mod_rsbac What is it? mod_rsbac brings some RSBAC specific features to Apache, namely: - rsbac_jail, can jail the whole Apache environment. Work like mod_chroot. - RC, working until now only with the Prefork MPM. The RC module allow a SuExec-like functionality without the cost of forking new processes, and thus much faster. The master Apache process is assigned a role (apache-master) which is allowed to assign to role apache-worker to the worker processes it creates (also called childrens). Every worker is then allowed to switch their role to a set of roles, which represent either the different directories or virtual hosts to serve. You can use either the Jail functions, either RC functions or both at the same time. Of course, you need a RSBAC enabled kernel to use mod_jail. See <http://www.rsbac.org/> or install a RSBAC enabled kernel from your distribution. (De-facto, this module currently only run on Linux) Caveats Running Apache (and CGI/Perl/PHP) inside a jail can be tricky. Read CAVEATS for known problems and solutions. The RC functions rely on Apache to clear each worker environment. Before switching it's role, the worker process free the previous request's data. Restarting Apache Once jailed, Apache cannot access anything located above JailDir. For that reason restarting Apache with 'apachectl reload', 'apachectl graceful' or 'kill -HUP apache_pid' will not work as expected. Apache will not be able to read its config file, open logs or load modules (unless you put them inside the jail, but mod_jail is all about not doing that!). Use 'apachectl stop' followed by 'apachectl start' to restart mod_rsbac-enabled with Jail settings Apache.
