LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-19-2003, 06:33 AM   #1
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 45
chrooting apache with php support - sendmail problems


I'm currently chrooting apache v2.043, php v4.3.0 and there is a problem with the sendmail part. I copied the required libraries and configuration files for sendmail to work properly. I also created a mque directory ... and well if I for instance do:

chroot /server/http /usr/sbin/sendmail -bd &

I can CONNECT to it and everything works ... I can send emails and they get in the /server/http/var/spool/mque directory ... so everything works just fine ... but with the php part it doesn't work. the mail-function doesn't put ANYTHING in the mail spool ... and since sendmail itself is running with the above chroot command and works I'm out of ideas ... I double checked everything I could think of already.

Anybody out for help ?
 
Old 01-21-2003, 10:56 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Permissions? Is PHP allowed to do $fp popen('/usr/sbin/sendmail etc, etc? Doesn't sendmail accept because of missing parameters/wrong user? Anything in the logfiles? Are you running Apache + PHP + Sendmail in the same chroot (stupid question, I know)?
 
Old 01-21-2003, 11:06 AM   #3
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 45
First of all Apache and sendmail are of course in the same chroot ... otherwise all of this wouldn't make any sense :-)

You know what I will do now? I will set up all of this AGAIN and be very carefully before doing something. I mean this won't be limited to just the sendmail part just with everything. I will check the permissions, etc ... I will make a short doc how I set everything up and post that here ...


The thing is the exactly same configuration works if you run it without the chroot ... so basically it should work :-)
 
Old 01-21-2003, 11:19 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Say, if you tar -cjf the whole chroot, how large would that be? Just being curious if it's portable :-]
 
Old 01-21-2003, 11:23 AM   #5
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 45
Just the tar would be about 20 MB without compression ... I bet with bz2 compression about 5-6 MB. I will do that once I set up everything again ...
 
Old 01-21-2003, 11:32 AM   #6
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 45
Okay since I wanted to document things a bit here is like I started ... like the compile process of Apache v2.0.44:

Code:
export CFLAGS="-O2 -march=i586 -DDEFAULT_SERVER_LIMIT=1024"
./configure \
	--prefix=/server/http/binary \
	--bindir=/server/http/binary/bin \
	--datadir=/server/http/data \
	--libexecdir=/server/http/binary/modules \
	--mandir=/usr/share/man \
	--sbindir=/server/http/binary/sbin \
	--sysconfdir=/server/http/conf \
	--enable-access=shared \
	--enable-actions=shared \
	--enable-alias=shared \
	--disable-asis \
	--enable-auth=shared \
	--enable-auth-anon=shared \
	--enable-autoindex=shared \
	--enable-cgi=shared \
	--enable-cgid=shared \
	--disable-charset-lite \
	--enable-dir=shared \
	--enable-env=shared \
	--disable-imap \
	--enable-include=shared \
	--enable-log-config=shared \
	--enable-mime=shared \
	--enable-negotiation=shared \
	--enable-rewrite=shared \
	--enable-setenvif=shared \
	--enable-so \
	--enable-ssl=shared \
	--enable-status=shared \
	--enable-suexec \
	--disable-userdir \
	--enable-vhost-alias=shared \
	--enable-static-support=shared \
	--with-mpm=prefork \
	--with-ssl \
	--with-suexec \
	--with-suexec-bin=/server/binary/sbin \
	--with-suexec-caller=nobody \
	--with-suexec-docroot=/server/http/htdocs \
	--with-suexec-logfile=/server/http/logs/suexec.log \
	--with-suexec-uidmin=500 --with-suexec-gidmin=500 \
	--with-z
make
make install
chmod 511 /server/http/binary/sbin/httpd
strip /server/http/binary/bin/* /server/http/binary/sbin/* /server/http/binary/modules/*
rm -rf /server/http/binary/logs /server/http/conf /server/http/data/htdocs
cp -r /root/install/software/server/http/conf/ /server/http/conf
cp -p -r /server/http.old/htdocs /server/http
cp -p -r /server/http.old/logs /server/http
chmod 750 /server/http/htdocs -R

