Chroot caveats
Using SecChrootDir works great for some setups, but not for others. If your site relies heavily on third-party modules or external programs (such as PHP or Perl) then trying to jail Apache may not be worth it because of all the extra effort required to get those external applications to work correctly while in jail. If you're just hosting plain HTML files, though, and want the extra security provided by a jailed Apache process then using SecChrootDir should be a straightforward process with a minimum of complications.
Here are some additional things to look out for when using SecChrootDir:
Restarting Apache may not work as expected. If a command such as
apachectl restartorapachectl gracefuldoes not work, try stopping and then starting Apache using two separate commands.Similarly, sending a SIGHUP to Apache to make it restart will not work as expected, as the required modules may not be available inside the jail and if they are, ModSecurity will be attempting to perform...
