Difference between revisions of "Apache mod chroot"
Revision as of 25 October 2007, 12:49
Introduction
chroot(2) changes the root directory of a process to a directory other than "/". It means the process is locked inside a virtual filesystem root. If you configure your chroot jail properly, Apache and its child processes (think CGI scripts) won't be able to access anything except the jail.
There are many documents about running programs inside a chroot jail. Some daemons (tinydns, dnscache, vsftpd) support it out of the box. For others (like Apache) you need to carefully build a "virtual root", containing every file the program may need.
Creating this structure is great fun. Run the program, read the error message, copy the missing file, start over. Now think about upgrading - you have to keep your "virtual root" current - if there is a bug in libssl, you need to put a new version in two places. Scared enough? Read on.
More about this technique of building an Apache chroot by hand:
http://www.faqs.org/docs/securing/chap29sec254.html
mod_chroot allows you to run Apache in a chroot jail with no additional files. The chroot() system call is performed at the end of the startup procedure, when all libraries are loaded and the log files are open.
Install
In Gentoo's portage at the time of writing (Thu Oct 25 12:36:38 EEST 2007) mod_chroot was masked by keywords and had to be unmasked before running emerge mod_chroot.
FreeBSD has ports for both mod_chroot and mod_jail; the latter uses FreeBSD's jail system calls to isolate Apache.
Create the required directories. The directory where the chrooted Apache will live is /home/chroot from here on:
 mkdir /home/chroot/
 mkdir -p /home/chroot/var/www
 mkdir -p /home/chroot/var/run
Then load the mod_chroot module and add the following lines to httpd.conf:
 ChrootDir /home/chroot/
 DocumentRoot /var/www/html
 PidFile /var/run/apache2.pid
The pid file is also created inside the chroot: what Apache sees as the directory /var/run/ is really /home/chroot/var/run on the system side.
Likewise, on the system side the full path of the DocumentRoot is /home/chroot/var/www/.
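As an added example (not code from the original page or from mod_chroot), here is a small POSIX shell helper that reads ChrootDir, DocumentRoot and PidFile from an httpd.conf fragment, maps the jail-internal paths to their host-side locations, and checks that those locations exist. The sample config is constructed from the directives above; the function names are hypothetical.

```shell
#!/bin/sh
# Map paths that Apache sees inside the chroot to their real host paths and
# verify they exist. Hypothetical helper, not part of mod_chroot.

# Constructed sample config using the directives shown on the page.
SAMPLE_CONF='ChrootDir /home/chroot/
DocumentRoot /var/www/html
PidFile /var/run/apache2.pid'

# Print the value of directive $1 from config text on stdin (first match wins).
conf_value() {
    awk -v d="$1" '$1 == d { print $2; exit }'
}

# $1 = ChrootDir, $2 = path as Apache sees it inside the jail.
host_path() {
    jail=${1%/}      # drop trailing slash from ChrootDir
    inner=${2#/}     # drop leading slash from the jail-internal path
    printf '%s/%s\n' "$jail" "$inner"
}

# $1 = config text. Reports each directive's host path; returns 1 if any is missing.
check_jail_paths() {
    jail_dir=$(printf '%s\n' "$1" | conf_value ChrootDir)
    status=0
    for directive in DocumentRoot PidFile; do
        inner=$(printf '%s\n' "$1" | conf_value "$directive")
        real=$(host_path "$jail_dir" "$inner")
        # PidFile is a file that Apache creates; its parent directory must exist.
        case $directive in
            PidFile) target=$(dirname "$real") ;;
            *)       target=$real ;;
        esac
        if [ -d "$target" ]; then
            echo "$directive: $inner -> $real (ok)"
        else
            echo "$directive: $inner -> $real (missing on host: $target)"
            status=1
        fi
    done
    return $status
}
```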
Testing
Create the directory /home/chroot/var/www/html:
 mkdir -p /home/chroot/var/www/html
In the VirtualHost the directory is written as
 /var/www/html
Create a test PHP file in /home/chroot/var/www/html with the following PHP code, which opens the directory given in the $path variable (/var/) and lists its contents.
 <?php
 $path = "/var/";
 // The @ suppresses PHP's own warning so only die()'s message is printed on failure.
 $dir_handle = @opendir($path) or die("Unable to open $path");
 // Compare against false explicitly: an entry named "0" would otherwise end the loop early.
 while (($file = readdir($dir_handle)) !== false) {
     echo "$file";
     echo "<br>";
 }
 closedir($dir_handle);
 ?>
Running this in a browser gives
www run
Changing the path to $path = "/etc/";
the response is
Unable to open /etc/