Re: Apache Chroot



On Sun, Jul 14, 2002 at 03:32:33PM -0700, Randall Augustus Alexander wrote:
> I just set up a new machine from current a couple of days ago and ran into
> the fact that apache is now chrooted to /var/www.  At first I thought there
> was some sort of a problem and even reinstalled the system from scratch.
> After a few hours I finally RTFM.  Sure enough the man page pointed out that
> it was chrooted and that I had to change paths in httpd.conf.

no. no no no no. Nowhere does the manpage say that you need to change paths. In
fact, the opposite is true.

> The paths in the distributed httpd.conf file are all assuming a non-chrooted
> server.  

I'm not sure how old your sources are, but it is not required to change
paths. I resolved path issues in the distributed modules one or two days
after the apache chroot commit; the core always stripped paths itself.

> To save someone else some time, someone might want to change the
> httpd.conf file paths

that's not needed.

> In researching the problem I also visited the apache.org website and learned
> that the user and group directives can also be used inside of virtual host
> containers.  This gave me an idea to further enhance an apache installation
> on OpenBSD.
> Set up the server to run as www:www as usual and then for each virtual host
> set up a system account with their shell set to nologin to give them chrooted
> ftp access to their web content directory.   The virtual host container for
> that vhost would then have the user directive reflecting their system
> account and the www group.  The directory would only be writeable by that
> user and readable by the www group.  When running mod_perl or mod_php they
> would also inherit those permissions and should work well.  I will be
> testing that theory here shortly.

you have a serious misunderstanding here.
mod_perl and mod_www as well as all apache children always use the same
uid/gid, www.www on OpenBSD. The User/Group directives inside VirtualHosts
ONLY affect suexec, and the documentation is IMHO _very_ clear about this.
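
The distinction drawn in the reply above, as an added example that is not part of the original message or of Apache or OpenBSD: a small Python audit that reads an httpd.conf and reports, per virtual host, the identity in-process handlers run as next to the User/Group that only suexec would honour. The sample config, the hostnames and the `alice` account are constructed for illustration.

```python
import re

# Constructed sample httpd.conf; hostnames and the "alice" account are made up.
SAMPLE_CONF = """\
User www
Group www
<VirtualHost *>
    ServerName a.example.org
    User alice
    Group www
</VirtualHost>
<VirtualHost *>
    ServerName b.example.org
</VirtualHost>
"""

def audit_vhost_ids(conf_text):
    """Return (server-wide identity, per-vhost report) for an httpd.conf string."""
    main = {"user": None, "group": None}
    vhosts, cur = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            cur = {"servername": None, "user": None, "group": None}
        elif re.match(r"</VirtualHost\s*>", line, re.I) and cur is not None:
            vhosts.append(cur)
            cur = None
        else:
            # Directive name, then its argument ("" when there is none).
            parts = line.split(None, 1) + [""]
            key, val = parts[0].lower(), parts[1].strip('" ')
            if key in ("user", "group"):
                (cur if cur is not None else main)[key] = val
            elif key == "servername" and cur is not None:
                cur[key] = val
    report = [{
        "vhost": v["servername"],
        # Static files, mod_perl, mod_php: always the server-wide uid/gid.
        "in_process": (main["user"], main["group"]),
        # Honoured only for CGI run through suexec; None means not set here.
        "suexec_only": (v["user"], v["group"]),
        "override_has_no_effect_in_process": bool(v["user"] or v["group"]),
    } for v in vhosts]
    return main, report

if __name__ == "__main__":
    for row in audit_vhost_ids(SAMPLE_CONF)[1]:
        print(row)
```

Any vhost flagged `override_has_no_effect_in_process` still has its mod_perl/mod_php code running as the server-wide account, so directory permissions alone cannot separate such vhosts from each other.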