Subject: Re: mod_chroot and symlinks - msg#00006
List: apache.mod-chroot.general
Hi, I have been playing around with mod_chroot for a few weeks;
everything works fine with the exception of symlinks to folders
outside the jail. This issue does not seem to be specific to
mod_chroot, but with chrooting in general.
[...]
I have a few questions:
1. Does creating a symlink to a folder outside the jail, and have a
non-root user access it, defeat the purpose of creating the jail? Why?

Creating a symlink to a folder outside the jail simply doesn't work.
Once inside a jail, a process cannot access anything outside the jail -
this also applies to symlinks.
You could create a normal (or so-called hard) link, which would work,
but it's against the idea of chroot(); we're trying to restrict Apache
to a certain directory.

2. Is there a solution/work-around for the above scenario?

If you're on Linux, mount -o bind might do the trick. I think there is a
similar thing under FreeBSD.

regards,
--
Marek Gutkowski
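
The lookup rule behind the first answer, as an added example that is not part of the original message: a user-space model of how path resolution behaves for a process chrooted to a directory, where absolute symlink targets restart at the jail root and ".." cannot climb above it. The function names and the sample layout (htdocs, srv/web) are constructed for illustration; only the web -> /web link comes from the thread.

```python
import errno
import os
import tempfile

def resolve_in_jail(jail, path, max_links=40):
    """Return the host path that `path` names for a process chrooted to `jail`."""
    jail = os.path.realpath(jail)
    pending = [p for p in path.split("/") if p]  # components still to walk
    current = []                                 # resolved components below the jail root
    links = 0
    while pending:
        part = pending.pop(0)
        if part == ".":
            continue
        if part == "..":
            if current:
                current.pop()                    # ".." at the jail root stays at the root
            continue
        host = os.path.join(jail, *current, part)
        if os.path.islink(host):
            links += 1
            if links > max_links:
                raise OSError(errno.ELOOP, os.strerror(errno.ELOOP), path)
            target = os.readlink(host)
            if target.startswith("/"):
                current = []                     # absolute target restarts at the jail root
            pending = [p for p in target.split("/") if p] + pending
            continue
        if not os.path.lexists(host):
            raise OSError(errno.ENOENT, os.strerror(errno.ENOENT), path)
        current.append(part)
    return os.path.join(jail, *current)

def build_sample_jail():
    """Constructed layout: jail/web -> /web as in the thread, plus two more links."""
    jail = os.path.join(tempfile.mkdtemp(), "chroot")
    os.makedirs(os.path.join(jail, "htdocs"))
    os.makedirs(os.path.join(jail, "srv", "web"))
    os.symlink("/web", os.path.join(jail, "web"))                 # points "outside"
    os.symlink("/srv/web", os.path.join(jail, "htdocs", "site"))  # target inside the jail
    os.symlink("../../..", os.path.join(jail, "htdocs", "up"))    # tries to climb out
    return jail

if __name__ == "__main__":
    jail = build_sample_jail()
    for p in ("/htdocs/site", "/htdocs/up", "/web"):
        try:
            print(p, "->", resolve_in_jail(jail, p))
        except OSError as e:
            print(p, "->", e.strerror)
```

With the thread's layout, /web inside the jail is a link whose target is /web inside the jail, so the lookup ends in ELOOP instead of reaching the host's /web.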
Previous Message by Date:
mod_chroot and symlinks
Hi, I have been playing around with mod_chroot for a few weeks;
everything works fine with the exception of symlinks to folders
outside the jail. This issue does not seem to be specific to
mod_chroot, but with chrooting in general.

Here is my scenario...
The environment is running a cluster of apache servers with centrally
located config files, web site source code and documents served by
the web sites. This content is mounted via NFS on each cluster node
on /configDir, /web and /doc respectively. Because of many reasons
this content can not be duplicated on each node. I would like to
create a chroot jail and have apache look at these shared directories
which are outside the jail for serving content. The only way I thought
this would be possible is by creating symlinks; however, I get the
"Symbolic link not allowed: /web" error, which makes sense as the
www-data user is trying to get to a place outside the jail.

/etc/apache2/apache2.conf ---starting configuration----> /configDir
|
|
content served from here once apache is running
|
\ /
/chroot
|
|-- web -> /web
|-- doc -> /doc

I have a few questions:
1. Does creating a symlink to a folder outside the jail, and have a
non-root user access it, defeat the purpose of creating the jail? Why?
2. Is there a solution/work-around for the above scenario?

Dede.