On Fri, May 26, 2006 at 11:21:54PM +0200, misiu wrote:
> Tony Abernethy wrote:
>
> >The problem with a changed root is that everything you will ever
> >need to access needs to be inside this changed root.
> >All the libraries, etc etc --- that's right, another copy.
> >
> >One advantage of OpenBSD is that they actually understand security.
> >(Most that tries to pass for security ... isn't (bluntly))
> Thanks,
>
> so if I understand it right, I need to copy /var/www/cgi-bin into
> /var/www/htdocs.

Erm, no. Say I write a Perl CGI script. I'd then need to copy
/usr/bin/perl into the chroot (i.e., to /var/www/usr/bin/perl). Of
course, perl would fail to start, as the perl executable is dynamically
linked and thus dependent on quite a few things.

$ ldd /usr/bin/perl
/usr/bin/perl:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/bin/perl
        02f9c000 22fbd000 rlib 0    1   0      /usr/lib/libperl.so.10.1
        0d2f4000 2d2fb000 rlib 0    1   0      /usr/lib/libm.so.2.2
        0acae000 2acb2000 rlib 0    1   0      /usr/lib/libutil.so.11.0
        03310000 23341000 rlib 0    1   0      /usr/lib/libc.so.39.0
        0e40f000 0e40f000 rtld 0    1   0      /usr/libexec/ld.so

This means I'd need to copy the mentioned libraries into /var/www, i.e.
/var/www/usr/lib/libc.so.39.0 and so on.

Of course, this would run Perl but probably not the script. You most
likely used some modules, and so on. This'd entail copying (parts of)
/usr/libdata/perl5 and/or /usr/local/libdata/perl5 into /var/www.

		Joachim
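
The dependency walk described in the message above, as an added example that is not part of the original post: it parses OpenBSD-style ldd output and reports what the chroot needs. The function names and the CHROOT variable are assumptions; the sample input is the ldd output quoted in the message.

```shell
#!/bin/sh
# Added example: derive the files a chroot needs from OpenBSD ldd output.
# CHROOT and all function names are illustrative assumptions.
CHROOT=${CHROOT:-/var/www}

# Sample input: the ldd output quoted in the message.
sample_ldd() {
cat <<'EOF'
/usr/bin/perl:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/bin/perl
        02f9c000 22fbd000 rlib 0    1   0      /usr/lib/libperl.so.10.1
        0d2f4000 2d2fb000 rlib 0    1   0      /usr/lib/libm.so.2.2
        0acae000 2acb2000 rlib 0    1   0      /usr/lib/libutil.so.11.0
        03310000 23341000 rlib 0    1   0      /usr/lib/libc.so.39.0
        0e40f000 0e40f000 rtld 0    1   0      /usr/libexec/ld.so
EOF
}

# Read ldd output on stdin; print each needed object once.
# Rows are selected by the Type column (exe, rlib, rtld), which skips
# the "binary:" line and the column header.
chroot_deps() {
    awk '$3 == "exe" || $3 == "rlib" || $3 == "rtld" { print $NF }' | sort -u
}

# Dry run: print the commands that would populate $CHROOT, keeping the
# same absolute layout inside it. Nothing is copied.
copy_plan() {
    chroot_deps | while read -r src; do
        printf 'mkdir -p %s%s && cp -p %s %s%s\n' \
            "$CHROOT" "$(dirname "$src")" "$src" "$CHROOT" "$src"
    done
}

# List dependencies that are not yet present under $CHROOT.
missing_in_chroot() {
    chroot_deps | while read -r src; do
        [ -e "$CHROOT$src" ] || printf '%s\n' "$src"
    done
}

sample_ldd | copy_plan
```

On a real system, replace sample_ldd with `ldd /usr/bin/perl`. This covers only the shared objects; the Perl modules under /usr/libdata/perl5 mentioned in the message are not visible to ldd and have to be tracked separately.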