chrooting apache with php support - sendmail problems
I'm currently chrooting apache v2.043, php v4.3.0 and there is a problem with the sendmail part. I copied the required libraries and configuration files for sendmail to work properly. I also created a mque directory ... and well if I for instance do:
chroot /server/http /usr/sbin/sendmail -bd &
I can CONNECT to it and everything works ... I can send emails and they get in the /server/http/var/spool/mque directory ... so everything works just fine ... but with the php part it doesn't work. The mail() function doesn't put ANYTHING in the mail spool ... and since sendmail itself is running with the above chroot command and works, I'm out of ideas ... I double checked everything I could think of already.
Permissions? Is PHP allowed to do $fp = popen('/usr/sbin/sendmail ...') etc.? Doesn't sendmail accept because of missing parameters/wrong user? Anything in the logfiles? Are you running Apache + PHP + Sendmail in the same chroot (stupid question, I know)?
First of all Apache and sendmail are of course in the same chroot ... otherwise all of this wouldn't make any sense :-)
You know what I will do now? I will set up all of this AGAIN and be very careful before doing something. I mean this won't be limited to just the sendmail part but to everything. I will check the permissions, etc ... I will make a short doc on how I set everything up and post that here ...
The thing is the exact same configuration works if you run it without the chroot ... so basically it should work :-)
PHP configuration items I changed:
And lastly the php configuration:
Code:
[PHP]
; Options have been set keeping security in mind
; Check http://www.openna.com/documentations.../php/index.php
; for more information
...
;
; Safe Mode
;
safe_mode = On
; By default, Safe Mode does a UID compare check when
; opening files. If you want to relax this to a GID compare,
; then turn on safe_mode_gid.
safe_mode_gid = Off
; When safe_mode is on, UID/GID checks are bypassed when
; including files from this directory and its subdirectories.
; (directory must also be in include_path or full path must
; be used when including)
safe_mode_include_dir = "/server/http/binary/share/pear"
; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.
safe_mode_exec_dir = "/var/empty/"
; Setting certain environment variables may be a potential security breach.
; This directive contains a comma-delimited list of prefixes. In Safe Mode,
; the user may only alter environment variables whose names begin with the
; prefixes supplied here. By default, users will only be able to set
; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
;
; Note: If this directive is empty, PHP will let the user modify ANY
; environment variable!
safe_mode_allowed_env_vars = PHP_
; This directive contains a comma-delimited list of environment variables that
; the end user won't be able to change using putenv(). These variables will be
; protected even if safe_mode_allowed_env_vars is set to allow to change them.
safe_mode_protected_env_vars = LD_LIBRARY_PATH
; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
open_basedir = "/server/http/binary/share/pear:/server/http/htdocs/virtual_hosts/"
register_globals = Off
...
;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;
; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
include_path = "/server/http/binary/lib/php/"
;
; Windows: "\path1;\path2"
;include_path = ".;c:\php\includes"
; The root of the PHP pages, used only if nonempty.
; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
; if you are running php as a CGI under any web server (other than IIS)
; see documentation for security issues. The alternate is to use the
; cgi.force_redirect configuration below
doc_root = "/server/http/htdocs/virtual_hosts/"
; The directory under which PHP opens the script using /~username, used only
; if nonempty.
user_dir =
; Directory in which the loadable extensions (modules) reside.
extension_dir = ./
; Whether or not to enable the dl() function. The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
; disabled on them.
enable_dl = Off
; cgi.force_redirect is necessary to provide security running PHP as a CGI under
; most web servers. Left undefined, PHP turns this on by default. You can
; turn it off here AT YOUR OWN RISK
; **You CAN safely turn this off for IIS, in fact, you MUST.**
; cgi.force_redirect = 1
; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
; will look for to know it is OK to continue execution. Setting this variable MAY
; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
; cgi.redirect_status_env = ;
; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
; security tokens of the calling client. This allows IIS to define the
; security context that the request runs under. mod_fastcgi under Apache
; does not currently support this feature (03/17/2002)
; Set to 1 if running under IIS. Default is zero.
; fastcgi.impersonate = 1;
; cgi.rfc2616_headers configuration option tells PHP what type of headers to
; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
; is supported by Apache. When this option is set to 1 PHP will send
; RFC2616 compliant header.
; Set to 1 if running under IIS. Default is zero.
;cgi.rfc2616_headers = 0
...
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On
; Define the anonymous ftp password (your email address)
;from="john@doe.com"
; Define the user agent for php to send
;user_agent="PHP"
; Default timeout for socket based streams (seconds)
default_socket_timeout = 60
; If your scripts have to deal with files from Macintosh systems,
; or you are running on a Mac and need to deal with files from
; unix or win32 systems, setting this flag will cause PHP to
; automatically detect the EOL character in those files so that
; fgets() and file() will work regardless of the source of the file.
; auto_detect_line_endings = Off
...
[mail function]
; For Win32 only.
SMTP = localhost
; For Win32 only.
sendmail_from = me@localhost.com
; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
;sendmail_path =
...
[MySQL]
; Allow or prevent persistent links.
mysql.allow_persistent = Off
; Maximum number of persistent links. -1 means no limit.
mysql.max_persistent = -1
; Maximum number of links (persistent + non-persistent). -1 means no limit.
mysql.max_links = -1
; Default port number for mysql_connect(). If unset, mysql_connect() will use
; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
; at MYSQL_PORT.
mysql.default_port =
; Default socket name for local MySQL connects. If empty, uses the built-in
; MySQL defaults.
mysql.default_socket = /tmp/mysql.sock
; Default host for mysql_connect() (doesn't apply in safe mode).
mysql.default_host =
; Default user for mysql_connect() (doesn't apply in safe mode).
mysql.default_user =
; Default password for mysql_connect() (doesn't apply in safe mode).
; Note that this is generally a *bad* idea to store passwords in this file.
; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password")
; and reveal this password! And of course, any users with read access to this
; file will be able to reveal the password as well.
mysql.default_password =
; Maximum time (in seconds) for connect timeout. -1 means no limit
mysql.connect_timeout = -1
; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
; SQL errors will be displayed.
mysql.trace_mode = Off
gives warning about not being able to determine fully qualified name (needs /etc/hosts and /etc/resolv.conf)
mkdir tmp
chmod 777 tmp
chmod +t tmp
now everything works except database connect ... seems like something's missing for that ... and mail of course ... probably it's not worth being chrooted ...
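The checklist in the earlier reply (binary reachable, permissions, same chroot) and the notes just above (/etc/hosts, /etc/resolv.conf, a 1777 tmp directory) boil down to a handful of file checks on the chroot tree. This is an added example, not code from the thread: a pre-flight script that reports what is missing under a chroot root. The sendmail path, the queue directory name and the required files are assumptions taken from the thread; adjust them to your layout.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of a chroot tree that
# is meant to host Apache + PHP + sendmail. Paths are assumptions from the
# thread (usr/sbin/sendmail, etc/hosts, etc/resolv.conf, a 1777 tmp).

# chroot_check ROOT SPOOLDIR
#   Prints one line per problem found and always exits 0; count the lines.
#   SPOOLDIR is the sendmail queue directory relative to ROOT (assumed name).
chroot_check() {
    root=${1%/}   # strip a trailing slash so "$root/$f" stays clean
    spool=$2
    # The binary PHP's mail() will popen(); default sendmail_path is
    # "sendmail -t -i", so it must exist and be executable inside the chroot.
    [ -x "$root/usr/sbin/sendmail" ] || echo "MISSING exec: usr/sbin/sendmail"
    # The "fully qualified name" warning in the thread came from these two.
    for f in etc/hosts etc/resolv.conf; do
        [ -f "$root/$f" ] || echo "MISSING file: $f"
    done
    # Queue directory: the thread's symptom was nothing ever landing here.
    [ -d "$root/$spool" ] || echo "MISSING dir: $spool"
    # tmp must be a 1777 directory (the mkdir / chmod 777 / chmod +t step).
    if [ -d "$root/tmp" ]; then
        [ -n "$(find "$root/tmp" -prune -perm -1777)" ] || echo "BAD mode: tmp (want 1777)"
    else
        echo "MISSING dir: tmp"
    fi
    return 0
}

# chroot_problem_count ROOT SPOOLDIR: number of problem lines as one integer.
chroot_problem_count() {
    chroot_check "$1" "$2" | wc -l | tr -d ' '
}

# chroot_lib_check ROOT BINARY
#   Best effort: lists the shared libraries the *host* copy of BINARY needs
#   (via ldd) that are absent under ROOT. Prints nothing if ldd is unavailable
#   or BINARY is not a dynamic executable.
chroot_lib_check() {
    root=${1%/}
    ldd "$2" 2>/dev/null | grep -o '/[^ ]*' | while read -r lib; do
        [ -e "$root$lib" ] || echo "MISSING lib: $lib"
    done
    return 0
}
```

Run it as root against the real tree, e.g. `chroot_check /server/http var/spool/mqueue` followed by `chroot_lib_check /server/http /usr/sbin/sendmail`; an empty output from both means the file-level prerequisites are in place and the remaining suspects are the user Apache runs as and the sendmail logs.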
Damn, you'll be Conan The Librarian if you don't stop documenting stuff that neatly :-]
Connect, wasn't that the /var/lib/mysql/mysql.sock outside the chroot? Socket dir 777 permission? For mail read your mail, maybe got a solution.
Regarding MySQL it's chrooted itself in a different chroot path *g*. So either chroot it also to that path (which I don't like to do since the mysql chroot is kind of pretty securely set up and the apache chroot would be a bit more insecure I suppose) ... I'll download FreeBSD 5.0 now BTW :-)
ERROR:
chmod: failed to get attributes of `/server/http/binary/sbin/httpd': No such file or directory
I can't find the "server" dir anywhere...
*EDIT*
Looks like I got around it, and right now I'm doing the install of PHP. I "of course" had to modify the locations to the different files and where the conf file was, but I think I got it now!
GREAT WORK on the write-up!
Thanx!
Last edited by kernelphr34k; 01-29-2003 at 05:57 AM.