On Fri, May 26, 2006 at 11:21:54PM +0200, misiu wrote:
> Tony Abernethy wrote:
>
> >The problem with a changed root is that everything you will ever
> >need to access needs to be inside this changed root.
> >All the libraries, etc etc --- that's right, another copy.
> >
> >One advantage of OpenBSD is that they actually understand security.
> >(Most that tries to pass for security ... isn't (bluntly))
> Thanks,
>
> so if I understand it right, I need to copy /var/www/cgi-bin into
> /var/www/htdocs.
Erm, no.
Say I write a Perl CGI script. I'd then need to copy /usr/bin/perl into
the chroot (i.e., to /var/www/usr/bin/perl). Of course, perl would fail
to start, as the perl executable is dynamically linked and thus
dependent on quite a few things.

$ ldd /usr/bin/perl
/usr/bin/perl:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/bin/perl
        02f9c000 22fbd000 rlib 0    1   0      /usr/lib/libperl.so.10.1
        0d2f4000 2d2fb000 rlib 0    1   0      /usr/lib/libm.so.2.2
        0acae000 2acb2000 rlib 0    1   0      /usr/lib/libutil.so.11.0
        03310000 23341000 rlib 0    1   0      /usr/lib/libc.so.39.0
        0e40f000 0e40f000 rtld 0    1   0      /usr/libexec/ld.so

This means I'd need to copy the mentioned libraries into /var/www, i.e.
/var/www/usr/lib/libc.so.39.0 and so on.
Of course, this would run Perl but probably not the script. You most
likely used some modules, and so on. This'd entail copying (parts of)
/usr/libdata/perl5 and/or /usr/local/libdata/perl5 into /var/www.
Joachim
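
Added example, not part of the message above: a shell sketch that turns ldd output in the format quoted in the mail into the list of files that must exist under the chroot, and optionally copies them. The function names (sample_ldd, ldd_paths, chroot_plan, populate_chroot) and the DRYRUN variable are made up for this illustration; the sample input is the ldd listing from the mail.

```shell
#!/bin/sh
# Added illustration: plan which files a dynamically linked binary
# needs inside a chroot, from OpenBSD-style ldd output.

CHROOT=${CHROOT:-/var/www}   # chroot directory used in the thread

# Sample input: the ldd listing quoted in the message.
sample_ldd() {
cat <<'EOF'
/usr/bin/perl:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/bin/perl
        02f9c000 22fbd000 rlib 0    1   0      /usr/lib/libperl.so.10.1
        0d2f4000 2d2fb000 rlib 0    1   0      /usr/lib/libm.so.2.2
        0acae000 2acb2000 rlib 0    1   0      /usr/lib/libutil.so.11.0
        03310000 23341000 rlib 0    1   0      /usr/lib/libc.so.39.0
        0e40f000 0e40f000 rtld 0    1   0      /usr/libexec/ld.so
EOF
}

# Read ldd output on stdin; print each needed object once:
# the executable (exe), shared libraries (rlib) and ld.so (rtld).
ldd_paths() {
    awk '$3 == "exe" || $3 == "rlib" || $3 == "rtld" { print $NF }' | sort -u
}

# Print "source destination" pairs, keeping the same path below the chroot.
chroot_plan() {
    root=$1
    ldd_paths | while read -r src; do
        printf '%s %s%s\n' "$src" "$root" "$src"
    done
}

# Copy the planned files, creating directories as needed.
# DRYRUN defaults to 1 (print only); set DRYRUN=0 to really copy.
populate_chroot() {
    root=$1
    chroot_plan "$root" | while read -r src dst; do
        if [ "${DRYRUN:-1}" = 1 ]; then
            echo "would copy $src -> $dst"
        else
            mkdir -p "$(dirname "$dst")" && cp -p "$src" "$dst"
        fi
    done
}

# Show the plan for the sample listing; on a real system use:
#   ldd /usr/bin/perl | DRYRUN=0 populate_chroot /var/www
sample_ldd | chroot_plan "$CHROOT"
```

This only covers what ldd reports; Perl modules under /usr/libdata/perl5 or /usr/local/libdata/perl5 are loaded at run time and still have to be copied separately, as the message says.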