Member "mod_chroot-0.5/CAVEATS" (12 Jun 2005, 3267 Bytes) of package /linux/www/apache_httpd_modules/old/mod_chroot-0.5.tar.gz:

                                   mod_chroot

Restarting Apache

   Once chrooted, Apache cannot access anything located above ChrootDir. For
   that reason, restarting Apache with 'apachectl reload', 'apachectl
   graceful' or 'kill -HUP apache_pid' will not work as expected: Apache will
   not be able to read its config file, open its logs or load modules (unless
   you put them inside the jail, but mod_chroot is all about not doing that!).
   Use 'apachectl stop' followed by 'apachectl start' to restart a
   mod_chroot-enabled Apache.

DNS lookups

   libresolv uses /etc/resolv.conf to find your DNS server. If this file
   doesn't exist, libresolv falls back to its built-in default address. You
   can run a small caching server listening on that address (which may be a
   good idea anyway), or use your operating system's firewall to
   transparently redirect queries sent to it to your real DNS server. Note
   that this is only necessary if Apache actually performs DNS lookups; you
   can probably avoid them altogether.

   Please also read the shared libraries section below.

Databases

   If your MySQL/PostgreSQL accepts connections on a Unix socket which is
   outside of your chroot jail, reconfigure it to listen on a loopback
   address (

PHP mail() function

   Under Unix, PHP requires a sendmail binary to send mail. Putting this file
   inside your jail may not be sufficient: you would probably need to move
   your mail queue as well. You have three options here:

     * install an SMTP-only sendmail clone like sSMTP or nbsmtp. You can then
       put a single binary inside your jail and deliver mail via a
       smarthost.
     * don't use mail(). Use a class/function that knows how to send directly
       via SMTP (like PEAR's Mail).
     * convince the PHP developers to make SMTP support a configurable option
       under Unix, or write a patch yourself; remember to submit it to the
       mod_chroot mailing list for others to use.

Shared libraries

   Shared libraries are libraries which are linked to a program at run time.
   Nowadays, most programs require some shared libraries to run; libc.so is
   the most common. You can see the list of shared libraries a program
   requires by running ldd /path/to/program. These libraries are loaded
   automatically by ld.so at startup, and mod_chroot doesn't interfere with
   this mechanism.

   A program may also explicitly load a shared library by calling dlopen()
   and dlsym(). This can cause trouble in a chrooted environment: after the
   process is chrooted, libraries (usually stored in /lib) may no longer be
   accessible. This doesn't happen very often, but if it does, there is a
   solution: you can preload these libraries before chrooting. Apache has a
   handy directive for that: LoadFile. This is what people reported on the
   mailing list:

     * DNS lookups: GNU libc tries to load libnss_dns.so.2 when the first DNS
       lookup is done. Solution:

 LoadFile /lib/libnss_dns.so.2

     * Apache 2.0 with mpm_worker on Linux 2.6: GNU libc tries to load
       libgcc_s.so.1 when pthread_cancel is called. Solution:

 LoadFile /lib/libgcc_s.so.1
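
   A small audit helper for the two situations above (libraries that vanish
   from view once the process is inside the jail, and libraries glibc
   dlopen()s lazily), added here as an example and not part of mod_chroot.
   It assumes ChrootDir is passed as the first argument, that ldd output is
   fed on stdin, and that the lazily loaded library paths are given as
   arguments.

```shell
#!/bin/sh
# Example helper, not shipped with mod_chroot. Works on ldd-style input
# ("name => /path (0xaddr)") and a jail directory (ChrootDir).

# List every library path from ldd output that does not also exist under
# the jail. ld.so maps these before chroot() runs, so startup is fine; the
# list is what a later dlopen() of the same name would fail to find.
missing_in_jail() {
    jail=$1
    # Keep only the resolved absolute path (field 3) of "=>" lines;
    # vdso-style lines without a path are skipped.
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
    while read -r lib; do
        [ -e "$jail$lib" ] || printf '%s\n' "$lib"
    done
}

# Emit a LoadFile directive for each library that glibc loads lazily
# (e.g. libnss_dns.so.2, libgcc_s.so.1). Only paths present on the host
# are emitted: a LoadFile for a missing path keeps Apache from starting.
loadfile_directives() {
    for lib in "$@"; do
        if [ -e "$lib" ]; then
            printf 'LoadFile %s\n' "$lib"
        else
            printf '# skipped (not found on host): %s\n' "$lib" >&2
        fi
    done
}
```

   Typical use: ldd /usr/sbin/httpd | missing_in_jail /var/www, then
   append the output of loadfile_directives to httpd.conf.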

Others?

   Did you have other problems with Apache+mod_chroot? Please send your
   experiences to the mailing list and I'll publish them here.