Why should I use mod_chroot instead of mod_security?
mod_security is a complex piece of code. It does lots of string processing, which is a genuinely hard task to get right. Apparently the mod_security developer did not avoid some common problems: two vulnerabilities have been found in mod_security; see here and here.
mod_security is a Swiss-army knife: it contains lots of features, including request filtering, URI normalisation, POST payload analysis, and so on. While some people may need all of these features, I believe in the classical Unix approach - simple pieces which do one thing and are easy to integrate with other pieces. This approach improves security:
- mod_chroot never talks to remote clients.
- mod_chroot allocates memory exactly once - during startup.
- mod_chroot contains no request handling.
My suggestion: if you only need to do chroot(), use mod_chroot. If you need URI normalisation and the other mod_security features, use mod_security and watch the mailing list for bugfix releases.
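To make concrete what "only doing chroot()" amounts to, here is the startup-time sequence a chroot-only module performs, as an added example written for this page (illustrative C, not mod_chroot's own source); the directory, the uid/gid 65534 and the enter_jail name are assumptions.

```c
/* Added example: the one-shot chroot() done at server startup, after the
 * listening sockets are bound and before the first request is handled.
 * Illustrative code, not mod_chroot's own source. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

enum jail_status {
    JAIL_OK = 0,
    JAIL_ERR_NOT_ROOT,   /* chroot(2) requires root (CAP_SYS_CHROOT) */
    JAIL_ERR_CHROOT,
    JAIL_ERR_CHDIR,      /* a cwd left outside the jail is an escape route */
    JAIL_ERR_DROP_PRIVS,
    JAIL_ERR_STILL_ROOT  /* a root process could simply chroot() back out */
};

/* Enter `dir` and give up root. Order matters: chdir("/") after chroot()
 * so the working directory is inside the jail, and privileges are dropped
 * last so the jail cannot be undone with a second chroot(). */
enum jail_status enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return JAIL_ERR_NOT_ROOT;
    if (chroot(dir) != 0)
        return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;
    /* Supplementary groups, then gid, then uid: once the uid is
     * unprivileged the earlier calls would no longer be permitted. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_ERR_DROP_PRIVS;
    if (setuid(0) == 0)          /* regaining root must now fail */
        return JAIL_ERR_STILL_ROOT;
    return JAIL_OK;
}

int main(void)
{
    char dir[] = "/tmp/jail-XXXXXX";      /* constructed, empty jail directory */
    if (mkdtemp(dir) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    enum jail_status st = enter_jail(dir, 65534, 65534); /* assumed: nobody */
    printf("enter_jail: %d; /etc/passwd visible: %s\n", (int)st,
           access("/etc/passwd", F_OK) == 0 ? "yes" : "no");
    return st == JAIL_OK ? 0 : 1;
}
```

Run as root it reports that /etc/passwd is no longer visible; run unprivileged it stops at JAIL_ERR_NOT_ROOT, which is the point: the whole module is a handful of calls that never see a request.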