chroot of apache"s cgi execution

Hello all,

can anybody give me some hint about chrooting execution of cgi script invoked
through apache?
I would like to achieve this on per-virtual-host basis so every virtual host
would have different root dir to which it would chroot execution of it's cgi
scripts. If the price is perl installation in every chroot jail so be it.

Best regards,

Bostjan Skufca

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: chroot of apache"s cgi execution

Only root is able to chroot. You would need to run apache as root or find
a safe way to get root privileges for the chroot.

On Sat, 17 Jan 2004, Bostjan Skufca (at) domenca.com wrote:

> Hello all,
>
> can anybody give me some hint about chrooting execution of cgi script invoked
> through apache?
> I would like to achieve this on per-virtual-host basis so every virtual host
> would have different root dir to which it would chroot execution of it's cgi
> scripts. If the price is perl installation in every chroot jail so be it.
>
> Best regards,
>
> Bostjan Skufca
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
>

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: chroot of apache"s cgi execution

Maybe this can help you ?

http://www.devet.org/apache/chroot/

Kind regards,

Joao Schim

On Sat, 17 Jan 2004 04:45:24 +0100
"Bostjan Skufca (at) domenca.com" wrote:

> Hello all,
>
> can anybody give me some hint about chrooting execution of cgi script invoked
> through apache?
> I would like to achieve this on per-virtual-host basis so every virtual host
> would have different root dir to which it would chroot execution of it's cgi
> scripts. If the price is perl installation in every chroot jail so be it.
>
> Best regards,
>
> Bostjan Skufca
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>


--
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: chroot of apache"s cgi execution

it doesn't fit per-vhost requirement

On Saturday 17 of January 2004 13:33, Joao Schim wrote:
> Maybe this can help you ?
>
> http://www.devet.org/apache/chroot/
>
> Kind regards,
>
> Joao Schim
>
> On Sat, 17 Jan 2004 04:45:24 +0100
>
> "Bostjan Skufca (at) domenca.com" wrote:
> > Hello all,
> >
> > can anybody give me some hint about chrooting execution of cgi script
> > invoked through apache?
> > I would like to achieve this on per-virtual-host basis so every virtual
> > host would have different root dir to which it would chroot execution of
> > it's cgi scripts. If the price is perl installation in every chroot jail
> > so be it.
> >
> > Best regards,
> >
> > Bostjan Skufca
> >
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Best regards,

Bostjan Skufca
system administrator

Domenca d.o.o.
Phone: +386 4 5835444
Fax: +386 4 5831999
http://www.domenca.com

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: chroot of apache"s cgi execution

could it be possible to redirect invocation of cgi scripts through some
"gateway" program which would setup chroot and execute perl and script
within?

On Saturday 17 of January 2004 05:27, asterr wrote:
> Only root is able to chroot. You would need to run apache as root or find
> a safe way to get root privileges for the chroot.
>
> On Sat, 17 Jan 2004, Bostjan Skufca (at) domenca.com wrote:
> > Hello all,
> >
> > can anybody give me some hint about chrooting execution of cgi script
> > invoked through apache?
> > I would like to achieve this on per-virtual-host basis so every virtual
> > host would have different root dir to which it would chroot execution of
> > it's cgi scripts. If the price is perl installation in every chroot jail
> > so be it.
> >
> > Best regards,
> >
> > Bostjan Skufca
> >
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Best regards,

Bostjan Skufca
system administrator

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: chroot of apache"s cgi execution

No, of course it doesn't,

We don't want to run all httpd children as root do we ?
Then the safety level gained with chroot() is lost by the
fact you run as root. chroot() is easily broken by root
anyway, so you end up with a really false sense of security.

