) it's very easy to make a jail for apache.

ASL actually can do this now. (For all of apache, not individual vhosts)

Just add this to your modsecurity config:

SecChrootDir /chroot/directory/for/apache

And your apache will be chrooted.

When I looked at this, the issue was that script paths would change (starting at the root of the chroot path).

So if you set it to /var/www/vhosts, all the scripts with paths set to /var/www/vhosts/domain.com (etc) will break because the /var/www/vhosts part would have been effectively lopped off.

I assume this is why it isn't set by default in ASL?

Faris.

Oh yeah, and also because a lot of things expect to be able to use /tmp /var/tmp /foo, etc. like PHP for instance.

Or the perl/python/ruby/etc packages that use /usr/share or /usr/lib/perl. Probably not as big of a deal for the php only sites though. Theyd just lose access to pear and /tmp

Essentially what you are saying is stick to suphp (or php-via-FastCGI in Plesk 9)

Faris.

Probably the most hassle free implementation Ive seen so far is open_basedir in php. I realize obviously that there are hassles with it :p Point being everything else out there is even more work.

The other caveat here is that without a kernel level enforcement (grsec does this) on the chroot() function, its actually not a lot of work to get around what mod_chroot or mod_security would do to enforce it.

You'd definitely get utility out of it if you were doing cgi type hosting though. So I don't think its a bad thing. It would certainly let you constrain perl better than you can on a normal plesk box, much like you can with php's open_basedir.