
Re: Apache Chroot



grrrrrrr. I hate to correct my own posts. gimme a beer.

On Mon, Jul 15, 2002 at 12:43:10AM +0200, Henning Brauer wrote:
> no. no no no no. Nowhere does the manpage say that you need to change paths. In
> fact, the opposite is true.

... and the manpage explicitly says so:

For this to work, pathnames inside the
.Va config
file do not need adjustment relative to
.Va ServerRoot .
 
> you have a serious misunderstanding here.
> mod_perl and mod_www 

mod_php, actually. same for all other modules.
the explanation is easy. even with a non-OpenBSD and thus not-chrooting and
not-privilege-dropping-in-the-parent apache, all children are running as
unprivileged user, www for us. If you would read up on setuid(2) you'd know
why the children cannot change uid/gid any more:

The
.Fn setuid
function is permitted if the effective user ID is that of the superuser,
or if the specified user ID is the same as the effective user ID.

> as well as all apache children always use the same
> uid/gid, www.www on OpenBSD. The User/Group directives inside VirtualHosts
> ONLY affect suexec, and the documentation is IMHO _very_ clear about this.

and suexec only works because it's a separate setuid root binary.

-- 
http://2suck.net/hhwl.html
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
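
The setuid(2) rule quoted in the message above, as an added example that is not part of the original post: a forked child drops privileges if it was started as root, then tries to change uid again. The uid/gid 65534 ("nobody") and the function name are assumptions made for this illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DROP_ID 65534        /* assumption: unprivileged uid/gid ("nobody") */
#define SAME_UID_OK 1        /* setuid(own effective uid) was permitted */
#define ROOT_REFUSED 2       /* setuid(0) was refused with EPERM */

/* Probe in a forked child so the caller's own credentials stay untouched.
 * Returns a bitmask of the flags above, or -1 if the setup failed. */
int probe_setuid_after_drop(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Started as root: drop supplementary groups, then gid, then uid. */
        if (geteuid() == 0 &&
            (setgroups(0, NULL) != 0 || setgid(DROP_ID) != 0 ||
             setuid(DROP_ID) != 0))
            _exit(255);
        int result = 0;
        /* Permitted: the requested uid equals the effective uid. */
        if (setuid(geteuid()) == 0)
            result |= SAME_UID_OK;
        /* Refused: we are not the superuser and uid 0 is not our uid. */
        if (setuid(0) == -1 && errno == EPERM)
            result |= ROOT_REFUSED;
        _exit(result);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 255)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = probe_setuid_after_drop();
    printf("setuid(own uid) permitted:    %s\n",
           (r > 0 && (r & SAME_UID_OK)) ? "yes" : "no");
    printf("setuid(0) refused with EPERM: %s\n",
           (r > 0 && (r & ROOT_REFUSED)) ? "yes" : "no");
    return r == (SAME_UID_OK | ROOT_REFUSED) ? 0 : 1;
}
```

The result is the same whether the program is started as root or as an ordinary user, because the child is unprivileged by the time it makes the two setuid() calls.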


