Posted to users@httpd.apache.org by "Gold, Samuel (Contractor)" <Sa...@disa.mil> on 2005/07/20 17:12:55 UTC

RE: [users@httpd] suexec with mod_chroot: "command not in docroot "

Cwd is current working directory, it is an environment variable.  At least
from what I understand.  I am not sure what dwd is though.  Have you tried
to use truss or strace to see if you are missing a command in your chrooted
environment?  What OS are you using?

-----Original Message-----
From: dAniel hAhler [mailto:apache-users@thequod.de] 
Sent: Wednesday, July 20, 2005 12:58 AM
To: users@httpd.apache.org
Subject: [users@httpd] suexec with mod_chroot: "command not in docroot"


Hi,

I've installed mod_chroot for Apache (2.0.53-Ubuntu), but now have problems 
with suexec complaining:

[2005-07-20 06:28:13]: uid: (1003/xxxxx) gid: (1003/1003) cmd: 
php4-fcgi-starter
[2005-07-20 06:28:13]: command not in docroot 
(/fcgi-scripts/web2/php4-fcgi-starter)

php4-fcgi-starter is a script that should start php-fcgi (I'm using 
mod_fastcgi).

My suexec-docroot is "/", because of mod_chroot:
# /usr/lib/apache2/suexec2 -V
 -D AP_DOC_ROOT="/"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"

Therefore I have rebuilt the Ubuntu package from source (got the error
"cannot get docroot information (/var/www)" before).

From suexec.c it is this part that throws the error:
    if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
        log_err("command not in docroot (%s/%s)\n", cwd, cmd);
        exit(114);
    }

I'm not sure, what cwd and dwd are set to, but it errors here.. :(

btw: this error message should be changed into something more verbose:
log_err("command (%s/%s) not in docroot (%s)\n", cwd, cmd, dwd); like some
of the others, too.

It is really frustrating and would be much easier in my humble opinion, if 
suexec would have a chroot() functionality.

Do you have any suggestions? Is it a bug in suexec?

Thanks for any ideas and suggestions.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info. To
unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



Re: [users@httpd] suexec with mod_chroot: "command not in docroot "

Posted by dAniel hAhler <ap...@thequod.de>.
Hi,

Thanks for all your help, it was a very stupid mistake of myself.. 
"/fcgi-scripts/.." still was not in the docroot, because the suexec2 in the 
chroot was still the old one... :/

I thought I had hardlinked it there, but it seems to have been copied only.

Sorry.



Re: [users@httpd] suexec with mod_chroot: "command not in docroot "

Posted by dAniel hAhler <ap...@thequod.de>.
On Wednesday 20 July 2005 17:12, Gold, Samuel (Contractor) wrote:

> Cwd is current working directory, it is an environment variable.  At least
> from what I understand.  I am not sure what dwd is though.  Have you tried
> to use truss or strace to see if you are missing a command in your chrooted
> environment?  What OS are you using?

I've used makejail to make sure that all libs are there. It does not seem to 
be a lib thing IMHO.

I find it interesting what Joshua writes:
> Your problem is probably that getcwd is returning the full
> (non-chrooted) path to AP_DOC_ROOT inside the jail.  I don't know how
> to get around that.

Does anybody have an idea how I could test for that?

My other plan is to try sbox - it may handle the situation better.

Now, I'm rebuilding the Ubuntu apache2 package from source (the second time), 
with a more informative error message (outputting dwd).

Let's see.


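The docroot check discussed in this thread, as an added example (not code from suexec or from any poster): a small C diagnostic that resolves a command directory and a docroot as the current process sees them, prints both, and applies the same strncmp prefix comparison. The function names are hypothetical, and resolving both paths with chdir()/getcwd() is an assumption about how cwd and dwd are obtained; run it inside the jail to see what getcwd() returns there.

```c
/* Added diagnostic sketch; names are hypothetical, not suexec's own. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAXPATH 4096

/* Resolve a directory as this process sees it: chdir() there, ask
 * getcwd(), then return to the previous directory. 0 on success. */
int resolve_dir(const char *path, char *out, size_t outlen)
{
    char saved[MAXPATH];
    int rc = -1;
    if (getcwd(saved, sizeof saved) == NULL)
        return -1;
    if (chdir(path) == 0) {
        if (getcwd(out, outlen) != NULL)
            rc = 0;
        if (chdir(saved) != 0)
            rc = -1;
    }
    return rc;
}

/* The comparison from the quoted snippet: cwd must begin with dwd. */
int in_docroot(const char *cwd, const char *dwd)
{
    return strncmp(cwd, dwd, strlen(dwd)) == 0;
}

/* 1 = inside docroot, 0 = outside, -1 = a path could not be resolved.
 * Prints both resolved values, which the original log line omits. */
int check(const char *cmd_dir, const char *docroot)
{
    char cwd[MAXPATH], dwd[MAXPATH];
    if (resolve_dir(docroot, dwd, sizeof dwd) != 0 ||
        resolve_dir(cmd_dir, cwd, sizeof cwd) != 0)
        return -1;
    fprintf(stderr, "cwd=%s dwd=%s\n", cwd, dwd);
    return in_docroot(cwd, dwd);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <command-dir> <docroot>\n", argv[0]);
        return 2;
    }
    int r = check(argv[1], argv[2]);
    puts(r == 1 ? "in docroot" : r == 0 ? "command not in docroot"
                                        : "cannot resolve path");
    return r == 1 ? 0 : 1;
}
```

With a docroot of "/" every resolved directory passes the comparison, while a binary still built with a docroot of /var/www rejects /fcgi-scripts/web2, which matches the stale-binary outcome reported in the thread.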