I hadn't looked at mod_security before, but it appears to do something totally different to chroot. With chroot you construct a restricted environment to run the chosen software in, and the rest of the system is "invisible" to the application.
This is time-consuming to setup, and the restricted application can escape the chroot if it gets root privileges. It's probably better to use SELinux, which is the default for current releases of Fedora Core and RHEL. On an SELinux system every secured service is effectively under chroot, because the SELinux policy absolutely prevents them from accessing other parts of the system. People complain about SELinux because it is *too* effective at restricting unsafe behavior out-of-the-box
.
My personal Web server runs an older distro, and I opted for a low-maintenance approach: it runs the AIDE intrusion detection system so that I can see if a change occurs which I didn't make myself, and I set the security options in PHP to restrict the one remaining PHP application that I use. Long-term I'll migrate from that application to a Rails equivalent, turn off PHP altogether, and switch from Apache to lighttpd. One of the advertised features of lighttpd is that it chroots well.
