LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   chrooting apache with php support - sendmail problems (https://www.linuxquestions.org/questions/linux-security-4/chrooting-apache-with-php-support-sendmail-problems-42005/)

markus1982 01-19-2003 06:33 AM

chrooting apache with php support - sendmail problems
 
I'm currently chrooting Apache v2.0.43 and PHP v4.3.0 and there is a problem with the sendmail part. I copied the required libraries and configuration files for sendmail to work properly. I also created a mque directory ... and well if I for instance do:

chroot /server/http /usr/sbin/sendmail -bd &

I can CONNECT to it and everything works ... I can send emails and they get in the /server/http/var/spool/mque directory ... so everything works just fine ... but with the php part it doesn't work. the mail-function doesn't put ANYTHING in the mail spool ... and since sendmail itself is running with the above chroot command and works I'm out of ideas ... I double checked everything I could think of already.

Anybody out for help ?

unSpawn 01-21-2003 10:56 AM

Permissions? Is PHP allowed to do $fp popen('/usr/sbin/sendmail etc, etc? Doesn't sendmail accept because of missing parameters/wrong user? Anything in the logfiles? Are you running Apache + PHP + Sendmail in the same chroot (stupid question, I know)?

markus1982 01-21-2003 11:06 AM

First of all Apache and sendmail are of course in the same chroot ... otherwise all of this wouldn't make any sense :-)

You know what I will do now? I will set up all of this AGAIN and be very careful before doing anything. I mean this won't be limited to just the sendmail part but to everything. I will check the permissions, etc ... I will write a short doc on how I set everything up and post that here ...


The thing is the exactly same configuration works if you run it without the chroot ... so basically it should work :-)

unSpawn 01-21-2003 11:19 AM

Say, if you tar -cjf the whole chroot, how large would that be? Just being curious if it's portable :-]

markus1982 01-21-2003 11:23 AM

Just the tar would be about 20 MB without compression ... I bet with bz2 compression about 5-6 MB. I will do that once I set up everything again ...

markus1982 01-21-2003 11:32 AM

Okay, since I wanted to document things a bit, here is how I started, with the compile process of Apache v2.0.44:

Code:

export CFLAGS="-O2 -march=i586 -DDEFAULT_SERVER_LIMIT=1024"
./configure \
        --prefix=/server/http/binary \
        --bindir=/server/http/binary/bin \
        --datadir=/server/http/data \
        --libexecdir=/server/http/binary/modules \
        --mandir=/usr/share/man \
        --sbindir=/server/http/binary/sbin \
        --sysconfdir=/server/http/conf \
        --enable-access=shared \
        --enable-actions=shared \
        --enable-alias=shared \
        --disable-asis \
        --enable-auth=shared \
        --enable-auth-anon=shared \
        --enable-autoindex=shared \
        --enable-cgi=shared \
        --enable-cgid=shared \
        --disable-charset-lite \
        --enable-dir=shared \
        --enable-env=shared \
        --disable-imap \
        --enable-include=shared \
        --enable-log-config=shared \
        --enable-mime=shared \
        --enable-negotiation=shared \
        --enable-rewrite=shared \
        --enable-setenvif=shared \
        --enable-so \
        --enable-ssl=shared \
        --enable-status=shared \
        --enable-suexec \
        --disable-userdir \
        --enable-vhost-alias=shared \
        --enable-static-support=shared \
        --with-mpm=prefork \
        --with-ssl \
        --with-suexec \
        --with-suexec-bin=/server/binary/sbin \
        --with-suexec-caller=nobody \
        --with-suexec-docroot=/server/http/htdocs \
        --with-suexec-logfile=/server/http/logs/suexec.log \
        --with-suexec-uidmin=500 --with-suexec-gidmin=500 \
        --with-z
make
make install
chmod 511 /server/http/binary/sbin/httpd
strip /server/http/binary/bin/* /server/http/binary/sbin/* /server/http/binary/modules/*
rm -rf /server/http/binary/logs /server/http/conf /server/http/data/htdocs
cp -r /root/install/software/server/http/conf/ /server/http/conf
cp -p -r /server/http.old/htdocs /server/http
cp -p -r /server/http.old/logs /server/http
chmod 750 /server/http/htdocs -R


Afterwards I built PHP like that:
Code:

export CFLAGS="-O2 -march=i586"
./configure \
        --prefix=/server/http/binary \
        --enable-bcmath \
        --enable-calendar \
        --disable-debug \
        --enable-dio \
        --enable-discard-path \
        --enable-force-cgi-redirect \
        --enable-fast-cgi \
        --enable-gd-native-ttf \
        --enable-inline-optimization \
        --enable-magic-quotes \
        --enable-memory-limit \
        --disable-path-info-check \
        --disable-posix \
        --disable-rpath \
        --enable-safe-mode \
        --enable-sysvsem \
        --enable-sysvshm \
        --enable-track-vars \
        --with-mysql=/usr \
        --with-mysql-sock=/tmp/mysql.sock \
        --with-openssl \
        --with-pic \
        --with-xml \
        --with-apxs2=/server/http/binary/sbin/apxs \
        --with-config-file-path=/server/http/conf
make
make install
strip /server/http/binary/bin/* /server/http/binary/sbin/* /server/http/binary/modules/*


This gives me a basic configuration ... optimized for the things I really will need :-)


So the httpd.conf is following (if apache is NOT chrooted):
Code:

# Apache v2.0.44 configuration
# ========================================================================
# SECTION 01:        GLOBAL CONFIGURATION
# ========================================================================
ServerAdmin                root@localhost
ServerRoot                /server/http
ServerSignature                EMail

ErrorLog                logs/error.log
LogLevel                warn
Listen                        80
Listen                        443
PidFile                        /var/run/apache.pid
ExtendedStatus                On

AddDefaultCharset        ISO-8859-1
DefaultType                text/plain


        # ----------------------------------------------------------------
        # error pages in different languages
        # ----------------------------------------------------------------
        Alias /error/ "/server/http/data/error/"

                <Directory "/server/http/data/error">
                        AddHandler                type-map var
                        AddOutputFilter                Includes html
                        AllowOverride                None
                        ForceLanguagePriority        Prefer Fallback
                        LanguagePriority        de en es fr it nl sv
                        Options                        IncludesNoExec
                        Order                        Allow,Deny
                        Allow                        from All
                </Directory>

        ErrorDocument        400        /error/HTTP_BAD_REQUEST.html.var
        ErrorDocument        401        /error/HTTP_UNAUTHORIZED.html.var
        ErrorDocument        403        /error/HTTP_FORBIDDEN.html.var
        ErrorDocument        404        /error/HTTP_NOT_FOUND.html.var
        ErrorDocument        405        /error/HTTP_METHOD_NOT_ALLOWED.html.var
        ErrorDocument        408        /error/HTTP_REQUEST_TIME_OUT.html.var
        ErrorDocument        410        /error/HTTP_GONE.html.var
        ErrorDocument        411        /error/HTTP_LENGTH_REQUIRED.html.var
        ErrorDocument        412        /error/HTTP_PRECONDITION_FAILED.html.var
        ErrorDocument        413        /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
        ErrorDocument        414        /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
        ErrorDocument        415        /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
        ErrorDocument        500        /error/HTTP_INTERNAL_SERVER_ERROR.html.var
        ErrorDocument        501        /error/HTTP_NOT_IMPLEMENTED.html.var
        ErrorDocument        502        /error/HTTP_BAD_GATEWAY.html.var
        ErrorDocument        503        /error/HTTP_SERVICE_UNAVAILABLE.html.var
        ErrorDocument        506        /error/HTTP_VARIANT_ALSO_VARIES.html.var
        # ----------------------------------------------------------------


        # ----------------------------------------------------------------
        # modules - dynamic shared objects (DSO)
        # ----------------------------------------------------------------
        LoadModule access_module        binary/modules/mod_access.so
        LoadModule actions_module        binary/modules/mod_actions.so
        LoadModule alias_module                binary/modules/mod_alias.so
        LoadModule auth_anon_module        binary/modules/mod_auth_anon.so
        LoadModule auth_module                binary/modules/mod_auth.so
        LoadModule autoindex_module        binary/modules/mod_autoindex.so
        LoadModule cgi_module                binary/modules/mod_cgi.so
        LoadModule cgid_module                binary/modules/mod_cgid.so
        LoadModule dir_module                binary/modules/mod_dir.so
        LoadModule env_module                binary/modules/mod_env.so
        LoadModule include_module        binary/modules/mod_include.so
        LoadModule log_config_module        binary/modules/mod_log_config.so
        LoadModule mime_module                binary/modules/mod_mime.so
        LoadModule negotiation_module        binary/modules/mod_negotiation.so
        LoadModule php4_module                binary/modules/libphp4.so
        LoadModule rewrite_module        binary/modules/mod_rewrite.so
        LoadModule setenvif_module        binary/modules/mod_setenvif.so
        LoadModule ssl_module                binary/modules/mod_ssl.so
        LoadModule status_module        binary/modules/mod_status.so
        LoadModule vhost_alias_module        binary/modules/mod_vhost_alias.so
        # ----------------------------------------------------------------


        # ----------------------------------------------------------------
        # performance features
        # ----------------------------------------------------------------
        MaxKeepAliveRequests        000
        KeepAlive                On
        KeepAliveTimeout        010
        TimeOut                        120

                <IfModule prefork.c>
                        MaxClients                0512
                        MaxRequestsPerChild        0000
                        MaxSpareServers                0010
                        MinSpareServers                0005
                        ServerLimit                1024
                        StartServers                0005
                </IfModule>


                <IfModule mod_dir.c>
                        DirectoryIndex                index.html index.htm index.php
                </IfModule>

        HostnameLookups                Off
        UseCanonicalName        Off
        # ----------------------------------------------------------------


        # ----------------------------------------------------------------
        # security features
        # ----------------------------------------------------------------
#        ServerTokens                ProductOnly
        ServerTokens                Full

        User                        nobody
        Group                        www


                # --------------------------------------------------------
                # very restrictive default directory settings
                # --------------------------------------------------------
                <Directory />
                        AllowOverride                None
                        Options                        None
                        Order                        Deny,Allow
                        Deny                        from All
                </Directory>
                # --------------------------------------------------------


                # --------------------------------------------------------
                # do not let anybody view .ht* files (.htaccess, etc)
                # --------------------------------------------------------
                <Files ~ "^\.ht">
                        Order                        Deny,Allow
                        Deny                        from All
                </Files>
                # --------------------------------------------------------


                # --------------------------------------------------------
                # general SSL configuration
                # --------------------------------------------------------
                <IfModule mod_ssl.c>
                        SSLMutex                sem
                        SSLPassPhraseDialog        builtin
                        SSLSessionCache                none
                        SSLSessionCacheTimeout        300
                        SSLRandomSeed startup        file:/dev/urandom 1024
                        SSLRandomSeed connect        file:/dev/urandom 1024
                </IfModule>
                # --------------------------------------------------------
        # ----------------------------------------------------------------




<IfModule mod_alias.c>
        # ----------------------------------------------------------------
        # icons (for directory listing)
        # ----------------------------------------------------------------
        Alias /icons/        "/server/http/data/icons/"
        <Directory "/server/http/data/icons">
                AllowOverride None
                Options Indexes MultiViews
                Order allow,deny
                Allow from all
        </Directory>
        # ----------------------------------------------------------------
</IfModule>



<IfModule mod_autoindex.c>
        IndexOptions                FancyIndexing versionSort
        IndexIgnore                .??* *~ *# HEADER* README* RCS CVS *,v *,t

        # ----------------------------------------------------------------
        # icons for the different file types
        # ----------------------------------------------------------------
        AddIconByEncoding        (CMP,/icons/compressed.gif)        x-compress x-gzip

        AddIconByType                (TXT,/icons/text.gif)                text/*
        AddIconByType                (IMG,/icons/image2.gif)                image/*
        AddIconByType                (SND,/icons/sound2.gif)                audio/*
        AddIconByType                (VID,/icons/movie.gif)                video/*

        AddIcon                        /icons/binary.gif                .bin .exe
        AddIcon                        /icons/binhex.gif                .hqx
        AddIcon                        /icons/tar.gif                        .tar
        AddIcon                        /icons/world2.gif                .wrl .wrl.gz .vrml .vrm .iv
        AddIcon                        /icons/compressed.gif                .Z .z .tgz .gz .zip
        AddIcon                        /icons/a.gif                        .ps .ai .eps
        AddIcon                        /icons/layout.gif                .html .shtml .htm .pdf
        AddIcon                        /icons/text.gif                        .txt
        AddIcon                        /icons/c.gif                        .c
        AddIcon                        /icons/p.gif                        .pl .py
        AddIcon                        /icons/f.gif                        .for
        AddIcon                        /icons/dvi.gif                        .dvi
        AddIcon                        /icons/uuencoded.gif                .uu
        AddIcon                        /icons/script.gif                .conf .sh .shar .csh .ksh .tcl
        AddIcon                        /icons/tex.gif                        .tex
        AddIcon                        /icons/bomb.gif                        core

        AddIcon                        /icons/back.gif                        ..
        AddIcon                        /icons/hand.right.gif                README
        AddIcon                        /icons/folder.gif                ^^DIRECTORY^^
        AddIcon                        /icons/blank.gif                ^^BLANKICON^^

        DefaultIcon                /icons/unknown.gif
        # ----------------------------------------------------------------
</IfModule>



<IfModule mod_cgid.c>
        ScriptSock        logs/cgi.sock
</IfModule>



<IfModule mod_log_config.c>
        LogFormat        "%{User-agent}i" agent
        LogFormat        "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat        "%h %l %u %t \"%r\" %>s %b" common
        LogFormat        "%{Referer}i -> %U" referer
        LogFormat        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ssl_request
</IfModule>



<IfModule mod_mime.c>
        # ----------------------------------------------------------------
        # language configuration
        # ----------------------------------------------------------------
        AddLanguage        ca        .ca
        AddLanguage        cz        .cz
        AddLanguage        da        .dk
        AddLanguage        de        .de
        AddLanguage        el        .el
        AddLanguage        en        .en
        AddLanguage        es        .es
        AddLanguage        et        .et
        AddLanguage        fr        .fr
        AddLanguage        he        .he
        AddLanguage        hr        .hr
        AddLanguage        it        .it
        AddLanguage        ja        .ja
        AddLanguage        ko        .ko
        AddLanguage        ltz        .ltz
        AddLanguage        nl        .nl
        AddLanguage        nn        .nn
        AddLanguage        no        .no
        AddLanguage        pl        .po
        AddLanguage        pt        .pt
        AddLanguage        pt-br        .pt-br
        AddLanguage        ru        .ru
        AddLanguage        sv        .se
        AddLanguage        tw        .tw
        AddLanguage        zh-tw        .tw

        LanguagePriority        de en es fr da nl et el it ja ko no pl pt pt-br ltz ca sv tw
        ForceLanguagePriority        Prefer Fallback
        # ----------------------------------------------------------------


        # ----------------------------------------------------------------
        # mime types
        # ----------------------------------------------------------------
        TypesConfig        conf/mime.types

        AddEncoding        x-compress                        Z
        AddEncoding        x-gzip                                gz tgz

        AddType                application/x-httpd-php                .php
        AddType                application/x-httpd-php-source        .phps
        AddType                application/x-tar                .tgz
        AddType                image/x-icon                        .ico
        # ----------------------------------------------------------------
</IfModule>



<IfModule mod_mime_magic.c>
        MIMEMagicFile        conf/magic
</IfModule>



<IfModule mod_setenvif.c>
        BrowserMatch        "Java/1\.0" force-response-1.0
        BrowserMatch        "JDK/1\.0" force-response-1.0
        BrowserMatch        "Microsoft Data Access Internet Publishing Provider" redirect-carefully
        BrowserMatch        "Mozilla/2" nokeepalive
        BrowserMatch        "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
        BrowserMatch        "RealPlayer 4\.0" force-response-1.0
        BrowserMatch        "^WebDAVFS/1.[012]" redirect-carefully
        BrowserMatch        "^WebDrive" redirect-carefully
</IfModule>



<IfModule mod_status.c>
        <Location /server-status>
                SetHandler        server-status
                Order                Deny,Allow
                Deny                from All
                Allow                from 192.168.84.0/24
        </Location>
</IfModule>
# ========================================================================





# ========================================================================
# SECTION 02:        CONFIGURATION OF THE VIRTUAL HOSTS
# ========================================================================

        # ----------------------------------------------------------------
        # HTTP
        # ----------------------------------------------------------------

                # --------------------------------------------------------
                # Name-based virtual hosts
                # --------------------------------------------------------
                NameVirtualHost 192.168.84.254:80
                # --------------------------------------------------------

        Include conf/virtual_hosts/http/active
        # ----------------------------------------------------------------


        # ----------------------------------------------------------------
        # HTTPS
        # ----------------------------------------------------------------
        <IfModule mod_ssl.c>
                Include conf/virtual_hosts/https/active
        </IfModule>
        # ----------------------------------------------------------------
# ========================================================================


An example of a virtual host would be (conf/virtual_hosts/http/active):
Code:

# ------------------------------------------------------------------------
# VIRTUAL HOST CONFIGURATION FOR example.com
# ------------------------------------------------------------------------
<VirtualHost 192.168.84.254:80>
        ServerAdmin                webmaster@example.com
        ServerName                www.example.com
        ScriptAlias                /cgi-bin/        /server/http/htdocs/virtual_hosts/www.example.com/cgi-bin/
        SuexecUserGroup                www.example.com nogroup

        <Location />
                php_admin_value doc_root                "/server/http/htdocs/virtual_hosts/www.example.com/"
                php_admin_value        open_basedir        "/server/http/htdocs/virtual_hosts/www.example.com/:/server/http/binary/lib/php/"
        </Location>

        DocumentRoot                /server/http/htdocs/virtual_hosts/www.example.com
        CustomLog                logs/virtual_hosts/www.example.com/access.log combined
        ErrorLog                logs/virtual_hosts/www.example.com/error.log
</VirtualHost>

<Directory /server/http/htdocs/virtual_hosts/www.example.com>
        Order                        Allow,Deny
        Allow                        from All
</Directory>
# ------------------------------------------------------------------------

And lastly the PHP configuration (only the items I changed):
Code:

[PHP]

; Options have been set keeping security in mind
; Check http://www.openna.com/documentations.../php/index.php
; for more information

...

;
; Safe Mode
;
safe_mode = On

; By default, Safe Mode does a UID compare check when
; opening files. If you want to relax this to a GID compare,
; then turn on safe_mode_gid.
safe_mode_gid = Off

; When safe_mode is on, UID/GID checks are bypassed when
; including files from this directory and its subdirectories.
; (directory must also be in include_path or full path must
; be used when including)
safe_mode_include_dir =        "/server/http/binary/share/pear"

; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.
safe_mode_exec_dir = "/var/empty/"

; Setting certain environment variables may be a potential security breach.
; This directive contains a comma-delimited list of prefixes.  In Safe Mode,
; the user may only alter environment variables whose names begin with the
; prefixes supplied here.  By default, users will only be able to set
; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
;
; Note:  If this directive is empty, PHP will let the user modify ANY
; environment variable!
safe_mode_allowed_env_vars = PHP_

; This directive contains a comma-delimited list of environment variables that
; the end user won't be able to change using putenv().  These variables will be
; protected even if safe_mode_allowed_env_vars is set to allow to change them.
safe_mode_protected_env_vars = LD_LIBRARY_PATH

; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
open_basedir = "/server/http/binary/share/pear:/server/http/htdocs/virtual_hosts/"

register_globals = Off

...

;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;

; UNIX: "/path1:/path2" 
;include_path = ".:/php/includes"
include_path = "/server/http/binary/lib/php/"
;
; Windows: "\path1;\path2"
;include_path = ".;c:\php\includes"

; The root of the PHP pages, used only if nonempty.
; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
; if you are running php as a CGI under any web server (other than IIS)
; see documentation for security issues.  The alternate is to use the
; cgi.force_redirect configuration below
doc_root = "/server/http/htdocs/virtual_hosts/"

; The directory under which PHP opens the script using /~username, used only
; if nonempty.
user_dir =

; Directory in which the loadable extensions (modules) reside.
extension_dir = ./

; Whether or not to enable the dl() function.  The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
; disabled on them.
enable_dl = Off

; cgi.force_redirect is necessary to provide security running PHP as a CGI under
; most web servers.  Left undefined, PHP turns this on by default.  You can
; turn it off here AT YOUR OWN RISK
; **You CAN safely turn this off for IIS, in fact, you MUST.**
; cgi.force_redirect = 1

; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
; will look for to know it is OK to continue execution.  Setting this variable MAY
; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
; cgi.redirect_status_env = ;

; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
; security tokens of the calling client.  This allows IIS to define the
; security context that the request runs under.  mod_fastcgi under Apache
; does not currently support this feature (03/17/2002)
; Set to 1 if running under IIS.  Default is zero.
; fastcgi.impersonate = 1;

; cgi.rfc2616_headers configuration option tells PHP what type of headers to
; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
; is supported by Apache. When this option is set to 1 PHP will send
; RFC2616 compliant header.
; Set to 1 if running under IIS.  Default is zero.
;cgi.rfc2616_headers = 0


...
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On

; Define the anonymous ftp password (your email address)
;from="john@doe.com"

; Define the user agent for php to send
;user_agent="PHP"

; Default timeout for socket based streams (seconds)
default_socket_timeout = 60

; If your scripts have to deal with files from Macintosh systems,
; or you are running on a Mac and need to deal with files from
; unix or win32 systems, setting this flag will cause PHP to
; automatically detect the EOL character in those files so that
; fgets() and file() will work regardless of the source of the file.
; auto_detect_line_endings = Off


...

[mail function]
; For Win32 only.
SMTP = localhost

; For Win32 only.
sendmail_from = me@localhost.com

; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
;sendmail_path =

...

[MySQL]
; Allow or prevent persistent links.
mysql.allow_persistent = Off

; Maximum number of persistent links.  -1 means no limit.
mysql.max_persistent = -1

; Maximum number of links (persistent + non-persistent).  -1 means no limit.
mysql.max_links = -1

; Default port number for mysql_connect().  If unset, mysql_connect() will use
; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
; compile-time value defined MYSQL_PORT (in that order).  Win32 will only look
; at MYSQL_PORT.
mysql.default_port =

; Default socket name for local MySQL connects.  If empty, uses the built-in
; MySQL defaults.
mysql.default_socket = /tmp/mysql.sock

; Default host for mysql_connect() (doesn't apply in safe mode).
mysql.default_host =

; Default user for mysql_connect() (doesn't apply in safe mode).
mysql.default_user =

; Default password for mysql_connect() (doesn't apply in safe mode).
; Note that this is generally a *bad* idea to store passwords in this file.
; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password")
; and reveal this password!  And of course, any users with read access to this
; file will be able to reveal the password as well.
mysql.default_password =

; Maximum time (in seconds) for connect timeout. -1 means no limit
mysql.connect_timeout = -1

; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
; SQL errors will be displayed.
mysql.trace_mode = Off


markus1982 01-21-2003 12:17 PM

Running this configuration EVERYTHING works fine! Mailing, etc. Now I will document a bit how I chrooted Apache ...

1. checking which files (for this step i will ignore the libraries) are required by the httpd process:
ps auxw | grep httpd
lsof -p <httpd_pids>

/dev/zero
/dev/null

the log files as defined in httpd.conf, etc

2. determining the libraries needed for httpd and libphp.so

httpd:
Code:

/server/http/binary/sbin/httpd:
        libssl.so.2 => /lib/libssl.so.2 (0x43857000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x43888000)
        libaprutil-0.so.0 => /server/http/binary/lib/libaprutil-0.so.0 (0x4395c000)
        libexpat.so.0 => /server/http/binary/lib/libexpat.so.0 (0x43970000)
        libapr-0.so.0 => /server/http/binary/lib/libapr-0.so.0 (0x4398c000)
        libm.so.6 => /lib/i686/libm.so.6 (0x439a9000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x439cb000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x439f9000)
        libdl.so.2 => /lib/libdl.so.2 (0x43a0e000)
        libpthread.so.0 => /lib/i686/libpthread.so.0 (0x43a11000)
        libc.so.6 => /lib/i686/libc.so.6 (0x43a41000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x43841000)

/server/http/binary/modules/libphp4.so:
        libmysqlclient.so.12 => /usr/lib/libmysqlclient.so.12 (0x4dd43000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4dd7b000)
        libssl.so.2 => /lib/libssl.so.2 (0x4dda8000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x4ddd8000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4deac000)
        libm.so.6 => /lib/i686/libm.so.6 (0x4debe000)
        libdl.so.2 => /lib/libdl.so.2 (0x4dee0000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4dee4000)
        libc.so.6 => /lib/i686/libc.so.6 (0x4def9000)
        libz.so.1 => /usr/lib/libz.so.1 (0x4e028000)
        libnss_files.so.2 => /lib/libnss_files.so.2 (0x4e036000)
        libnss_dns.so.2 => /lib/libnss_dns.so.2 (0x4e040000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x15cb0000)

copying the required libraries ...


mkdir server
ln -s ../ server/http


mkdir dev
/dev/MAKEDEV -d /server/http/dev null
/dev/MAKEDEV -d /server/http/dev zero
/dev/MAKEDEV -d /server/http/dev urandom

mkdir var/run/ -p
mkdir var/empty -p

mkdir etc
cat /etc/passwd | grep nobody > /server/http/etc/passwd
cat /etc/group | grep nogroup > /server/http/etc/group
cat /etc/group | grep www >> /server/http/etc/group


chroot /server/http /binary/sbin/httpd

gives a warning about not being able to determine the fully qualified name (needs /etc/hosts and /etc/resolv.conf)


mkdir tmp
chmod 777 tmp
chmod +t tmp


now everything works except database connect ... seems like something is missing for that ... and mail of course ... probably it's not worth being chrooted ...
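The "copying the required libraries ..." step above is left unexpanded in the post. The following is an added example, not code from the thread or any of its posters, that does that step with ldd and also lists what PHP's mail() needs inside the jail: on Unix, mail() hands the message to sendmail via popen(), which execs /bin/sh, so the shell, the sendmail binary and their libraries must all be under /server/http too. Paths follow the thread; the function names (ldd_paths, populate_chroot, count_missing) and the sample ldd output are chosen here.

```sh
#!/bin/sh
# Added example (not from the thread): helpers for populating and checking a
# chroot such as /server/http. Given a chroot root and a list of programs,
# they parse ldd output, copy each program plus every library it loads into
# the chroot under the same path, and report which files are still missing.

# Turn ldd output (stdin) into one absolute library path per line.
# Handles both "libssl.so.2 => /lib/libssl.so.2 (0x...)" and the bare
# "/lib/ld-linux.so.2 (0x...)" form, and skips entries without a file
# such as "linux-gate.so.1 => (0x...)".
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | LC_ALL=C sort -u
}

# Copy one file to the same path under $1, creating parent directories and
# keeping mode/timestamps (-p); symlinked libraries are dereferenced (-L).
install_into_chroot() {
    root=$1; f=$2
    mkdir -p "$root$(dirname "$f")"
    cp -pL "$f" "$root$f"
}

# Copy every program given in "$@" and all libraries ldd resolves for it.
# Needs a working ldd on the host; nothing here runs just by sourcing.
populate_chroot() {
    root=$1; shift
    for prog in "$@"; do
        install_into_chroot "$root" "$prog"
        ldd "$prog" | ldd_paths | while read -r lib; do
            install_into_chroot "$root" "$lib"
        done
    done
}

# Print the number of paths from "$@" that do not exist under $1, and list
# each missing one on stderr so the gap can be fixed before retrying mail().
count_missing() {
    root=$1; shift
    n=0
    for f in "$@"; do
        if [ ! -e "$root$f" ]; then
            echo "missing: $root$f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed ldd output (shortened from the thread's httpd listing) so the
# parser can be exercised offline without a real chroot.
SAMPLE_LDD='        libssl.so.2 => /lib/libssl.so.2 (0x43857000)
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/i686/libc.so.6 (0x43a41000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x43841000)'

# Files PHP's mail() needs inside the jail besides libphp4.so itself: the
# shell that popen() execs, the sendmail binary from sendmail_path, and the
# name-resolution files the post already found httpd asking for.
MAIL_NEEDS='/bin/sh /usr/sbin/sendmail /etc/hosts /etc/resolv.conf'

# Usage on a real host, e.g.:
#   populate_chroot /server/http /bin/sh /usr/sbin/sendmail
#   count_missing   /server/http $MAIL_NEEDS
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LDD" | ldd_paths
fi
```

Run with `--demo` to see the parsed library list for the constructed sample; the dlopen'ed NSS modules (libnss_files, libnss_dns) do not show up in ldd of httpd and must be added by hand, as the post's ldd of libphp4.so shows.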

unSpawn 01-21-2003 12:34 PM

Damn, you'll be Conan The Librarian if you don't stop documenting stuff that neatly :-]
Connect, wasn't that the /var/lib/mysql/mysql.sock outside the chroot? Socket dir 777 permission? For mail read your mail, maybe got a solution.

markus1982 01-21-2003 01:09 PM

Regarding MySQL it's chrooted itself in a different chroot path *g*. So either chroot it also to that path (which I don't like to do since the mysql chroot is kind of pretty secured set up and the apache chroot would be a bit more insecure I suppose) ... I'll download FreeBSD 5.0 now BTW :-)

I'm not a librarian :-P

kernelphr34k 01-29-2003 05:13 AM

I get this error when I enter

"chmod 511 /server/http/binary/sbin/httpd"

ERROR:
chmod: failed to get attributes of `/server/http/binary/sbin/httpd': No such file or directory

I can't find the "server" dir anywhere... :(


*EDIT*

Looks like I got around it, and right now I'm doing the install of PHP. I "of course" had to modify the locations to the different files and where the conf file was, but I think I got it now!

GREAT WORK on the write-up!

Thanx!

