"SfR Fresh" - the SfR Freeware/Shareware Archive

Member "cgiwrap-4.1/doc/chroot" of archive cgiwrap-4.1.tar.gz:


                       CGIWrap - Chroot Implementation
     __________________________________________________________________

   Note - This facility is for expert administrators only. CGI scripts
   will not work AT ALL if you don't do this right.
     __________________________________________________________________

   The chroot facility in cgiwrap is built on a loopback filesystem
   approach. This means cgiwrap expects the same filesystem structure
   inside the chrooted area as exists outside it. The prefix specified
   with --with-chroot=PATH should point to the top of your chrooted area.

   Within the chrooted area, you should place any
   executables/libraries/tools that you want available to CGI scripts. For
   the user data within the filesystem I suggest you use a loopback NFS
   mount. I suggest using the nosuid and nodev options on the mount for
   additional protection.

   For optimum protection, you might also consider using a loopback NFS
   mount for the top level of the chroot area as well, mounted with the
   'ro' mount option. This will prevent ANY changes to that filesystem.

   Note, this is not as secure as some chroot facilities, but it is more
   secure than the basic cgiwrap setup. For additional security, it is
   recommended that user home directories have NO world/other permissions
   set.
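
   The following audit script is an added example, not part of the cgiwrap
   distribution. It checks the three recommendations above: 'ro' on the top
   of the chroot area, nosuid and nodev on the user-data mount, and no
   world/other permissions on home directories. The paths /chroot and /home,
   the function names and the sample mount table are assumptions made for
   illustration.

```sh
#!/bin/sh
# Added example: audit a chroot area against the recommendations in this document.
# Mount tables are read in /proc/mounts format: device mountpoint fstype options ...

# has_mount_opt TABLE MOUNTPOINT OPTION: succeeds if the last (topmost) mount
# on MOUNTPOINT carries OPTION.
has_mount_opt() {
    awk -v mp="$2" -v want="$3" '
        $2 == mp { found = 0; n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == want) found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# no_other_perms DIR: succeeds if DIR has no world/other permission bits.
# Columns 8-10 of the "ls -ld" mode string are the "other" triplet.
no_other_perms() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# audit_chroot TABLE CHROOT HOMES: prints one FAIL line per finding and
# returns the number of findings (0 means every check passed).
# Assumes user data is mounted at CHROOT/HOMES, mirroring the outside layout.
audit_chroot() {
    table=$1; top=$2; data=$2$3; fails=0
    has_mount_opt "$table" "$top" ro ||
        { echo "FAIL: $top is not mounted ro"; fails=$((fails + 1)); }
    for opt in nosuid nodev; do
        has_mount_opt "$table" "$data" "$opt" ||
            { echo "FAIL: $data is mounted without $opt"; fails=$((fails + 1)); }
    done
    for d in "$data"/*; do
        [ -d "$d" ] || continue
        no_other_perms "$d" ||
            { echo "FAIL: $d has world/other permissions"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# sample_mounts CHROOT: constructed mount table (not real output) in which the
# user-data loopback mount lacks nodev.
sample_mounts() {
    printf '%s\n' \
        "localhost:/export/chroot $1 nfs ro,nosuid,nodev 0 0" \
        "localhost:/home $1/home nfs rw,nosuid 0 0"
}

# Usage on a live host (assumed paths): audit_chroot /proc/mounts /chroot /home
```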