osdir.com
mailing list archive

Subject: Re: mod_chroot and symlinks - msg#00006

List: apache.mod-chroot.general


Hi, I have been playing around with mod_chroot for a few weeks; everything works fine with the exception of symlinks to folders outside the jail. This issue does not seem to be specific to mod_chroot, but with chrooting in general.

[...]

I have a few questions:
1. Does creating a symlink to a folder outside the jail, and having a non-root user access it, defeat the purpose of creating the jail? Why?

Creating a symlink to a folder outside the jail simply doesn't work. Once inside a jail, a process cannot access anything outside the jail - this also applies to symlinks.
You could create a normal (or so-called hard) link, which would work, but it's against the idea of chroot(); we're trying to restrict Apache to a certain directory.

2. Is there a solution/work-around for the above scenario?

If you're on Linux, mount -o bind might do the trick. I think there is a similar thing under FreeBSD.

regards,
--
Marek Gutkowski
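
The behaviour described in the reply above, as an added example that is not part of the original thread: a small shell audit that reports how each symlink in a jail would resolve after chroot() (absolute targets are looked up from the jail root) and prints the `mount -o bind` commands for the shared directories. The /chroot, /web and /doc paths come from the question; the function names and script name are made up here.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Report how symlink $2 resolves for a process chrooted into $1.
# After chroot() an absolute target such as /web is looked up from the
# jail root, i.e. $1/web on the host, never the host's own /web.
# Simplification: only the final path component is chased, and ".." in a
# relative target is not clamped at the jail root.
jail_resolve() {
    jail=${1%/}; p=$2; hops=0
    while [ -L "$p" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt 40 ]; then echo loop; return 0; fi
        t=$(readlink "$p")
        case $t in
            /*) p=$jail$t ;;
            *)  p=$(dirname "$p")/$t ;;
        esac
    done
    if [ -e "$p" ]; then echo ok; else echo broken; fi
}

# One line per symlink in the jail: "<ok|broken|loop> <path in jail> -> <target>".
audit_jail_symlinks() {
    root=${1%/}
    find "$root" -type l | sort | while IFS= read -r link; do
        printf '%s %s -> %s\n' "$(jail_resolve "$root" "$link")" \
            "${link#"$root"}" "$(readlink "$link")"
    done
}

# Print (do not run) the bind mounts that replace the symlinks. Each mount
# point must first be an empty real directory inside the jail, not a symlink.
bind_mount_cmds() {
    jail=${1%/}; shift
    for src in "$@"; do
        printf 'mount -o bind %s %s%s\n' "$src" "$jail" "$src"
    done
}

# Usage: sh jail-audit.sh /chroot
if [ "$#" -gt 0 ]; then
    audit_jail_symlinks "$1"
    bind_mount_cmds "$1" /web /doc
fi
```

For the layout in the question, /chroot/web -> /web is reported as `loop`: inside the jail, /web is the link itself. A bind mount makes the shared directory part of the jail, so everything under it is reachable by the jailed Apache.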




Previous Message by Date:

mod_chroot and symlinks

Hi, I have been playing around with mod_chroot for a few weeks; everything works fine with the exception of symlinks to folders outside the jail. This issue does not seem to be specific to mod_chroot, but with chrooting in general.

Here is my scenario...

The environment is running a cluster of apache servers with centrally located config files, web site source code and documents served by the web sites. This content is mounted via NFS on each cluster node on /configDir, /web and /doc respectively. Because of many reasons this content cannot be duplicated on each node.

I would like to create a chroot jail and have apache look at these shared directories which are outside the jail for serving content. The only way I thought this would be possible is by creating symlinks; however, I get the "Symbolic link not allowed: /web" error, which makes sense as the www-data user is trying to get to a place outside the jail.

/etc/apache2/apache2.conf ---starting configuration----> /configDir
        |
        | content served from here once apache is running
        |
       \ /
/chroot
   |
   |-- web -> /web
   |-- doc -> /doc

I have a few questions:
1. Does creating a symlink to a folder outside the jail, and having a non-root user access it, defeat the purpose of creating the jail? Why?
2. Is there a solution/work-around for the above scenario?

Dede.