Afterwards I built PHP like that:
Code:
export CFLAGS="-O2 -march=i586"
./configure \
	--prefix=/server/http/binary \
	--enable-bcmath \
	--enable-calendar \
	--disable-debug \
	--enable-dio \
	--enable-discard-path \
	--enable-force-cgi-redirect \
	--enable-fast-cgi \
	--enable-gd-native-ttf \
	--enable-inline-optimization \
	--enable-magic-quotes \
	--enable-memory-limit \
	--disable-path-info-check \
	--disable-posix \
	--disable-rpath \
	--enable-safe-mode \
	--enable-sysvsem \
	--enable-sysvshm \
	--enable-track-vars \
	--with-mysql=/usr \
	--with-mysql-sock=/tmp/mysql.sock \
	--with-openssl \
	--with-pic \
	--with-xml \
	--with-apxs2=/server/http/binary/sbin/apxs \
	--with-config-file-path=/server/http/conf
make
make install
strip /server/http/binary/bin/* /server/http/binary/sbin/* /server/http/binary/modules/*

This gives me a basic configuration ... optimized for the things I really will need :-)


So the httpd.conf is following (if apache is NOT chrooted):
Code:
# Apache v2.0.44 configuration
# ========================================================================
# SECTION 01:	GLOBAL CONFIGURATION
# ========================================================================
ServerAdmin		root@localhost
ServerRoot		/server/http
ServerSignature		EMail

ErrorLog		logs/error.log
LogLevel		warn
Listen			80
Listen			443
PidFile			/var/run/apache.pid
ExtendedStatus		On

AddDefaultCharset	ISO-8859-1
DefaultType		text/plain


	# ----------------------------------------------------------------
	# error pages in different languages
	# ----------------------------------------------------------------
	Alias /error/ "/server/http/data/error/"

		<Directory "/server/http/data/error">
			AddHandler		type-map var
			AddOutputFilter		Includes html
			AllowOverride		None
			ForceLanguagePriority	Prefer Fallback
			LanguagePriority 	de en es fr it nl sv
			Options			IncludesNoExec
			Order			Allow,Deny
			Allow			from All
		</Directory>

	ErrorDocument	400	/error/HTTP_BAD_REQUEST.html.var
	ErrorDocument	401	/error/HTTP_UNAUTHORIZED.html.var
	ErrorDocument	403	/error/HTTP_FORBIDDEN.html.var
	ErrorDocument	404	/error/HTTP_NOT_FOUND.html.var
	ErrorDocument	405	/error/HTTP_METHOD_NOT_ALLOWED.html.var
	ErrorDocument	408	/error/HTTP_REQUEST_TIME_OUT.html.var
	ErrorDocument	410	/error/HTTP_GONE.html.var
	ErrorDocument	411	/error/HTTP_LENGTH_REQUIRED.html.var
	ErrorDocument	412	/error/HTTP_PRECONDITION_FAILED.html.var
	ErrorDocument	413	/error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
	ErrorDocument	414	/error/HTTP_REQUEST_URI_TOO_LARGE.html.var
	ErrorDocument	415	/error/HTTP_SERVICE_UNAVAILABLE.html.var
	ErrorDocument	500	/error/HTTP_INTERNAL_SERVER_ERROR.html.var
	ErrorDocument	501	/error/HTTP_NOT_IMPLEMENTED.html.var
	ErrorDocument	502	/error/HTTP_BAD_GATEWAY.html.var
	ErrorDocument	503	/error/HTTP_SERVICE_UNAVAILABLE.html.var
	ErrorDocument	506	/error/HTTP_VARIANT_ALSO_VARIES.html.var
	# ----------------------------------------------------------------


