Why should I use mod_chroot instead of mod_security?

mod_security is a complex piece of code. It does a lot of string processing, which is a genuinely hard task to get right. Apparently the mod_security developers did not avoid some of the common pitfalls: two vulnerabilities have been found in mod_security; see here and here.

mod_security is a Swiss-army knife: it contains lots of features, including request filtering, URI normalisation, POST payload analysis, and so on. While some people may need all of these features, I believe in the classical Unix approach: simple pieces which each do one thing and are easy to integrate with other pieces. This approach improves security:

My suggestion: if you only need to chroot() the server, use mod_chroot. If you need URI normalisation and the other mod_security features, use mod_security and watch its mailing list for bugfix releases. Whichever you choose, keep in mind that chroot() only restricts the process's view of the filesystem; it is not a sandbox against a process that still runs as root, so the server's worker processes must still be running as an unprivileged User and Group.
