[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Apache Chroot

To: tech@openbsd.org
Subject: Re: Apache Chroot
From: Henning Brauer <lists-openbsdtech@bsws.de>
Date: Mon, 15 Jul 2002 00:43:10 +0200
Content-Disposition: inline
Mail-Followup-To: tech@openbsd.org
References: <20020714162911.H869@tigerteam.net> <Pine.BSF.4.32L2.0207140408110.42129-100000@shell-3.enteract.com> <20020714094425.GA48873@lagoon.freebsd.lublin.pl> <20020714145242.D2072@skywalker.bsws.de> <00a101c22b86$5908b4b0$2234a8c0@riley>

On Sun, Jul 14, 2002 at 03:32:33PM -0700, Randall Augustus Alexander wrote:
> I just setup a new machine from current a couple of days ago and ran into
> the fact that apache is now chrooted to /var/www.  At first I thought there
> was some sort of a problem and even reinstalled the system from scratch.
> After a few hours I finally RTFM.  Sure enough the man page pointed out that
> it was chrooted and that I had to change paths in httpd.conf.

no. no no no no. Nowhere the manpage says that you need to change pathes. In
fact, the opposite is true.

> The paths in the distributed httpd.conf file are all assuming a non chrooted
> server.  

I'm not sure how old you're sources are, but it is not required to change
pathes. I resolved path issues in the distributed modules one or two days
after the apache chroot commit, the core always stripped pathes itself.

> To save someone else some time, someone might want to change the
> httpd.conf file paths

that's not needed.

> In researching the problem I also visited the apache.org website and learned
> that the user and group directives can also be used inside of virtual host
> containers.  This gave me an idea to further enhance an apache installlation
> on OpenBSD.
> Setup the server to run as www:www as usuall and then for each virtual host
> setup a system account with their shell set to nologin to give them chrooted
> ftp access to thier web content directory.   The virtual host container for
> that vhost would then have the user directive reflecting their system
> account and the www group,  The directory would only be writeable by that
> user and readable by the www group.  When running mod_perl or mod_php they
> would also inherit those permissions and should work well.  I will be
> testing that theory here shortly.

you have a serious misunderstanding here.
mod_perl and mod_www as well as all apache children always use the same
uid/gid, www.www on OpenBSD. The User/Group directives inside VirtualHosts
ONLY affect suexec, and the documentation is IMHO _very_ clear about this.

Follow-Ups:
- Re: Apache Chroot
  - From: Henning Brauer <lists-openbsdtech@bsws.de>
- Re: Apache Chroot
  - From: "Randall Augustus Alexander" <openbsd@zonedzero.net>

References:
- Re: OpenBSD rootkit?
  - From: Fyodor <fygrave@tigerteam.net>
- Re: OpenBSD rootkit?
  - From: Jolan Luff <jolan@enteract.com>
- Re: OpenBSD rootkit?
  - From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
- Re: OpenBSD rootkit?
  - From: Henning Brauer <lists-openbsdtech@bsws.de>
- Apache Chroot
  - From: "Randall Augustus Alexander" <openbsd@zonedzero.net>

Prev by Date: Re: Apache Chroot
Next by Date: Re: Apache Chroot
Prev by thread: Apache Chroot
Next by thread: Re: Apache Chroot
Index(es):
- Date
- Thread