	# ----------------------------------------------------------------
	# modules - dynamic shared objects (DSO)
	# ----------------------------------------------------------------
	LoadModule access_module	binary/modules/mod_access.so
	LoadModule actions_module	binary/modules/mod_actions.so
	LoadModule alias_module		binary/modules/mod_alias.so
	LoadModule auth_anon_module	binary/modules/mod_auth_anon.so
	LoadModule auth_module		binary/modules/mod_auth.so
	LoadModule autoindex_module	binary/modules/mod_autoindex.so
	LoadModule cgi_module		binary/modules/mod_cgi.so
	LoadModule cgid_module		binary/modules/mod_cgid.so
	LoadModule dir_module		binary/modules/mod_dir.so
	LoadModule env_module		binary/modules/mod_env.so
	LoadModule include_module	binary/modules/mod_include.so
	LoadModule log_config_module	binary/modules/mod_log_config.so
	LoadModule mime_module		binary/modules/mod_mime.so
	LoadModule negotiation_module	binary/modules/mod_negotiation.so
	LoadModule php4_module		binary/modules/libphp4.so
	LoadModule rewrite_module	binary/modules/mod_rewrite.so
	LoadModule setenvif_module	binary/modules/mod_setenvif.so
	LoadModule ssl_module		binary/modules/mod_ssl.so
	LoadModule status_module	binary/modules/mod_status.so
	LoadModule vhost_alias_module	binary/modules/mod_vhost_alias.so
	# ----------------------------------------------------------------


	# ----------------------------------------------------------------
	# performance features
	# ----------------------------------------------------------------
	MaxKeepAliveRequests	000
	KeepAlive		On
	KeepAliveTimeout	010
	TimeOut			120

		<IfModule prefork.c>
			MaxClients		0512
			MaxRequestsPerChild	0000
			MaxSpareServers		0010
			MinSpareServers		0005
			ServerLimit		1024
			StartServers		0005
		</IfModule>


		<IfModule mod_dir.c>
			DirectoryIndex		index.html index.htm index.php
		</IfModule>

	HostnameLookups		Off
	UseCanonicalName	Off
	# ----------------------------------------------------------------


	# ----------------------------------------------------------------
	# security features
	# ----------------------------------------------------------------
#	ServerTokens		ProductOnly
	ServerTokens		Full

	User			nobody
	Group			www


		# --------------------------------------------------------
		# very restrictive default directory settings
		# --------------------------------------------------------
		<Directory />
			AllowOverride		None
			Options			None
			Order			Deny,Allow
			Deny			from All
		</Directory>
		# --------------------------------------------------------


		# --------------------------------------------------------
		# do not let anybody view .ht* files (.htaccess, etc)
		# --------------------------------------------------------
		<Files ~ "^\.ht"> 
			Order			Deny,Allow
			Deny			from All
		</Files>
		# --------------------------------------------------------


		# --------------------------------------------------------
		# general SSL configuration
		# --------------------------------------------------------
		<IfModule mod_ssl.c>
			SSLMutex		sem
			SSLPassPhraseDialog	builtin
			SSLSessionCache		none
			SSLSessionCacheTimeout	300
			SSLRandomSeed startup	file:/dev/urandom 1024
			SSLRandomSeed connect	file:/dev/urandom 1024
		</IfModule>
		# --------------------------------------------------------
	# ----------------------------------------------------------------




<IfModule mod_alias.c>
	# ----------------------------------------------------------------
	# icons (for directory listing)
	# ----------------------------------------------------------------
	Alias /icons/	"/server/http/data/icons/"
	<Directory "/server/http/data/icons">
		AllowOverride None
		Options Indexes MultiViews
		Order allow,deny
		Allow from all
	</Directory>
	# ----------------------------------------------------------------
</IfModule>



<IfModule mod_autoindex.c>
	IndexOptions		FancyIndexing versionSort
	IndexIgnore		.??* *~ *# HEADER* README* RCS CVS *,v *,t

	# ----------------------------------------------------------------
	# icons for the different file types
	# ----------------------------------------------------------------
	AddIconByEncoding	(CMP,/icons/compressed.gif)	x-compress x-gzip

	AddIconByType		(TXT,/icons/text.gif)		text/*
	AddIconByType		(IMG,/icons/image2.gif)		image/*
	AddIconByType		(SND,/icons/sound2.gif)		audio/*
	AddIconByType		(VID,/icons/movie.gif)		video/*

