Girish Venkatachalam wrote:
On 02:01:19 Nov 17, Daniel Ouellet wrote:

This doesn't apply here because the library is pre-loaded before the httpd is chrooted.

More details:

Pre-loading Shared Libraries

To extend the functionality of the webserver it can dynamically load shared libraries, e.g. a database access library. Shared libraries for a binary program are normally loaded by the runtime linker when the program is invoked (and thus before it can call the chroot system call). Thus shared libraries like the mod_php PHP4 module, which is linked as a shared library to the httpd program when it is started, impose no problem. PHP4 will be available whether your httpd is started chrooted or not because the shared library is loaded before the chroot() system call is invoked. PHP4 itself, however, does dynamically load additional functionality at runtime and as needed. If you try to access a PostgreSQL function in PHP4 e.g. then it will fail in a chrooted httpd because only the PHP4 module is dynamically linked to httpd but not the PostgreSQL client library. The latter is loaded (mapped) to the running httpd executable by PHP4.

This was for php4 but also applies to php5, as the modules are loaded before the chroot takes place.

Hope this helps a little and helps users avoid running httpd with -u.

Thanks. ;)

I did not know this.

-Girish


Well,

Glad it helped you and cleared this up for many others too. I wish I could take credit for this explication, but I can't. I knew about it, but it had never been really totally clear to me. I guess it's one of these things you know, without really knowing it fully, but just know it worked.

The first time it was actually made clear in my mind was from Jason Dixon's article on his changes with PERL modules in httpd.

It's been published here on undeadly:

http://www.undeadly.org/cgi?action=article&sid=20080805194342

This cleared stuff for me that I knew, but really couldn't explain, so one would say, in that case, not really knowing it. (;>

You may want to read the article. It's not very long, and pretty good, and there is more to it than what hits the eyes there if you sit back and think about it.

This made me think about it in a different way and actually cleared that up totally for me then.

There are lots of good articles on undeadly from time to time that really are worth more than the time it takes to read them.

You never know when they will apply in the future. (;>

So, the credit really goes to "Jason Dixon" for opening my eyes on the issue with his article.

Best,

Daniel
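
An added example, not part of the thread or of the documentation quoted in it: a Python check for which runtime-loaded libraries (the PostgreSQL client library case above) would be missing once httpd has chrooted, resolving each path the way a chrooted process would. The function names, library file names and temporary directory layout are constructed for illustration.

```python
import os
import tempfile

def _parts(path):
    return [p for p in path.split("/") if p and p != "."]

def resolve_in_chroot(root, path, max_links=40):
    """Host-side location of `path` as a process chrooted to `root` sees it,
    or None if it does not exist there."""
    root = os.path.realpath(root)
    cur, todo, links = root, _parts(path), 0
    while todo:
        part = todo.pop(0)
        if part == "..":
            if cur != root:          # ".." cannot climb above the new root
                cur = os.path.dirname(cur)
            continue
        nxt = os.path.join(cur, part)
        if os.path.islink(nxt):
            links += 1
            if links > max_links:    # symlink loop
                return None
            target = os.readlink(nxt)
            if target.startswith("/"):
                cur = root           # absolute targets restart at the new root
            todo = _parts(target) + todo
            continue
        if not os.path.exists(nxt):
            return None
        cur = nxt
    return cur

def missing_after_chroot(root, libs):
    """Libraries a post-chroot dlopen() would fail to find."""
    return [lib for lib in libs if resolve_in_chroot(root, lib) is None]

def demo():
    """Constructed chroot tree; file names are illustrative only."""
    with tempfile.TemporaryDirectory() as root:
        libdir = os.path.join(root, "usr/local/lib")
        os.makedirs(libdir)
        open(os.path.join(libdir, "libpq.so.5.1"), "w").close()
        # Absolute link whose target exists inside the chroot.
        os.symlink("/usr/local/lib/libpq.so.5.1", os.path.join(libdir, "libpq.so"))
        # Link to a path that only exists outside the chroot.
        os.symlink("/opt/host-only/libfoo.so.1", os.path.join(libdir, "libfoo.so"))
        return missing_after_chroot(root, ["/usr/local/lib/libpq.so",
                                           "/usr/local/lib/libfoo.so",
                                           "/usr/lib/libssl.so"])

if __name__ == "__main__":
    print(demo())
```

Libraries already mapped before chroot() do not need to pass this check; it only matters for anything loaded on demand afterwards.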
