[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Apache Chroot
On Sun, Jul 14, 2002 at 03:32:33PM -0700, Randall Augustus Alexander wrote:
> I just setup a new machine from current a couple of days ago and ran into
> the fact that apache is now chrooted to /var/www. At first I thought there
> was some sort of a problem and even reinstalled the system from scratch.
> After a few hours I finally RTFM. Sure enough the man page pointed out that
> it was chrooted and that I had to change paths in httpd.conf.
no. no no no no. Nowhere the manpage says that you need to change pathes. In
fact, the opposite is true.
> The paths in the distributed httpd.conf file are all assuming a non chrooted
I'm not sure how old you're sources are, but it is not required to change
pathes. I resolved path issues in the distributed modules one or two days
after the apache chroot commit, the core always stripped pathes itself.
> To save someone else some time, someone might want to change the
> httpd.conf file paths
that's not needed.
> In researching the problem I also visited the apache.org website and learned
> that the user and group directives can also be used inside of virtual host
> containers. This gave me an idea to further enhance an apache installlation
> on OpenBSD.
> Setup the server to run as www:www as usuall and then for each virtual host
> setup a system account with their shell set to nologin to give them chrooted
> ftp access to thier web content directory. The virtual host container for
> that vhost would then have the user directive reflecting their system
> account and the www group, The directory would only be writeable by that
> user and readable by the www group. When running mod_perl or mod_php they
> would also inherit those permissions and should work well. I will be
> testing that theory here shortly.
you have a serious misunderstanding here.
mod_perl and mod_www as well as all apache children always use the same
uid/gid, www.www on OpenBSD. The User/Group directives inside VirtualHosts
ONLY affect suexec, and the documentation is IMHO _very_ clear about this.