	AddIcon			/icons/binary.gif		.bin .exe
	AddIcon			/icons/binhex.gif		.hqx
	AddIcon			/icons/tar.gif			.tar
	AddIcon			/icons/world2.gif		.wrl .wrl.gz .vrml .vrm .iv
	AddIcon			/icons/compressed.gif		.Z .z .tgz .gz .zip
	AddIcon			/icons/a.gif			.ps .ai .eps
	AddIcon			/icons/layout.gif		.html .shtml .htm .pdf
	AddIcon			/icons/text.gif			.txt
	AddIcon			/icons/c.gif			.c
	AddIcon			/icons/p.gif			.pl .py
	AddIcon			/icons/f.gif			.for
	AddIcon			/icons/dvi.gif			.dvi
	AddIcon			/icons/uuencoded.gif		.uu
	AddIcon			/icons/script.gif		.conf .sh .shar .csh .ksh .tcl
	AddIcon			/icons/tex.gif			.tex
	AddIcon			/icons/bomb.gif			core

	AddIcon			/icons/back.gif			..
	AddIcon			/icons/hand.right.gif		README
	AddIcon			/icons/folder.gif		^^DIRECTORY^^
	AddIcon			/icons/blank.gif		^^BLANKICON^^

	DefaultIcon		/icons/unknown.gif
	# ----------------------------------------------------------------
</IfModule>



<IfModule mod_cgid.c>
	ScriptSock	logs/cgi.sock
</IfModule>



<IfModule mod_log_config.c>
	LogFormat	"%{User-agent}i" agent
	LogFormat	"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
	LogFormat	"%h %l %u %t \"%r\" %>s %b" common
	LogFormat	"%{Referer}i -> %U" referer
	LogFormat	"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ssl_request
</IfModule>



<IfModule mod_mime.c>
	# ----------------------------------------------------------------
	# language configuration
	# ----------------------------------------------------------------
	AddLanguage	ca	.ca
	AddLanguage	cz	.cz
	AddLanguage	da	.dk
	AddLanguage	de	.de
	AddLanguage	el	.el
	AddLanguage	en	.en
	AddLanguage	es	.es
	AddLanguage	et	.et
	AddLanguage	fr	.fr
	AddLanguage	he	.he
	AddLanguage	hr	.hr
	AddLanguage	it	.it
	AddLanguage	ja	.ja
	AddLanguage	ko	.ko
	AddLanguage	ltz	.ltz
	AddLanguage	nl	.nl
	AddLanguage	nn	.nn
	AddLanguage	no	.no
	AddLanguage	pl	.po
	AddLanguage	pt	.pt
	AddLanguage	pt-br	.pt-br
	AddLanguage	ru	.ru
	AddLanguage	sv	.se
	AddLanguage	tw	.tw
	AddLanguage	zh-tw	.tw

	LanguagePriority	de en es fr da nl et el it ja ko no pl pt pt-br ltz ca sv tw
	ForceLanguagePriority	Prefer Fallback
	# ----------------------------------------------------------------


	# ----------------------------------------------------------------
	# mime types
	# ----------------------------------------------------------------
	TypesConfig	conf/mime.types

	AddEncoding	x-compress			Z
	AddEncoding	x-gzip				gz tgz

	AddType		application/x-httpd-php		.php
	AddType		application/x-httpd-php-source	.phps
	AddType		application/x-tar		.tgz
	AddType		image/x-icon			.ico
	# ----------------------------------------------------------------
</IfModule>



<IfModule mod_mime_magic.c>
	MIMEMagicFile	conf/magic
</IfModule>



<IfModule mod_setenvif.c>
	BrowserMatch	"Java/1\.0" force-response-1.0
	BrowserMatch	"JDK/1\.0" force-response-1.0
	BrowserMatch	"Microsoft Data Access Internet Publishing Provider" redirect-carefully
	BrowserMatch	"Mozilla/2" nokeepalive
	BrowserMatch	"MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
	BrowserMatch	"RealPlayer 4\.0" force-response-1.0
	BrowserMatch	"^WebDAVFS/1.[012]" redirect-carefully
	BrowserMatch	"^WebDrive" redirect-carefully
</IfModule>



<IfModule mod_status.c>
	<Location /server-status>
		SetHandler	server-status
		Order		Deny,Allow
		Deny		from All
		Allow		from 192.168.84.0/24
	</Location>
</IfModule>
# ========================================================================





