Re: [users@httpd] Chroot a virtual host
----- Original Message -----
> Hi,
>
> I have noticed that when running Joomla, or in-fact any browsing
> capable PHP code, I am able to navigate above my virtual host
> document root and look at other virtual host files.
>
> How would one stop this ? I have taken a look at mod_chroot but that
> does not seem to work as ChrootDir can only be used in the main
> configuration and not in the VirtualHost directive.
>
> For reference I am running Apache 2.2.17.

I have tried to create a second instance of HTTP, running on port 8080, using the following conf:

LoadModule chroot_module modules/mod_chroot.so
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule expires_module modules/mod_expires.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule php5_module modules/libphp5.so
LoadModule deflate_module modules/mod_deflate.so

LoadFile /lib64/libnss_dns.so.2

AddHandler php5-script php

Listen 8080

ChrootDir /www/somevhost.co.uk
ServerRoot /
DocumentRoot /htdocs

RequestHeader Set Host www.somevhost.co.uk
PidFile /var/run/apache2.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

User somevhost.co.uk
Group somevhost.co.uk

HostnameLookups Off
LogLevel warn

ErrorLog /logs/error.log
CustomLog /logs/access.log combined

DirectoryIndex index.html index.php

AccessFileName .htaccess

Order allow,deny
Deny from all

Order deny,allow
Allow from all
AllowOverride All

Though when I run :-

/usr/local/apache/bin/httpd -f /www/somevhost.co.uk/conf/apache2.conf -k start

it complains that it cannot find the DocumentRoot directory which would suggest that the Chroot is not taking place. If I use absolute paths then HTTPD does indeed start but a phpinfo() returns the path as being /www/somevhost.co.uk/htdocs instead of /htdocs.

Any ideas what I could be doing wrong please ?

--
Thanks, Phil
Re: [users@httpd] Chroot a virtual host
On April 19, 2011 19:47, "--[ UxBoD ]--" wrote:

> I have noticed that when running Joomla, or in-fact any browsing
> capable PHP code, I am able to navigate above my virtual host
> document root and look at other virtual host files.
>
> How would one stop this ? I have taken a look at mod_chroot but that
> does not seem to work as ChrootDir can only be used in the main
> configuration and not in the VirtualHost directive.

As an alternative to chroot, you could use privilege separation to achieve what you want, setting up each virtual host to execute PHP code as a different user from all other virtual hosts' users. There are many ways to implement privilege separation, see http://wiki.apache.org/httpd/PrivilegeSeparation

My favorite way is to use FastCGI, although I personally use mod_proxy_fcgi for this rather than mod_fcgid.

--
Mark Montague
m...@catseye.org

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Chroot a virtual host
----- Original Message -----
> ----- Original Message -----
> > Hi,
> >
> > I have noticed that when running Joomla, or in-fact any browsing
> > capable PHP code, I am able to navigate above my virtual host
> > document root and look at other virtual host files.
> >
> > How would one stop this ? I have taken a look at mod_chroot but
> > that does not seem to work as ChrootDir can only be used in the
> > main configuration and not in the VirtualHost directive.
> >
> > For reference I am running Apache 2.2.17.
>
> I have tried to create a second instance of HTTP, running on port
> 8080, using the following conf:
>
> LoadModule chroot_module modules/mod_chroot.so
> LoadModule headers_module modules/mod_headers.so
> LoadModule rewrite_module modules/mod_rewrite.so
> LoadModule expires_module modules/mod_expires.so
> LoadModule auth_basic_module modules/mod_auth_basic.so
> LoadModule php5_module modules/libphp5.so
> LoadModule deflate_module modules/mod_deflate.so
>
> LoadFile /lib64/libnss_dns.so.2
>
> AddHandler php5-script php
>
> Listen 8080
>
> ChrootDir /www/somevhost.co.uk
> ServerRoot /
> DocumentRoot /htdocs
>
> RequestHeader Set Host www.somevhost.co.uk
> PidFile /var/run/apache2.pid
> Timeout 300
> KeepAlive On
> MaxKeepAliveRequests 100
> KeepAliveTimeout 15
>
> User somevhost.co.uk
> Group somevhost.co.uk
>
> HostnameLookups Off
> LogLevel warn
>
> ErrorLog /logs/error.log
> CustomLog /logs/access.log combined
>
> DirectoryIndex index.html index.php
>
> AccessFileName .htaccess
>
> Order allow,deny
> Deny from all
>
> Order deny,allow
> Allow from all
> AllowOverride All
>
> Though when I run :-
>
> /usr/local/apache/bin/httpd -f /www/somevhost.co.uk/conf/apache2.conf -k start
>
> it complains that it cannot find the DocumentRoot directory which
> would suggest that the Chroot is not taking place. If I use
> absolute paths then HTTPD does indeed start but a phpinfo() returns
> the path as being /www/somevhost.co.uk/htdocs instead of /htdocs.
>
> Any ideas what I could be doing wrong please ?

Finally got this to work as it appears to be a bug in Apache and you have to create a fake root eg. /www/somevhost.co.uk/www.

What I am struggling with is that the Joomla site works fine until you come to try and install a component or module. It loads up to 100% and then it just says it cannot install. All the permissions look fine and it was working before switching to a chroot environment.

Any thoughts ?

--
Thanks, Phil
Re: [users@httpd] Chroot a virtual host
Hello,

On 20.04.11 00:47, --[ UxBoD ]-- wrote:
> I have noticed that when running Joomla, or in-fact any browsing capable
> PHP code, I am able to navigate above my virtual host document root and
> look at other virtual host files.
>
> How would one stop this ? I have taken a look at mod_chroot but that does
> not seem to work as ChrootDir can only be used in the main configuration
> and not in the VirtualHost directive.

Just 1.5 months ago this question was asked and (imho) answered. Usually the PHP scripts are run under the same user Apache runs as, so they have the same permissions.

You can limit which files a PHP script can access by using the PHP directives open_basedir and doc_root.

You can run the peruser MPM with Apache 2.2.

You can also run PHP as CGI using suexec, but that's a bit ineffective. I don't know how FastCGI works.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
(R)etry, (A)bort, (C)ancer
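
An added example, not part of any message in this thread: a shell check that reads Apache configuration on stdin and reports, for each virtual host, whether the open_basedir limit suggested in the reply above is set with php_admin_value. The sample configuration, the host names b.example and c.example and the function names are constructed; it assumes mod_php, where php_admin_value and php_value are valid inside <VirtualHost>.

```shell
#!/bin/sh
# Constructed sample (not from the thread): three mod_php virtual hosts.
sample_conf() {
cat <<'EOF'
<VirtualHost *:80>
    ServerName www.somevhost.co.uk
    DocumentRoot /www/somevhost.co.uk/htdocs
    php_admin_value open_basedir /www/somevhost.co.uk/htdocs:/www/somevhost.co.uk/tmp
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    DocumentRoot /www/b.example/htdocs
    php_value open_basedir /www/b.example/htdocs
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
    DocumentRoot /www/c.example/htdocs
</VirtualHost>
EOF
}

# For each <VirtualHost> block print "<ServerName> <status>":
#   ok         open_basedir is set with php_admin_value
#   not-admin  set with php_value; only php_admin_value settings are
#              protected from .htaccess and ini_set() changes
#   missing    no open_basedir: PHP file access is limited only by the
#              filesystem permissions of the user Apache runs as
audit_open_basedir() {
    awk '
        { key = tolower($1) }
        key ~ /^<virtualhost/ { invh = 1; name = "(unnamed)"; status = "missing"; next }
        !invh { next }
        key == "servername" { name = $2 }
        key == "php_admin_value" && tolower($2) == "open_basedir" { status = "ok" }
        key == "php_value" && tolower($2) == "open_basedir" && status != "ok" { status = "not-admin" }
        key ~ /^<\/virtualhost/ { print name, status; invh = 0 }
    '
}

sample_conf | audit_open_basedir
```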
Re: [users@httpd] Chroot a virtual host
----- Original Message -----
> Hello,
>
> On 20.04.11 00:47, --[ UxBoD ]-- wrote:
> > I have noticed that when running Joomla, or in-fact any browsing
> > capable PHP code, I am able to navigate above my virtual host
> > document root and look at other virtual host files.
> >
> > How would one stop this ? I have taken a look at mod_chroot but
> > that does not seem to work as ChrootDir can only be used in the
> > main configuration and not in the VirtualHost directive.
>
> Just 1.5 months ago this question was asked and (imho) answered.
> Usually the PHP scripts are run under the same user Apache runs as,
> so they have the same permissions.
>
> You can limit which files a PHP script can access by using the PHP
> directives open_basedir and doc_root.
>
> You can run the peruser MPM with Apache 2.2.
>
> You can also run PHP as CGI using suexec, but that's a bit
> ineffective. I don't know how FastCGI works.

I managed to get Joomla working, kind of, in an Apache 2.2 chroot but then I hit a problem with JDate not working so I raised http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=25870

I have now switched to trying to get SuExec and FCGI working but hitting an issue with:

[Fri May 13 08:29:29 2011] [warn] [client ] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Fri May 13 08:29:29 2011] [error] [client XXX] Premature end of script headers: test.php

Though will post this as a separate thread.

--
Thanks, Phil
Re: [users@httpd] Chroot a virtual host
Hi,
Some time ago I played with exactly your configuration.

If you strace the httpd process you can see that it's searching some files under /usr/share related to date and time.
Here is an extract of my chroot with files I copied under my chroot:

/chroot/usr/share/zoneinfo/Europe/Rome
/chroot/usr/share/zoneinfo/zone.tab

Hope this helps.
Marco

On Fri, May 13, 2011 at 9:35 AM, --[ UxBoD ]-- wrote:
> ----- Original Message -----
>> Hello,
>>
>> On 20.04.11 00:47, --[ UxBoD ]-- wrote:
>> > I have noticed that when running Joomla, or in-fact any browsing
>> > capable PHP code, I am able to navigate above my virtual host
>> > document root and look at other virtual host files.
>> >
>> > How would one stop this ? I have taken a look at mod_chroot but
>> > that does not seem to work as ChrootDir can only be used in the
>> > main configuration and not in the VirtualHost directive.
>>
>> Just 1.5 months ago this question was asked and (imho) answered.
>> Usually the PHP scripts are run under the same user Apache runs as,
>> so they have the same permissions.
>>
>> You can limit which files a PHP script can access by using the PHP
>> directives open_basedir and doc_root.
>>
>> You can run the peruser MPM with Apache 2.2.
>>
>> You can also run PHP as CGI using suexec, but that's a bit
>> ineffective. I don't know how FastCGI works.
>
> I managed to get Joomla working, kind of, in an Apache 2.2 chroot but then I
> hit a problem with JDate not working so I raised
> http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=25870
>
> I have now switched to trying to get SuExec and FCGI working but hitting an
> issue with:
>
> [Fri May 13 08:29:29 2011] [warn] [client ] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
> [Fri May 13 08:29:29 2011] [error] [client XXX] Premature end of script headers: test.php
>
> Though will post this as a separate thread.
> --
> Thanks, Phil

--
It is not the one who never falls who is strong, but the one who, falling, has the strength to get back up.
Jim Morrison
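
An added example, not part of any message in this thread: the strace approach described in the reply above, written as a shell filter that lists the files a chrooted httpd looked for and did not find, paired with the destination each would need under the chroot. The strace excerpt, the PIDs and the function names are constructed; /chroot follows the layout shown in the reply.

```shell
#!/bin/sh
# Constructed strace excerpt (not from the thread) of chrooted httpd children.
sample_strace() {
cat <<'EOF'
[pid 4242] open("/usr/share/zoneinfo/Europe/Rome", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4242] open("/htdocs/index.php", O_RDONLY) = 7
[pid 4242] stat("/usr/share/zoneinfo/zone.tab", 0x7fff5c0) = -1 ENOENT (No such file or directory)
[pid 4243] open("/usr/share/zoneinfo/Europe/Rome", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4243] open("/htdocs/.htaccess", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

# Read strace output on stdin and print each distinct path starting with
# the given prefix whose open/openat/stat/access call failed with ENOENT.
missing_paths() {
    prefix=$1
    grep -E '(open|openat|stat|access)\(.*= -1 ENOENT' |
        sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p' |
        awk -v p="$prefix" 'index($0, p) == 1' |
        LC_ALL=C sort -u
}

# Pair each missing path with its location under the chroot directory.
# The process sees /usr/share/...; on the host that is <chroot>/usr/share/...
# Review the list before copying so the jail holds only what the site needs.
copy_plan() {
    chroot_dir=$1
    missing_paths "$2" | while IFS= read -r p; do
        printf '%s -> %s%s\n' "$p" "$chroot_dir" "$p"
    done
}

sample_strace | copy_plan /chroot /usr/share/
```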
Re: [users@httpd] Chroot a virtual host
----- Original Message -----
> Hi,
> Some time ago I played with exactly your configuration.
>
> If you strace the httpd process you can see that it's searching some
> files under /usr/share related to date and time.
> Here is an extract of my chroot with files I copied under my chroot:
>
> /chroot/usr/share/zoneinfo/Europe/Rome
> /chroot/usr/share/zoneinfo/zone.tab
>
> Hope this helps.
> Marco
>
> On Fri, May 13, 2011 at 9:35 AM, --[ UxBoD ]-- wrote:
> > ----- Original Message -----
> >> Hello,
> >>
> >> On 20.04.11 00:47, --[ UxBoD ]-- wrote:
> >> > I have noticed that when running Joomla, or in-fact any browsing
> >> > capable PHP code, I am able to navigate above my virtual host
> >> > document root and look at other virtual host files.
> >> >
> >> > How would one stop this ? I have taken a look at mod_chroot but
> >> > that does not seem to work as ChrootDir can only be used in the
> >> > main configuration and not in the VirtualHost directive.
> >>
> >> Just 1.5 months ago this question was asked and (imho) answered.
> >> Usually the PHP scripts are run under the same user Apache runs
> >> as, so they have the same permissions.
> >>
> >> You can limit which files a PHP script can access by using the PHP
> >> directives open_basedir and doc_root.
> >>
> >> You can run the peruser MPM with Apache 2.2.
> >>
> >> You can also run PHP as CGI using suexec, but that's a bit
> >> ineffective. I don't know how FastCGI works.
> >
> > I managed to get Joomla working, kind of, in an Apache 2.2 chroot
> > but then I hit a problem with JDate not working so I raised
> > http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=25870
> >
> > I have now switched to trying to get SuExec and FCGI working but
> > hitting an issue with:
> >
> > [Fri May 13 08:29:29 2011] [warn] [client ] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
> > [Fri May 13 08:29:29 2011] [error] [client XXX] Premature end of script headers: test.php
> >
> > Though will post this as a separate thread.

Hi Marco,

I shall certainly give that a try :) I am debating which is going to be the easier to support long term; chroot or SuExec&FCGI and which will offer the greater degree of security.

--
Thanks, Phil