Regards,

Joao

On Mon, 19 Jan 2004 03:09:33 +0100
"Bostjan Skufca (at) domenca.com" wrote:

> it doesn't fit per-vhost requirement
>
> On Saturday 17 of January 2004 13:33, Joao Schim wrote:
> > Maybe this can help you ?
> >
> > http://www.devet.org/apache/chroot/
> >
> > Kind regards,
> >
> > Joao Schim
> >
> > On Sat, 17 Jan 2004 04:45:24 +0100
> >
> > "Bostjan Skufca (at) domenca.com" wrote:
> > > Hello all,
> > >
> > > can anybody give me some hint about chrooting execution of cgi script
> > > invoked through apache?
> > > I would like to achieve this on per-virtual-host basis so every
> > > virtual host would have different root dir to which it would chroot
> > > execution of it's cgi scripts. If the price is perl installation in
> > > every chroot jail so be it.
> > >
> > > Best regards,
> > >
> > > Bostjan Skufca
> > >
> > > -
> > > To unsubscribe from this list: send the line "unsubscribe
> > > linux-admin" in the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> --
> Best regards,
>
> Bostjan Skufca
> system administrator
>
> Domenca d.o.o.
> Phone: +386 4 5835444
> Fax: +386 4 5831999
> http://www.domenca.com
>
>


--
Slurm, n.: The slime that accumulates on the underside of a soap bar when
it sits in the dish too long. -- Rich Hall, "Sniglets"

============================================================ ===============
Joao Schim telefoon:(+31)40-2649860
fax:(+31)40-2649861
http://www.bowtie.nl
BowTie Technology BV Raiffeisenstraat 7 - 5611 CH Eindhoven
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: chroot of apache"s cgi execution

To clarify what i would like to achieve i paste post i sent to modperl mlist:

------------------------------------------------------------ --------
Hello all,

is there a way to chroot execution of perl script within apache?

Basically what I would like to achieve is like this:
There are users on the system and these users have their homedirs - as usual.
Within these homedirs they have domain directories which hold files for
assigned domains and every domain dir has it's own cgi-bin directory, eg:

/home
/home/user01
/home/user01/domain01.com
/home/user01/domain01.com/cgi-bin
/home/user01/domain02.com
/home/user01/domain02.com/cgi-bin
/home/user01/domain03.com
/home/user01/domain03.com/cgi-bin
/home/user02
/home/user02/domain04.com
/home/user02/domain04.com/cgi-bin
/home/user02/domain05.com
/home/user02/domain05.com/cgi-bin
/home/user02/domain06.com
/home/user02/domain06.com/cgi-bin
/home/user02/domain07.com
/home/user02/domain07.com/cgi-bin
etc.

Now i would like to chroot execution of cgi's for domain01, domain02 and
domain03 to /home/user01 and likewise for domain04, domain05, domain06 and
domain07 to /home/user02.

Therefore apache's srm.conf entries should look somewhat like this (note the
CGIChroot directive):


CGIChroot /home/user01
DocumentRoot /home/user01/domain01.com
ServerName domain01.com
CustomLog logs/domain01.com.access.log combined



CGIChroot /home/user02
DocumentRoot /home/user02/domain04.com
ServerName domain04.com
CustomLog logs/domain04.com.access.log combined


Now my question: is this by any means possible to achieve? Could invocation of
perl be done through some setuid root program which would chroot to given
directory first (assuming perl and neccesary libraries are installed in every
user's homedir), drop privileges back to apache-default or whatever specified
and execute the cgi script?
------------------------------------------------------------ --------



