I have been advised by a sysadmin guy I know, to run Apache in a chroot jail, for increased security.
I have the following questions:
- Is this advisable (i.e. are there any 'gotcha's that I need to be aware of) ?
- Does running Apache in a chroot jail affect its ability issues like performance and scalability?
He also advised that I run my databases (mySQL and PostgreSQL), in separate chroot jails.
Is this something that is often done in production systems
[Edit]
Forgot to say, Server is running on Ubuntu 8.04 LTS
Best Answer
Chrooting is a good security measure, it limits the possibilities to compromise the system in case of a successfull exploit but there are also ways in some case to evade from a chroot, so it is not a definitive way to protect the system.
I'm not aware of any disavantage regarding performance and scalability. Concerning database access, it is generaly done with a link to the socket inside the chroot this way you don't have to open any networking port for database connectivity.
EDIT: below is a sample for mysql access taken from an OpenBSD rc.local (OpenBSD chrooted httpd)
Hope this helps.