# ========================================================================
# SECTION 02:	CONFIGURATION OF THE VIRTUAL HOSTS
# ========================================================================

	# ----------------------------------------------------------------
	# HTTP
	# ----------------------------------------------------------------

		# --------------------------------------------------------
		# Name-based virtual hosts
		# --------------------------------------------------------
		NameVirtualHost 192.168.84.254:80
		# --------------------------------------------------------

	Include conf/virtual_hosts/http/active
	# ----------------------------------------------------------------


	# ----------------------------------------------------------------
	# HTTPS
	# ----------------------------------------------------------------
	<IfModule mod_ssl.c>
		Include conf/virtual_hosts/https/active
	</IfModule>
	# ----------------------------------------------------------------
# ========================================================================

An example of a virtual host would be (conf/virtual_hosts/http/active):
Code:
# ------------------------------------------------------------------------
# VIRTUAL HOST CONFIGURATION FOR example.com
# ------------------------------------------------------------------------
<VirtualHost 192.168.84.254:80>
	ServerAdmin		webmaster@example.com
	ServerName		www.example.com
	ScriptAlias		/cgi-bin/	/server/http/htdocs/virtual_hosts/www.example.com/cgi-bin/
	SuexecUserGroup		www.example.com nogroup

	<Location />
		php_admin_value doc_root		"/server/http/htdocs/virtual_hosts/www.example.com/"
		php_admin_value	open_basedir	"/server/http/htdocs/virtual_hosts/www.example.com/:/server/http/binary/lib/php/"
	</Location>

	DocumentRoot		/server/http/htdocs/virtual_hosts/www.example.com
	CustomLog		logs/virtual_hosts/www.example.com/access.log combined
	ErrorLog		logs/virtual_hosts/www.example.com/error.log
</VirtualHost>

<Directory /server/http/htdocs/virtual_hosts/www.example.com>
	Order			Allow,Deny
	Allow			from All
</Directory>
# ------------------------------------------------------------------------
PHP configuration items I changed:
And lastly the php configuration:
Code:
[PHP]

; Options have been set keeping security in mind
; Check http://www.openna.com/documentations.../php/index.php
; for more information

...

;
; Safe Mode
;
safe_mode = On

; By default, Safe Mode does a UID compare check when
; opening files. If you want to relax this to a GID compare,
; then turn on safe_mode_gid.
safe_mode_gid = Off

; When safe_mode is on, UID/GID checks are bypassed when
; including files from this directory and its subdirectories.
; (directory must also be in include_path or full path must
; be used when including)
safe_mode_include_dir =	"/server/http/binary/share/pear"

; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.
safe_mode_exec_dir = "/var/empty/"

; Setting certain environment variables may be a potential security breach.
; This directive contains a comma-delimited list of prefixes.  In Safe Mode,
; the user may only alter environment variables whose names begin with the
; prefixes supplied here.  By default, users will only be able to set
; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
;
; Note:  If this directive is empty, PHP will let the user modify ANY
; environment variable!
safe_mode_allowed_env_vars = PHP_

; This directive contains a comma-delimited list of environment variables that
; the end user won't be able to change using putenv().  These variables will be
; protected even if safe_mode_allowed_env_vars is set to allow to change them.
safe_mode_protected_env_vars = LD_LIBRARY_PATH

; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
open_basedir = "/server/http/binary/share/pear:/server/http/htdocs/virtual_hosts/"

register_globals = Off

...

;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;

; UNIX: "/path1:/path2"  
;include_path = ".:/php/includes"
include_path = "/server/http/binary/lib/php/"
;
; Windows: "\path1;\path2"
;include_path = ".;c:\php\includes"

; The root of the PHP pages, used only if nonempty.
; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
; if you are running php as a CGI under any web server (other than IIS)
; see documentation for security issues.  The alternate is to use the
; cgi.force_redirect configuration below
doc_root = "/server/http/htdocs/virtual_hosts/"

; The directory under which PHP opens the script using /~usernamem used only
; if nonempty.
user_dir =

; Directory in which the loadable extensions (modules) reside.
extension_dir = ./

; Whether or not to enable the dl() function.  The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
; disabled on them.
enable_dl = Off

