Apache mod chroot: erinevus redaktsioonide vahel
| 10. rida: | 10. rida: | ||
===Install=== | ===Install=== | ||
Gentoos viimases oli mod_chroot masked by keywords ning tuli umaskida enne | |||
käsku emerge mod_chroot | |||
FreeBSD omab nii mod_chroot kui ka mod_jail porti | |||
viimane kasutab FreeBSD jail süsteemi käske apache eraldamiseks. | |||
Kaust kus hakkab elutsema chrooditud apache on edaspidi '''/home/chroot''' | |||
mkdir /home/chroot/ | mkdir /home/chroot/ | ||
| 20. rida: | 24. rida: | ||
mkdir -p /home/chroot/var/www/html | mkdir -p /home/chroot/var/www/html | ||
ChrootDir /home/chroot/ | Apachel tuleb laadida moodul ja lisada httpd.conf'i read | ||
ChrootDir '''/home/chroot/''' | |||
DocumentRoot /var/www/html | DocumentRoot /var/www/html | ||
PidFile /var/run/apache2.pid | PidFile /var/run/apache2.pid | ||
| 28. rida: | 33. rida: | ||
Pid tekib tegelikult siis kausta /home/chroot/var/run/ | Pid tekib tegelikult siis kausta /home/chroot/var/run/ | ||
Ning süsteemipoolt documentroot täisrada on /home/chroot/var/www/ | Ning süsteemipoolt documentroot täisrada on /home/chroot/var/www/ | ||
===Testimine=== | ===Testimine=== | ||
Redaktsioon: 25. oktoober 2007, kell 09:35
Sissejuhatus
chroot(2) changes the root directory of a process to a directory other than "/". It means the process is locked inside a virtual filesystem root. If you configure your chroot jail properly, Apache and its child processes (think CGI scripts) won't be able to access anything except the jail.
There are many documents about running programs inside a chroot jail. Some daemons (tinydns, dnscache, vsftpd) support it out of the box. For others (like Apache) you need to carefully build a "virtual root", containing every file the program may need. Creating this structure is great fun. Run the program, read the error message, copy the missing file, start over. Now think about upgrading - you have to keep your "virtual root" current - if there is a bug in libssl, you need to put a new version in two places. Scared enough? Read on.
mod_chroot allows you to run Apache in a chroot jail with no additional files. The chroot() system call is performed at the end of startup procedure - when all libraries are loaded and log files open.
Install
Gentoos viimases oli mod_chroot masked by keywords ning tuli umaskida enne käsku emerge mod_chroot
FreeBSD omab nii mod_chroot kui ka mod_jail porti viimane kasutab FreeBSD jail süsteemi käske apache eraldamiseks.
Kaust kus hakkab elutsema chrooditud apache on edaspidi /home/chroot
mkdir /home/chroot/ mkdir -p /home/chroot/var/www mkdir -p /home/chroot/var/run mkdir -p /home/chroot/var/www/html
Apachel tuleb laadida moodul ja lisada httpd.conf'i read
ChrootDir /home/chroot/ DocumentRoot /var/www/html PidFile /var/run/apache2.pid
Pid tekib tegelikult siis kausta /home/chroot/var/run/ Ning süsteemipoolt documentroot täisrada on /home/chroot/var/www/
Testimine
Virtualhostis on määratud kodukataloogiks
/var/www/html
Tekitame test php faili kausta /home/chroot/var/www/html
Loome selleks test.php mille sisuks näiteks järgnev php kood mis avab $path muutujas antud kausta ja näitab selle sisu.
$path = "/var/";
$dir_handle = @opendir($path) or die("Unable to open $path");
while ($file = readdir($dir_handle)) {
if($file == "." || $file == ".." || $file == "index.php" )
continue;
echo "$file\">$file";
echo "< br >";
}
closedir($dir_handle);
tulemus seda brauseris käivitades oleks
www run
muutes $path = "/etc/";
Vastuseks
Unable to open /etc/
