"Fossies" - the Fresh Open Source Software Archive
As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard
) with prefixed line numbers.
Alternatively you can here view
the uninterpreted source code file.
Restarting Apache

Once chrooted, Apache cannot access anything located above ChrootDir. For
that reason restarting Apache with 'apachectl reload', 'apachectl
graceful' or 'kill -HUP apache_pid' will not work as expected. Apache will
not be able to read its config file, open logs or load modules (unless you
put them inside the jail, but mod_chroot is all about not doing that!).
Use 'apachectl stop' followed by 'apachectl start' to restart a
mod_chroot-enabled Apache.
DNS lookups

libresolv uses /etc/resolv.conf to find your DNS server. If this file
doesn't exist, libresolv uses 127.0.0.1:53 as the DNS server. You can run
a small caching server listening on 127.0.0.1 (which may be a good idea
anyway), or use your operating system's firewall to transparently redirect
queries to 127.0.0.1:53 to your real DNS server. Note that this is only
necessary if you do DNS lookups - probably this can be avoided?

Please also read the libraries section below.
If your MySQL/PostgreSQL accepts connections on a Unix socket which is
outside of your chroot jail, reconfigure it to listen on a loopback
address (127.0.0.1).
PHP mail() function

Under Unix, PHP requires a sendmail binary to send mail. Putting this file
inside your jail may not be sufficient: you would probably need to move
your mail queue as well. You have three options here:

* install an SMTP-only sendmail clone like sSMTP or nbsmtp. You can then
put a single binary inside your jail, and deliver mail via a
* don't use mail(). Use a class/function that knows how to send directly
via SMTP (like PEAR's Mail)
* convince PHP developers to make SMTP support a configurable option
under Unix, or write a patch yourself - remember to submit it to the
mod_chroot mailing list for others to use.
Shared libraries

Shared libraries are libraries which are linked to a program at run-time.
Nowadays, most programs require some shared libraries to run - libc.so is
the most common. You can see a list of shared libraries a program requires
by running ldd /path/to/program. Loading of these libraries is done
automagically by ld.so at startup. mod_chroot doesn't interfere with this

A program may also explicitly load a shared library by calling dlopen()
and dlsym(). This might cause trouble in a chrooted environment - after a
process is chrooted, libraries (usually stored in /lib) might no longer be
accessible. This doesn't happen very often, but if it does - there is a
solution: you can preload these libraries before chrooting. Apache has a
handy directive for that: LoadFile. This is what people reported on the
mailing list:

* DNS lookups - GNU libc tries to load libnss_dns.so.2 when the first DNS
lookup is done. Solution:

LoadFile /lib/libnss_dns.so.2

* Apache 2.0 with mpm_worker on Linux 2.6 - GNU libc tries to load
libgcc_s.so.1 when pthread_cancel is called. Solution:

LoadFile /lib/libgcc_s.so.1
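The following is an added example, not part of mod_chroot: a small POSIX shell helper that takes the libraries known to be dlopen()ed after the chroot (the two named above plus a constructed bogus one) and reports, for an assumed ChrootDir given as the first argument, which of them already sit inside the jail, which need a LoadFile directive to be preloaded before chrooting, and which cannot be found at all. The optional second argument (an assumed host root, empty for the real filesystem) exists only so the check can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not part of mod_chroot. For each library that glibc or a
# module loads with dlopen() at run-time (i.e. after the chroot happened),
# decide what a chrooted Apache needs: nothing if the file is already under
# ChrootDir, a LoadFile directive to preload it at startup if it exists on
# the host, or a warning line if it cannot be found anywhere.
# Assumptions: "$1" is ChrootDir; "$2" is the host root ("" for the real /,
# a scratch directory when testing); library paths arrive one per line on stdin.

preload_plan() {
    jail="$1"
    host="${2:-}"
    while read -r lib; do
        [ -n "$lib" ] || continue
        if [ -e "$jail$lib" ]; then
            : # already reachable from inside the jail, no preload required
        elif [ -e "$host$lib" ]; then
            printf 'LoadFile %s\n' "$lib"
        else
            printf '# not found on host, fix the path: %s\n' "$lib"
        fi
    done
}

# Constructed sample: the two libraries the text names plus a bogus one.
SAMPLE_LIBS='/lib/libnss_dns.so.2
/lib/libgcc_s.so.1
/lib/libexample_missing.so.1'

# Run the plan for SAMPLE_LIBS against a jail root and an optional host root.
check_jail() {
    printf '%s\n' "$SAMPLE_LIBS" | preload_plan "$1" "$2"
}

if [ "$#" -ge 1 ]; then
    check_jail "$1" "$2"
fi
```

Feed it the real list of run-time-loaded libraries (one path per line) instead of SAMPLE_LIBS and paste the emitted LoadFile lines into httpd.conf before ChrootDir takes effect.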
Did you have other problems with Apache+mod_chroot? Please send your
experiences to the mailing list and I'll publish them here.