"Fossies" - the Fresh Open Source Software Archive

Member "mod_chroot-0.5/CAVEATS" (12 Jun 2005, 3267 Bytes) of package /linux/www/apache_httpd_modules/old/mod_chroot-0.5.tar.gz:



                                   mod_chroot

Restarting Apache

   Once chrooted, Apache cannot access anything located above ChrootDir. For
   that reason restarting Apache with 'apachectl reload', 'apachectl
   graceful' or 'kill -HUP apache_pid' will not work as expected: Apache will
   not be able to read its config file, open its logs or load modules (unless
   you put them inside the jail, but mod_chroot is all about not doing that!).
   Use 'apachectl stop' followed by 'apachectl start' to restart a
   mod_chroot-enabled Apache.

DNS lookups

   libresolv uses /etc/resolv.conf to find your DNS server. If this file
   doesn't exist, libresolv uses 127.0.0.1:53 as the DNS server. You can run
   a small caching server listening on 127.0.0.1 (which may be a good idea
   anyway), or use your operating system's firewall to transparently redirect
   queries to 127.0.0.1:53 to your real DNS server. Note that this is only
   necessary if Apache actually does DNS lookups, which you can probably
   avoid altogether.

   Please also read the shared libraries section below.

Databases

   If your MySQL/PostgreSQL accepts connections on a Unix socket which is
   outside of your chroot jail, reconfigure it to listen on a loopback
   address (127.0.0.1).

PHP mail() function

   Under Unix, PHP requires a sendmail binary to send mail. Putting this file
   inside your jail may not be sufficient: you would probably need to move
   your mail queue as well. You have three options here:

     * install an SMTP-only sendmail clone like sSMTP or nbsmtp. You can then
       put a single binary inside your jail and deliver mail via a
       smarthost.
     * don't use mail(). Use a class/function that knows how to send directly
       via SMTP (like PEAR's Mail).
     * convince the PHP developers to make SMTP support a configurable option
       under Unix, or write a patch yourself - remember to submit it to the
       mod_chroot mailing list for others to use.

Shared libraries

   Shared libraries are libraries which are linked to a program at run-time.
   Nowadays, most programs require some shared libraries to run - libc.so is
   the most common. You can see the list of shared libraries a program
   requires by running ldd /path/to/program. Loading of these libraries is
   done automagically by ld.so at startup, so mod_chroot doesn't interfere
   with this mechanism.

   A program may also explicitly load a shared library by calling dlopen()
   and dlsym(). This might cause trouble in a chrooted environment: after a
   process is chrooted, libraries (usually stored in /lib) might no longer be
   accessible. This doesn't happen very often, but if it does there is a
   solution: you can preload these libraries before chrooting. Apache has a
   handy directive for that: LoadFile. This is what people reported on the
   mailing list:

     * DNS lookups - GNU libc tries to load libnss_dns.so.2 when the first
       DNS lookup is done. Solution:

 LoadFile /lib/libnss_dns.so.2

     * Apache 2.0 with mpm_worker on Linux 2.6 - GNU libc tries to load
       libgcc_s.so.1 when pthread_cancel is called. Solution:

 LoadFile /lib/libgcc_s.so.1
   71 
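   A pre-flight check for the caveats above, as an added example that is not
   mod_chroot's own code: it parses httpd.conf directives (ChrootDir,
   LoadFile), takes a constructed set of host paths plus the paths Apache
   will open by name after chroot (a database socket, PHP's sendmail), and
   reports which caveat would bite. The function names, the sample config and
   the sample paths are assumptions made for this example.

```python
import posixpath

# Libraries GNU libc dlopen()s lazily (as reported above) and when it does so.
LAZY_LIBS = {
    "libnss_dns.so.2": "first DNS lookup",
    "libgcc_s.so.1": "pthread_cancel (mpm_worker on Linux 2.6)",
}

def parse_directives(conf_text):
    """Yield (directive, argument) for each non-blank, non-comment line."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                yield parts[0], parts[1].strip().strip('"')

def inside_jail(path, jail):
    """True if path lies below the jail root once '..' and '/' are normalised."""
    jail, path = posixpath.normpath(jail), posixpath.normpath(path)
    return path == jail or path.startswith(jail.rstrip("/") + "/")

def chroot_preflight(conf_text, existing_paths, runtime_paths=()):
    """Warnings for the caveats above, given host paths (a set) and paths
    Apache opens by name after chroot (e.g. a DB socket or sendmail)."""
    directives = list(parse_directives(conf_text))
    jail = next((a for d, a in directives if d == "ChrootDir"), None)
    if jail is None:
        return ["no ChrootDir directive: mod_chroot is not active"]
    jail = posixpath.normpath(jail)
    warnings = []
    # DNS: without resolv.conf inside the jail, libresolv asks 127.0.0.1:53.
    if posixpath.join(jail, "etc/resolv.conf") not in existing_paths:
        warnings.append(f"{jail}/etc/resolv.conf missing: DNS queries go to 127.0.0.1:53")
    # dlopen() after chroot fails unless the library was preloaded with LoadFile.
    preloaded = {posixpath.basename(a) for d, a in directives if d == "LoadFile"}
    for lib, when in LAZY_LIBS.items():
        if lib not in preloaded:
            warnings.append(f"{lib} not preloaded (needed on {when}): add LoadFile /lib/{lib}")
    # Anything opened by path after chroot must live below ChrootDir.
    for p in runtime_paths:
        if not inside_jail(p, jail):
            warnings.append(f"{p} is outside {jail}: unreachable once chrooted")
    return warnings

# Constructed sample: jail at /var/www, DNS lib preloaded, MySQL socket outside.
SAMPLE_CONF = "ChrootDir /var/www\nLoadFile /lib/libnss_dns.so.2\n"
SAMPLE_HOST_PATHS = {"/var/www/etc/resolv.conf", "/var/run/mysqld/mysqld.sock"}
SAMPLE_RUNTIME = ["/var/run/mysqld/mysqld.sock", "/var/www/usr/sbin/sendmail"]
```

   Running chroot_preflight(SAMPLE_CONF, SAMPLE_HOST_PATHS, SAMPLE_RUNTIME)
   flags the missing LoadFile for libgcc_s.so.1 and the MySQL socket outside
   the jail, while the preloaded DNS library and the in-jail sendmail pass.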
Others?

   Did you have other problems with Apache+mod_chroot? Please send your
   experiences to the mailing list; I'll publish them here.