Posted to users@httpd.apache.org by "--[ UxBoD ]--" <ux...@splatnix.net> on 2011/04/20 01:47:42 UTC

[users@httpd] Chroot a virtual host

Hi,

I have noticed that when running Joomla, or in fact any browsing capable PHP code, I am able to navigate above my virtual host document root and look at other virtual host files.

How would one stop this? I have taken a look at mod_chroot but that does not seem to work as ChrootDir can only be used in the main configuration and not in the VirtualHost directive.

For reference I am running Apache 2.2.17.
-- 
Thanks, Phil

Re: [users@httpd] Chroot a virtual host

Posted by Mark Montague <ma...@catseye.org>.
  On April 19, 2011 19:47, "--[ UxBoD ]--" <ux...@splatnix.net> wrote:
> I have noticed that when running Joomla, or in fact any browsing capable PHP code, I am able to navigate above my virtual host document root and look at other virtual host files.
>
> How would one stop this? I have taken a look at mod_chroot but that does not seem to work as ChrootDir can only be used in the main configuration and not in the VirtualHost directive.

As an alternative to chroot, you could use privilege separation to 
achieve what you want, setting up each virtual host to execute PHP code 
as a different user from all other virtual hosts' users.

There are many ways to implement privilege separation, see 
http://wiki.apache.org/httpd/PrivilegeSeparation    My favorite way is 
to use FastCGI, although I personally use mod_proxy_fcgi for this rather 
than mod_fcgid.

--
   Mark Montague
   mark@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
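Mark's FastCGI approach in Apache configuration, as an added example that is not from the thread: two virtual hosts, each handing PHP to its own php-fpm backend that runs as a separate OS user. It assumes httpd 2.4 (where mod_proxy_fcgi ships; the thread runs 2.2.17), backends on 127.0.0.1:9001 and 9002, and hypothetical hosts alpha.example and bravo.example.

```apache
# Added example (not from the thread): privilege separation with mod_proxy_fcgi.
# Assumes httpd 2.4 with mod_proxy and mod_proxy_fcgi; mod_php is NOT loaded, so no
# PHP runs inside the httpd worker processes at all.
# Each vhost sends *.php to its own php-fpm pool. In php-fpm (config not shown here)
# the pool listening on 9001 has "user = alpha; group = alpha", the one on 9002
# "user = bravo; group = bravo"; alpha and bravo are ordinary unprivileged accounts.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so

<VirtualHost *:80>
    ServerName   alpha.example
    DocumentRoot /srv/www/alpha/htdocs

    # The path after the host:port is the SCRIPT_FILENAME the FPM process opens,
    # so it must be a path as seen by that process; $1 is the request path.
    ProxyPassMatch "^/(.*\.php(/.*)?)$" "fcgi://127.0.0.1:9001/srv/www/alpha/htdocs/$1"

    <Directory /srv/www/alpha/htdocs>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName   bravo.example
    DocumentRoot /srv/www/bravo/htdocs
    ProxyPassMatch "^/(.*\.php(/.*)?)$" "fcgi://127.0.0.1:9002/srv/www/bravo/htdocs/$1"
    <Directory /srv/www/bravo/htdocs>
        Require all granted
    </Directory>
</VirtualHost>

# Filesystem side, without which the separation does nothing: each tree is owned by
# its own user/group and closed to "other". The httpd user (here "apache") only
# serves static files, so it is added to both groups for read access, while the PHP
# process of alpha (uid alpha, gid alpha) has no way into /srv/www/bravo:
#   chown -R alpha:alpha /srv/www/alpha && chmod 750 /srv/www/alpha
#   chown -R bravo:bravo /srv/www/bravo && chmod 750 /srv/www/bravo
#   usermod -aG alpha,bravo apache
# A script on alpha.example that tries to open /srv/www/bravo/htdocs/configuration.php
# now gets EACCES from the kernel, independent of any PHP setting or .htaccess.
```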


Re: [users@httpd] Chroot a virtual host

Posted by "--[ UxBoD ]--" <ux...@splatnix.net>.
----- Original Message -----
> Hi,
> Some time ago I played with exactly your configuration.
> 
> If you strace the httpd process you can see that it's searching some
> files under /usr/share related to date and time.
> Here is an extract of my chroot with files I copied under my chroot
> 
> /chroot/usr/share/zoneinfo/Europe/Rome
> /chroot/usr/share/zoneinfo/zone.tab
> 
> Hope this helps.
> Marco
> 
> On Fri, May 13, 2011 at 9:35 AM, --[ UxBoD ]-- <ux...@splatnix.net>
> wrote:
> > ----- Original Message -----
> >> Hello,
> >>
> >> On 20.04.11 00:47, --[ UxBoD ]-- wrote:
> >> > I have noticed that when running Joomla, or in fact any browsing
> >> > capable
> >> > PHP code, I am able to navigate above my virtual host document
> >> > root
> >> > and
> >> > look at other virtual host files.
> >> >
> >> > How would one stop this? I have taken a look at mod_chroot but
> >> > that does
> >> > not seem to work as ChrootDir can only be used in the main
> >> > configuration
> >> > and not in the VirtualHost directive.
> >>
> >> Just 1.5 months ago this question was asked and (imho) answered.
> >> Usually the PHP scripts are run under the same user apache runs
> >> as,
> >> so they
> >> have the same permissions.
> >>
> >> You can limit the files which a PHP script can access by using PHP
> >> directives
> >> open_basedir and doc_root.
> >>
> >> You can run the peruser MPM with Apache 2.2.
> >>
> >> You can also run PHP as CGI using suexec, but that's a bit
> >> ineffective.
> >> I don't know how FastCGI works.
> >>
> >
> > I managed to get Joomla working, kind of, in an Apache 2.2 chroot
> > but then I hit a problem with JDate not working so I raised
> > http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=25870
> >
> > I have now switched to trying to get SuExec and FCGI working but
> > hitting an issue with:
> >
> > [Fri May 13 08:29:29 2011] [warn] [client XXXXXXXXXXXX]
> > (104)Connection reset by peer: mod_fcgid: error reading data from
> > FastCGI server
> > [Fri May 13 08:29:29 2011] [error] [client XXXXXXXXXXX] Premature
> > end of script headers: test.php
> >
> > Though will post this as a separate thread.

Hi Marco,

I shall certainly give that a try :) I am debating which is going to be easier to support long term, chroot or SuExec&FCGI, and which will offer the greater degree of security.
-- 
Thanks, Phil



Re: [users@httpd] Chroot a virtual host

Posted by Marco Pizzoli <ma...@gmail.com>.
Hi,
Some time ago I played with exactly your configuration.

If you strace the httpd process you can see that it's searching some
files under /usr/share related to date and time.
Here is an extract of my chroot with files I copied under my chroot

/chroot/usr/share/zoneinfo/Europe/Rome
/chroot/usr/share/zoneinfo/zone.tab

Hope this helps.
Marco

On Fri, May 13, 2011 at 9:35 AM, --[ UxBoD ]-- <ux...@splatnix.net> wrote:
> ----- Original Message -----
>> Hello,
>>
>> On 20.04.11 00:47, --[ UxBoD ]-- wrote:
>> > I have noticed that when running Joomla, or in fact any browsing
>> > capable
>> > PHP code, I am able to navigate above my virtual host document root
>> > and
>> > look at other virtual host files.
>> >
>> > How would one stop this? I have taken a look at mod_chroot but
>> > that does
>> > not seem to work as ChrootDir can only be used in the main
>> > configuration
>> > and not in the VirtualHost directive.
>>
>> Just 1.5 months ago this question was asked and (imho) answered.
>> Usually the PHP scripts are run under the same user apache runs as,
>> so they
>> have the same permissions.
>>
>> You can limit the files which a PHP script can access by using PHP
>> directives
>> open_basedir and doc_root.
>>
>> You can run the peruser MPM with Apache 2.2.
>>
>> You can also run PHP as CGI using suexec, but that's a bit
>> ineffective.
>> I don't know how FastCGI works.
>>
>
> I managed to get Joomla working, kind of, in an Apache 2.2 chroot but then I hit a problem with JDate not working so I raised http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=25870
>
> I have now switched to trying to get SuExec and FCGI working but hitting an issue with:
>
> [Fri May 13 08:29:29 2011] [warn] [client XXXXXXXXXXXX] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
> [Fri May 13 08:29:29 2011] [error] [client XXXXXXXXXXX] Premature end of script headers: test.php
>
> Though will post this as a separate thread.
> --
> Thanks, Phil



-- 
_________________________________________
It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get up again.
                    Jim Morrison



Re: [users@httpd] Chroot a virtual host

Posted by "--[ UxBoD ]--" <ux...@splatnix.net>.
----- Original Message -----
> Hello,
> 
> On 20.04.11 00:47, --[ UxBoD ]-- wrote:
> > I have noticed that when running Joomla, or in fact any browsing
> > capable
> > PHP code, I am able to navigate above my virtual host document root
> > and
> > look at other virtual host files.
> > 
> > How would one stop this? I have taken a look at mod_chroot but
> > that does
> > not seem to work as ChrootDir can only be used in the main
> > configuration
> > and not in the VirtualHost directive.
> 
> Just 1.5 months ago this question was asked and (imho) answered.
> Usually the PHP scripts are run under the same user apache runs as,
> so they
> have the same permissions.
> 
> You can limit the files which a PHP script can access by using PHP
> directives
> open_basedir and doc_root.
> 
> You can run the peruser MPM with Apache 2.2.
> 
> You can also run PHP as CGI using suexec, but that's a bit
> ineffective.
> I don't know how FastCGI works.
> 

I managed to get Joomla working, kind of, in an Apache 2.2 chroot but then I hit a problem with JDate not working so I raised http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=25870

I have now switched to trying to get SuExec and FCGI working but hitting an issue with:

[Fri May 13 08:29:29 2011] [warn] [client XXXXXXXXXXXX] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Fri May 13 08:29:29 2011] [error] [client XXXXXXXXXXX] Premature end of script headers: test.php

Though will post this as a separate thread.
-- 
Thanks, Phil





Re: [users@httpd] Chroot a virtual host

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
Hello,

On 20.04.11 00:47, --[ UxBoD ]-- wrote:
> I have noticed that when running Joomla, or in fact any browsing capable
> PHP code, I am able to navigate above my virtual host document root and
> look at other virtual host files.
> 
> How would one stop this? I have taken a look at mod_chroot but that does
> not seem to work as ChrootDir can only be used in the main configuration
> and not in the VirtualHost directive.

Just 1.5 months ago this question was asked and (imho) answered.
Usually the PHP scripts are run under the same user apache runs as, so they
have the same permissions. 

You can limit the files which a PHP script can access by using PHP directives
open_basedir and doc_root.

You can run the peruser MPM with Apache 2.2.

You can also run PHP as CGI using suexec, but that's a bit ineffective.
I don't know how FastCGI works.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
(R)etry, (A)bort, (C)ancer
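Matus' open_basedir suggestion as it applies to the setup in this thread (mod_php under httpd 2.2), as an added example that is not from the thread. It assumes hypothetical hosts alpha.example and bravo.example under /www, each with its own tmp directory.

```apache
# Added example (not from the thread): per-vhost open_basedir with mod_php on httpd 2.2.
# All PHP still runs as the single httpd User, so this is a PHP-level fence, not an OS
# boundary: it stops file functions such as fopen(), include and opendir() from reaching
# outside the listed prefixes, but not programs started via exec()/system(), and it
# relies on every extension honouring it. Pair it with an OS-level separation
# (suexec, FastCGI pools, the peruser MPM) rather than using it alone.

<VirtualHost *:80>
    ServerName   alpha.example
    DocumentRoot /www/alpha/htdocs

    # php_admin_value cannot be overridden from .htaccess or ini_set(); php_value can,
    # which would let the very code being fenced in lift the fence.
    # Entries are path prefixes separated by ":"; the trailing "/" makes them match
    # the directory only, so /www/alpha/ does not also admit /www/alpha-staging.
    php_admin_value open_basedir "/www/alpha/htdocs/:/www/alpha/tmp/"

    # Keep uploads and session files inside the fence too; otherwise they land in the
    # shared /tmp, which open_basedir would then have to allow for every vhost.
    php_admin_value upload_tmp_dir    "/www/alpha/tmp"
    php_admin_value session.save_path "/www/alpha/tmp"

    # Leaving open_basedir unset (the default) is the weak setting: any vhost's script
    # can read any file the httpd User can, which is exactly the behaviour reported.
</VirtualHost>

<VirtualHost *:80>
    ServerName   bravo.example
    DocumentRoot /www/bravo/htdocs
    php_admin_value open_basedir "/www/bravo/htdocs/:/www/bravo/tmp/"
    php_admin_value upload_tmp_dir    "/www/bravo/tmp"
    php_admin_value session.save_path "/www/bravo/tmp"
</VirtualHost>
```

A quick check after a reload: a one-line script on alpha.example that calls file_get_contents() on a path under /www/bravo/ should fail with an "open_basedir restriction in effect" warning in the error log.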



Re: [users@httpd] Chroot a virtual host

Posted by "--[ UxBoD ]--" <ux...@splatnix.net>.
----- Original Message -----
> ----- Original Message -----
> > Hi,
> > 
> > I have noticed that when running Joomla, or in fact any browsing
> > capable PHP code, I am able to navigate above my virtual host
> > document root and look at other virtual host files.
> > 
> > How would one stop this? I have taken a look at mod_chroot but
> > that
> > does not seem to work as ChrootDir can only be used in the main
> > configuration and not in the VirtualHost directive.
> > 
> > For reference I am running Apache 2.2.17.
> 
> I have tried to create a second instance of HTTP, running on port
> 8080, using the following conf:
> 
> LoadModule chroot_module      modules/mod_chroot.so
> LoadModule headers_module     modules/mod_headers.so
> LoadModule rewrite_module     modules/mod_rewrite.so
> LoadModule expires_module     modules/mod_expires.so
> LoadModule auth_basic_module  modules/mod_auth_basic.so
> LoadModule php5_module        modules/libphp5.so
> LoadModule deflate_module     modules/mod_deflate.so
> 
> LoadFile /lib64/libnss_dns.so.2
> 
> AddHandler php5-script php
> 
> Listen 8080
> 
> ChrootDir    /www/somevhost.co.uk
> ServerRoot   /
> DocumentRoot /htdocs
> 
> RequestHeader Set Host www.somevhost.co.uk
> PidFile /var/run/apache2.pid
> Timeout 300
> KeepAlive On
> MaxKeepAliveRequests 100
> KeepAliveTimeout 15
> 
> User somevhost.co.uk
> Group somevhost.co.uk
> 
> HostnameLookups Off
> LogLevel warn
> 
> ErrorLog  /logs/error.log
> CustomLog /logs/access.log combined
> 
> <IfModule dir_module>
>     DirectoryIndex index.html index.php
> </IfModule>
> 
> AccessFileName .htaccess
> 
> <Files ~ "^\.ht">
>     Order allow,deny
>     Deny from all
> </Files>
> 
> <Directory /htdocs>
>     Order deny,allow
>     Allow from all
>     AllowOverride All
> </Directory>
> 
> Though when I run :-
> 
> /usr/local/apache/bin/httpd -f /www/somevhost.co.uk/conf/apache2.conf
> -k start
> 
> it complains that it cannot find the DocumentRoot directory which
> would suggest that the Chroot is not taking place.  If I use
> absolute paths then HTTPD does indeed start but a phpinfo() returns
> the path as being /www/somevhost.co.uk/htdocs instead of /htdocs.
> 
> Any ideas what I could be doing wrong please?

Finally got this to work as it appears to be a bug in Apache and you have to create a fake root e.g. /www/somevhost.co.uk/www.

What I am struggling with is that the Joomla site works fine until you come to try and install a component or module. It loads up to 100% and then it just says it cannot install. All the permissions look fine and it was working before switching to a chroot environment. Any thoughts ?

-- 
Thanks, Phil

Re: [users@httpd] Chroot a virtual host

Posted by "--[ UxBoD ]--" <ux...@splatnix.net>.
----- Original Message -----
> Hi,
> 
> I have noticed that when running Joomla, or in fact any browsing
> capable PHP code, I am able to navigate above my virtual host
> document root and look at other virtual host files.
> 
> How would one stop this? I have taken a look at mod_chroot but that
> does not seem to work as ChrootDir can only be used in the main
> configuration and not in the VirtualHost directive.
> 
> For reference I am running Apache 2.2.17.

I have tried to create a second instance of HTTP, running on port 8080, using the following conf:

LoadModule chroot_module      modules/mod_chroot.so
LoadModule headers_module     modules/mod_headers.so
LoadModule rewrite_module     modules/mod_rewrite.so
LoadModule expires_module     modules/mod_expires.so
LoadModule auth_basic_module  modules/mod_auth_basic.so
LoadModule php5_module        modules/libphp5.so
LoadModule deflate_module     modules/mod_deflate.so

LoadFile /lib64/libnss_dns.so.2

AddHandler php5-script php

Listen 8080

ChrootDir    /www/somevhost.co.uk
ServerRoot   /
DocumentRoot /htdocs

RequestHeader Set Host www.somevhost.co.uk
PidFile /var/run/apache2.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

User somevhost.co.uk
Group somevhost.co.uk

HostnameLookups Off
LogLevel warn

ErrorLog  /logs/error.log
CustomLog /logs/access.log combined

<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

<Directory /htdocs>
    Order deny,allow
    Allow from all
    AllowOverride All
</Directory>

Though when I run :-

/usr/local/apache/bin/httpd -f /www/somevhost.co.uk/conf/apache2.conf -k start

it complains that it cannot find the DocumentRoot directory which would suggest that the Chroot is not taking place. If I use absolute paths then HTTPD does indeed start but a phpinfo() returns the path as being /www/somevhost.co.uk/htdocs instead of /htdocs.

Any ideas what I could be doing wrong please?
-- 
Thanks, Phil