On Monday 19 of January 2004 10:45, Joao Schim wrote:
> No, of course it doesn't,
>
> We don't want to run all httpd children as root do we ?
> Then the safety level gained with chroot() is lost by the
> fact you run as root. chroot() is easily broken by root
> anyway, so you end up with a really false sense of security.
>
> Regards,
>
> Joao
>
> On Mon, 19 Jan 2004 03:09:33 +0100
>
> "Bostjan Skufca (at) domenca.com" wrote:
> > it doesn't fit per-vhost requirement
> >
> > On Saturday 17 of January 2004 13:33, Joao Schim wrote:
> > > Maybe this can help you ?
> > >
> > > http://www.devet.org/apache/chroot/
> > >
> > > Kind regards,
> > >
> > > Joao Schim
> > >
> > > On Sat, 17 Jan 2004 04:45:24 +0100
> > >
> > > "Bostjan Skufca (at) domenca.com" wrote:
> > > > Hello all,
> > > >
> > > > can anybody give me some hint about chrooting execution of cgi script
> > > > invoked through apache?
> > > > I would like to achieve this on per-virtual-host basis so every
> > > > virtual host would have different root dir to which it would chroot
> > > > execution of it's cgi scripts. If the price is perl installation in
> > > > every chroot jail so be it.
> > > >
> > > > Best regards,
> > > >
> > > > Bostjan Skufca
> > > >
> > > > -
> > > > To unsubscribe from this list: send the line "unsubscribe
> > > > linux-admin" in the body of a message to majordomo@vger.kernel.org
> > > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
> > --
> > Best regards,
> >
> > Bostjan Skufca
> > system administrator
> >
> > Domenca d.o.o.
> > Phone: +386 4 5835444
> > Fax: +386 4 5831999
> > http://www.domenca.com

--
Best regards,

Bostjan Skufca
system administrator

Domenca d.o.o.
Phone: +386 4 5835444
Fax: +386 4 5831999
http://www.domenca.com

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: chroot of apache"s cgi execution

Bostjan Skufca (at) domenca.com wrote:

> is there a way to chroot execution of perl script within apache?
>
> Basically what I would like to achieve is like this:
> There are users on the system and these users have their homedirs - as usual.
> Within these homedirs they have domain directories which hold files for
> assigned domains and every domain dir has it's own cgi-bin directory, eg:
>
> /home
> /home/user01
> /home/user01/domain01.com
> /home/user01/domain01.com/cgi-bin
> /home/user01/domain02.com
> /home/user01/domain02.com/cgi-bin
> /home/user01/domain03.com
> /home/user01/domain03.com/cgi-bin
> /home/user02
> /home/user02/domain04.com
> /home/user02/domain04.com/cgi-bin
> /home/user02/domain05.com
> /home/user02/domain05.com/cgi-bin
> /home/user02/domain06.com
> /home/user02/domain06.com/cgi-bin
> /home/user02/domain07.com
> /home/user02/domain07.com/cgi-bin
> etc.
>
> Now i would like to chroot execution of cgi's for domain01, domain02 and
> domain03 to /home/user01 and likewise for domain04, domain05, domain06 and
> domain07 to /home/user02.
>
> Therefore apache's srm.conf entries should look somewhat like this (note the
> CGIChroot directive):
>
>
> CGIChroot /home/user01
> DocumentRoot /home/user01/domain01.com
> ServerName domain01.com
> CustomLog logs/domain01.com.access.log combined
>
>
>
> CGIChroot /home/user02
> DocumentRoot /home/user02/domain04.com
> ServerName domain04.com
> CustomLog logs/domain04.com.access.log combined
>
>
> Now my question: is this by any means possible to achieve? Could
> invocation of perl be done through some setuid root program which
> would chroot to given directory first (assuming perl and neccesary
> libraries are installed in every user's homedir), drop privileges
> back to apache-default or whatever specified and execute the cgi
> script?

It's certainly possible, however:

1. I have no idea whether such a program currently exists. If not, the
obvious starting point would be the suExec program, as that has
similar security requirements.

2. Given the complexity involved, it would be quite easy to get it
wrong, in the sense of decreasing security rather than increasing it
(there are reasons why the chroot() system call requires root
privilege).

3. Chroot restricts filesystem access; it doesn't restrict access to
other system resources (e.g. network sockets, SysV IPC entities).

4. Setting up a chroot filesystem is far from trivial. Apart from the
perl binary and its libraries, you may also need various bits of /etc,
/lib and /dev. Running "strings /usr/bin/perl | fgrep /" suggests that
it may need /dev/null, /dev/urandom and /dev/fd/*; the latter is
usually a symlink to /proc/self/fd, which would require /proc. Doing
likewise for libc shows quite a few filenames; good luck on figuring
out which ones you need to run perl.

5. What benefit do you expect chroot to provide which can't be
obtained far more simply with appropriate filesystem permissions?

--
Glynn Clements
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html