; cgi.force_redirect is necessary to provide security running PHP as a CGI under
; most web servers.  Left undefined, PHP turns this on by default.  You can
; turn it off here AT YOUR OWN RISK
; **You CAN safely turn this off for IIS, in fact, you MUST.**
; cgi.force_redirect = 1

; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape 
; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
; will look for to know it is OK to continue execution.  Setting this variable MAY
; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
; cgi.redirect_status_env = ;

; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
; security tokens of the calling client.  This allows IIS to define the
; security context that the request runs under.  mod_fastcgi under Apache
; does not currently support this feature (03/17/2002)
; Set to 1 if running under IIS.  Default is zero.
; fastcgi.impersonate = 1;

; cgi.rfc2616_headers configuration option tells PHP what type of headers to
; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
; is supported by Apache. When this option is set to 1 PHP will send
; RFC2616 compliant header.
; Set to 1 if running under IIS.  Default is zero.
;cgi.rfc2616_headers = 0 


...
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On

; Define the anonymous ftp password (your email address)
;from="john@doe.com"

; Define the user agent for php to send
;user_agent="PHP"

; Default timeout for socket based streams (seconds)
default_socket_timeout = 60

; If your scripts have to deal with files from Macintosh systems,
; or you are running on a Mac and need to deal with files from
; unix or win32 systems, setting this flag will cause PHP to
; automatically detect the EOL character in those files so that
; fgets() and file() will work regardless of the source of the file.
; auto_detect_line_endings = Off


...

[mail function]
; For Win32 only.
SMTP = localhost

; For Win32 only.
sendmail_from = me@localhost.com

; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
;sendmail_path =

...

[MySQL]
; Allow or prevent persistent links.
mysql.allow_persistent = Off

; Maximum number of persistent links.  -1 means no limit.
mysql.max_persistent = -1

; Maximum number of links (persistent + non-persistent).  -1 means no limit.
mysql.max_links = -1

; Default port number for mysql_connect().  If unset, mysql_connect() will use
; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
; compile-time value defined MYSQL_PORT (in that order).  Win32 will only look
; at MYSQL_PORT.
mysql.default_port =

; Default socket name for local MySQL connects.  If empty, uses the built-in
; MySQL defaults.
mysql.default_socket = /tmp/mysql.sock

; Default host for mysql_connect() (doesn't apply in safe mode).
mysql.default_host = 

; Default user for mysql_connect() (doesn't apply in safe mode).
mysql.default_user =

; Default password for mysql_connect() (doesn't apply in safe mode).
; Note that this is generally a *bad* idea to store passwords in this file.
; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password")
; and reveal this password!  And of course, any users with read access to this
; file will be able to reveal the password as well.
mysql.default_password =

; Maximum time (in secondes) for connect timeout. -1 means no limimt
mysql.connect_timeout = -1

; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
; SQL-Erros will be displayed.
mysql.trace_mode = Off
 
Old 01-21-2003, 12:17 PM   #7
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 45
Running this configuration EVERYTHING works fine! Mailing, etc. Now I will document a bit how I chrooted Apache ...

1. checking which files (for this step i will ignore the libraries) are required by the httpd process:
ps auxw | grep httpd
lsof -p <httpd_pids>

/dev/zero
/dev/null

the log files as defined in httpd.conf, etc

2. determining the libraries needed for httpd and libphp.so

httpd:
Code:
/server/http/binary/sbin/httpd:
	libssl.so.2 => /lib/libssl.so.2 (0x43857000)
	libcrypto.so.2 => /lib/libcrypto.so.2 (0x43888000)
	libaprutil-0.so.0 => /server/http/binary/lib/libaprutil-0.so.0 (0x4395c000)
	libexpat.so.0 => /server/http/binary/lib/libexpat.so.0 (0x43970000)
	libapr-0.so.0 => /server/http/binary/lib/libapr-0.so.0 (0x4398c000)
	libm.so.6 => /lib/i686/libm.so.6 (0x439a9000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x439cb000)
	libnsl.so.1 => /lib/libnsl.so.1 (0x439f9000)
	libdl.so.2 => /lib/libdl.so.2 (0x43a0e000)
	libpthread.so.0 => /lib/i686/libpthread.so.0 (0x43a11000)
	libc.so.6 => /lib/i686/libc.so.6 (0x43a41000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x43841000)

