[ocicat]

Quote:

Originally Posted by gpatrick

...but is there an example somewhere of how to use chroot and systrace to make it that way for a specific domain.

The modified version of Apache 1.3 available in OpenBSD can be run from within a chroot(8):

http://openbsd.org/faq/faq10.html#httpdchroot

As for tightening down what syscalls are allowed, both Lucas (author of Absolute OpenBSD) and Palmer & Nazario (authors of Securing Architectures with OpenBSD) cover this in the following sets of articles:

• http://onlamp.com/pub/a/bsd/2003/01/...y_Daemons.html
  http://onlamp.com/pub/a/bsd/2003/02/...y_Daemons.html
• http://www.informit.com/articles/article.aspx?p=363731

Both sets of authors discuss iteratively constraining what syscalls are allowed by pouring over the output from:

# systrace -A /usr/sbin/inetd

The basic question you are asking is how can Apache be made to talk to multiple chroot(8)'s. While I suspect the answer will be quite tedious in looking through systrace -A output (which is error-prone & requires constant maintenance...), I would be remiss if I didn't mention three important points:

• systrace(1) has been cracked:
  
  http://undeadly.org/cgi?action=artic...20070809201304
  
• systrace(1) has lost favor with the OpenBSD developers:
  
  http://marc.info/?l=openbsd-misc&m=124767408201308&w=2
  
• The independent repository for systrace(1) policies (the Hairy Eyeball Project) is defunct.

This should indicate that acceptance/interest in systrace(1) has waned. Even the information from Lucas and Palmer & Nazario is dated (circa 2003-2004). You need to think twice before committing your business to rely on a technology that is no longer regarded as being secure.

Quote:

I understand how chroot works, but I am using Perl and MySQL for my sites and it is a little work to get that in chroot.

As I understand, Perl code can be written to jump out of a chroot(8). This further supports the developers' sentiment that systrace(1) creates a false sense of security.