chrooting apache with php support - sendmail problems
I'm currently chrooting apache v2.043, php v4.3.0 and there is a problem with the sendmail part. I copied the required libraries and configuration files for sendmail to work properly. I also created a mque directory ... and well if I for instance do:
chroot /server/http /usr/sbin/sendmail -bd &
I can CONNECT to it and everything works ... I can send emails and they get in the /server/http/var/spool/mque directory ... so everything works just fine ... but with the php part it doesn't work. The mail-function doesn't put ANYTHING in the mail spool ... and since sendmail itself is running with the above chroot command and works I'm out of ideas ... I double checked everything I could think of already. Anybody out for help ? |
Permissions? Is PHP allowed to do $fp popen('/usr/sbin/sendmail etc, etc? Doesn't sendmail accept because of missing parameters/wrong user? Anything in the logfiles? Are you running Apache + PHP + Sendmail in the same chroot (stupid question, I know)?
|
First of all Apache and sendmail are of course in the same chroot ... otherwise all of this wouldn't make any sense :-)
You know what I will do now? I will set up all of this AGAIN and be very careful before doing something. I mean this won't be limited to just the sendmail part, just with everything. I will check the permissions, etc ... I will make a short doc how I set everything up and post that here ... The thing is the exact same configuration works if you run it without the chroot ... so basically it should work :-) |
Say, if you tar -cjf the whole chroot, how large would that be? Just being curious if it's portable :-]
|
Just the tar would be about 20 MB without compression ... I bet with bz2 compression about 5-6 MB. I will do that once I set up everything again ...
|
Okay since I wanted to document things a bit here is like I started ... like the compile process of Apache v2.0.44:
Code:
export CFLAGS="-O2 -march=i586 -DDEFAULT_SERVER_LIMIT=1024"
Afterwards I built PHP like that:
Code:
export CFLAGS="-O2 -march=i586"
This gives me a basic configuration ... optimized for the things I really will need :-) So the httpd.conf is following (if apache is NOT chrooted):
Code:
# Apache v2.0.44 configuration
An example of a virtual host would be (conf/virtual_hosts/http/active):
Code:
# ------------------------------------------------------------------------
And lastly the php configuration:
Code:
[PHP] |
Running this configuration EVERYTHING works fine! Mailing, etc. Now I will document a bit how I chrooted Apache ...
1. checking which files (for this step I will ignore the libraries) are required by the httpd process:
ps auxw | grep httpd
lsof -p <httpd_pids>
/dev/zero
/dev/null
the log files as defined in httpd.conf, etc
2. determining the libraries needed for httpd and libphp.so
httpd:
Code:
/server/http/binary/sbin/httpd:
mkdir server
ln -s ../ server/http
mkdir dev
/dev/MAKEDEV -d /server/http/dev null
/dev/MAKEDEV -d /server/http/dev zero
/dev/MAKEDEV -d /server/http/dev urandom
mkdir var/run/ -p
mkdir var/empty -p
mkdir etc
cat /etc/passwd | grep nobody > /server/http/etc/passwd
cat /etc/group | grep nogroup > /server/http/etc/group
cat /etc/group | grep www >> /server/http/etc/group
chroot /server/http /binary/sbin/httpd
gives warning about not being able to determine fully qualified name (needs /etc/hosts and /etc/resolv.conf)
mkdir tmp
chmod 777 tmp
chmod +t tmp
now everything works except database connect ... seems like there's missing something for that ... and mail of course ... probably it's not worth being chrooted ... |
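The dependency check from steps 1 and 2 above, as an added example that is not part of the original thread: it parses `ldd` output and reports which libraries and fixed files are absent under the jail. The function names, the sample `ldd` output and the fixed file list are assumptions constructed for illustration; /bin/sh is on the list because popen(3), which an earlier reply asks about, runs its command through `/bin/sh -c`. It assumes libraries sit at the same paths inside the jail as on the host.

```shell
#!/bin/sh
# Added example (not from the thread): audit a chroot jail for missing files.

# Constructed sample of `ldd` output, in the format ldd prints per binary.
sample_ldd() {
    printf '%s\n' '/server/http/binary/sbin/httpd:' \
        '    linux-gate.so.1 =>  (0xffffe000)' \
        '    libc.so.6 => /lib/libc.so.6 (0x40020000)' \
        '    libm.so.6 => /lib/libm.so.6 (0x40150000)' \
        '    libexpat.so.0 => not found' \
        '    /lib/ld-linux.so.2 (0x40000000)'
}

# Turn ldd output (stdin) into absolute library paths, one per line.
# Skips "file:" headers and virtual objects; flags "not found" entries.
ldd_paths() {
    awk '
        /:$/                     { next }
        /=> not found/           { print "UNRESOLVED:" $1; next }
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Read paths on stdin; print every one that does not exist under jail $1.
missing_in_jail() {
    jail=$1
    while IFS= read -r p; do
        case $p in
            UNRESOLVED:*) echo "$p" ;;
            /*) [ -e "$jail$p" ] || echo "$p" ;;
        esac
    done
}

# Audit libraries of each binary (paths as seen inside the jail) plus fixed
# files. /bin/sh is assumed relevant: popen(3) runs commands via /bin/sh -c.
audit_jail() {
    jail=$1; shift
    {
        for bin in "$@"; do
            ldd "$jail$bin" 2>/dev/null | ldd_paths
        done
        printf '%s\n' /dev/null /dev/zero /etc/passwd /etc/group /etc/hosts /etc/resolv.conf /tmp /bin/sh
    } | sort -u | missing_in_jail "$jail"
}

# Usage: sh audit.sh /server/http /binary/sbin/httpd /usr/sbin/sendmail
if [ "$#" -ge 2 ]; then audit_jail "$@"; fi
```

An empty result means every listed dependency exists inside the jail; each printed path is something the jailed process would fail to open.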
Damn, you'll be Conan The Librarian if you don't stop documenting stuff that neatly :-]
Connect, wasn't that the /var/lib/mysql/mysql.sock outside the chroot? Socket dir 777 permission? For mail read your mail, maybe got a solution. |
Regarding MySQL it's chrooted itself in a different chroot path *g*. So either chroot it also to that path (which I don't like to do since the mysql chroot is kind of pretty secured set up and the apache chroot would be a bit more insecure I suppose) ... I'll download FreeBSD 5.0 now BTW :-)
I'm not a librarian :-P |
I get this error when I enter
"chmod 511 /server/http/binary/sbin/httpd"
ERROR: chmod: failed to get attributes of `/server/http/binary/sbin/httpd': No such file or directory
I can't find the "server" dir anywhere... :(
*EDIT* Looks like I got around it, and right now I'm doing the install of PHP. I "of course" had to modify the locations to the different files and where the conf file was, but I think I got it now! GREAT WORK on the write-up! Thanx! |