Hi all, I run Apache with ChrootDir option, and would like to use FastCGI instead of mod_php. But FastCGI forks the process before the chroot, so php scripts would run outside the chroot. Despite the note on the documentation about not altering suexec, I've successfully solved my problem with a very small patch. On my system,it works as intended and processes are correctly chrooted (checked with lsof) and run with correct uid. Does it create more security problems than it can solve? Do you suggest to keep it or remove it from my system? Can it become useful for others? I know that's a very "raw" solution.
Massimo Maggi Inline patch: --- suexec-orig/suexec.c 2010-09-09 14:11:44.000000000 +0200 +++ suexec-mod/suexec.c 2010-09-09 14:14:01.000000000 +0200 @@ -465,7 +465,15 @@ log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd); exit(108); } +getcwd(cwd, AP_MAXPATH); +if(chroot(DIR_CHROOT)!=0){ + log_err("chroot failed!\n"); + exit(208); +}; +chdir(cwd); /* * Change UID/GID here so that the following tests work over NFS. * diff -ruN suexec-orig/suexec.h suexec-mod/suexec.h --- suexec-orig/suexec.h 2010-09-09 14:11:44.000000000 +0200 +++ suexec-mod/suexec.h 2010-09-09 14:06:25.000000000 +0200 @@ -23,7 +23,7 @@ #ifndef _SUEXEC_H #define _SUEXEC_H - +#define DIR_CHROOT "/chroots/apache/" /* * Include ap_config_layout so we can work out where the default htdocsdir * and logsdir are.