Re: Apache Chroot
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Apache Chroot
- From: Henning Brauer <lists-openbsdtech_(_at_)_bsws_(_dot_)_de>
- Date: Mon, 15 Jul 2002 00:56:15 +0200
- Mail-followup-to: tech_(_at_)_openbsd_(_dot_)_org
grrrrrrr. I hate to correct my own posts. gimme a beer.
On Mon, Jul 15, 2002 at 12:43:10AM +0200, Henning Brauer wrote:
> no. no no no no. Nowhere does the manpage say that you need to change paths. In
> fact, the opposite is true.
... and the manpage explicitly says so:
For this to work, pathnames inside the
.Va config
file do not need adjustment relative to
.Va ServerRoot .
> you have a serious misunderstanding here.
> mod_perl and mod_www
mod_php, actually. same for all other modules.
the explanation is easy. even with a non-OpenBSD and thus not-chrooting and
not-privilege-dropping-in-the-parent apache, all children are running as
unprivileged user, www for us. If you would read up on setuid(2) you'd know
why the children cannot change uid/gid any more:
The
.Fn setuid
function is permitted if the effective user ID is that of the superuser,
or if the specified user ID is the same as the effective user ID.
> as well as all apache children always use the same
> uid/gid, www.www on OpenBSD. The User/Group directives inside VirtualHosts
> ONLY affect suexec, and the documentation is IMHO _very_ clear about this.
and suexec only works because it's a separate setuid root binary.
--
http://2suck.net/hhwl.html
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
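
Added example, not part of the original post: a small C program that exercises the setuid(2) rule quoted in the message. A forked child drops to an unprivileged uid if it started as root, then tries setuid(0) and reports whether the kernel refuses with EPERM. The uid 65534 and all function names are assumptions made for this illustration.

```c
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { DENIED = 0, REGAINED_ROOT = 1, DROP_FAILED = 2 };

/* Runs in a forked child so the caller keeps its own credentials.
 * unpriv is the uid/gid to drop to when started as root (assumed value). */
static int child_check(uid_t unpriv)
{
    if (geteuid() == 0) {
        /* Order matters: supplementary groups and gid first, uid last. */
        if (setgroups(0, NULL) != 0 || setgid((gid_t)unpriv) != 0 ||
            setuid(unpriv) != 0)
            return DROP_FAILED;
    }
    /* Permitted case: the specified uid equals the effective uid. */
    if (setuid(geteuid()) != 0)
        return DROP_FAILED;
    /* Not permitted: effective uid is no longer the superuser's. */
    errno = 0;
    if (setuid(0) == 0 || geteuid() == 0)
        return REGAINED_ROOT;
    return errno == EPERM ? DENIED : DROP_FAILED;
}

int regain_root_after_drop(uid_t unpriv)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return DROP_FAILED;
    if (pid == 0)
        _exit(child_check(unpriv));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return DROP_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = regain_root_after_drop(65534);   /* assumed unprivileged uid */
    printf("setuid(0) after drop: %s\n", r == DENIED ? "EPERM" :
           r == REGAINED_ROOT ? "succeeded" : "could not test");
    return r == REGAINED_ROOT;
}
```

Started as root, the child takes the drop path first; started as an ordinary user, it is already in the position of an Apache child and goes straight to the setuid(0) attempt.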