/server/http/binary/modules/libphp4.so:
	libmysqlclient.so.12 => /usr/lib/libmysqlclient.so.12 (0x4dd43000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x4dd7b000)
	libssl.so.2 => /lib/libssl.so.2 (0x4dda8000)
	libcrypto.so.2 => /lib/libcrypto.so.2 (0x4ddd8000)
	libresolv.so.2 => /lib/libresolv.so.2 (0x4deac000)
	libm.so.6 => /lib/i686/libm.so.6 (0x4debe000)
	libdl.so.2 => /lib/libdl.so.2 (0x4dee0000)
	libnsl.so.1 => /lib/libnsl.so.1 (0x4dee4000)
	libc.so.6 => /lib/i686/libc.so.6 (0x4def9000)
	libz.so.1 => /usr/lib/libz.so.1 (0x4e028000)
	libnss_files.so.2 => /lib/libnss_files.so.2 (0x4e036000)
	libnss_dns.so.2 => /lib/libnss_dns.so.2 (0x4e040000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x15cb0000)
copying the required libraries ...


mkdir server
ln -s ../ server/http


mkdir dev
/dev/MAKEDEV -d /server/http/dev null
/dev/MAKEDEV -d /server/http/dev zero
/dev/MAKEDEV -d /server/http/dev urandom

mkdir var/run/ -p
mkdir var/empty -p

mkdir etc
cat /etc/passwd | grep nobody > /server/http/etc/passwd
cat /etc/group | grep nogroup > /server/http/etc/group
cat /etc/group | grep www >> /server/http/etc/group


chroot /server/http /binary/sbin/httpd

gives warning about not being able to determin fully qualified name (needs /etc/hosts and /etc/resolv.conf)


mkdir tmp
chmod 777 tmp
chmod +t tmp


now everything works except database connect ... seems like there's missing something for that ... and mail of course ... probably it's not worth being chrooted ...
 
Old 01-21-2003, 12:34 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
Damm, you'll be Conan The Librarian if you don't stop documenting stuff that neatly :-]
Connect, wasn't that the /var/lib/mysql/mysql.sock outside the chroot? Socket dir 777 permission? For mail read your mail, maybe got a solution.
 
Old 01-21-2003, 01:09 PM   #9
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 45
Regarding MySQL it's chrooted itself in a different chroot path *g*. So either chroot it also to that path (which I don't like to do since the mysql chroot is kind of pretty secured set up and the apache chroot would be a bit more insecure i suppose) ... I'll download FreeBSD 5.0 now BTW :-)

I'm not a librarian :-P
 
Old 01-29-2003, 05:13 AM   #10
kernelphr34k
LQ Newbie
 
Registered: Jan 2003
Location: Vegas
Distribution: Suse 9.3 / Custom Slack 10
Posts: 12

Rep: Reputation: 0
I get this error when I enter

"chmod 511 /server/http/binary/sbin/httpd"

ERROR:
chmod: failed to get attributes of `/server/http/binary/sbin/httpd': No such file or directory

I can't finder the "server" dir anywhere...


*EDIT*

Looks like I got around it, and right now I'm doing the install of PHP. I "of course" had to modify the locations to the different files and where the conf file was, but I think I got it now!

GREAT WORK on the right up!

Thanx!

Last edited by kernelphr34k; 01-29-2003 at 05:57 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Chrooting Apache, JAIL is giving me problems xbaez Linux - Software 1 08-08-2005 10:14 AM
chrooting sendmail dominant Linux - Security 2 07-01-2005 04:43 AM
Php support with apache c00l Linux - Software 4 03-02-2005 04:30 PM
reinstalled apache, php, still no php support SuSE 8.2 hindenbergbaby Linux - Software 1 10-14-2003 01:42 PM
chrooting apache v2 (php, ssl, perl support) ; perl configuration markus1982 Linux - Security 3 01-26-2003 06:15 PM


All times are GMT -5. The time now is 03:19 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration