webserver chroot

 
mobidyc
Trusted Contributor

webserver chroot

Hello,

I am trying to set up Apache to use a chroot environment but I have some problems. I've used /opt/hpws/apache/util/chroot_os_cp.sh with no error.

The problem is with the document root.
I've set up the chroot directory to /var/www/chroot.

If DocumentRoot is set to "/var/www/chroot/webcontent", the webserver starts but can't find any files; the log shows:
File does not exist: /var

Effectively, in the chroot directory there is no 'var' directory.

If DocumentRoot is set to "/webcontent", I'm unable to start Apache, with the error:
DocumentRoot must be a directory

Maybe I've misunderstood the chroot concept of the webserver?

Do I need to set up a complete chrooted environment and launch Apache through the chroot command?

Do you have any advice?
Thanks for your help.

Regards,
Cedrick Gaillard
Best regards, Cedrick Gaillard
7 REPLIES
Andrew Young_2
Honored Contributor

Re: webserver chroot

Hi.

When a program runs as chroot it can only see things below the new root directory because it thinks that that is effectively /.

Ideally you should have off your root any lib, bin, var and tmp directories and files needed, over and above your DocumentRoot. If you are using PHP or any other libraries, those executables will also need to be in that tree.

The document root should also not be directly off the root tree.

Regards

Andrew Y
Si hoc legere scis, nimis eruditionis habes
mobidyc
Trusted Contributor

Re: webserver chroot

Hello Andrew,

I know what a chroot is and its implications.

The documentation indicates (if I've understood well) that the webserver can be launched normally with a chroot config option in httpd.conf; I've followed the documentation here:
http://invent9k.external.hp.com/hp_docs/apache/utilities.user.guide#21009

You normally have the same content locally.

According to your answer, my question is: why does it not work?

>if DocumentRoot is set with:
>"/var/www/chroot/webcontent",
>the webserver starts but can't
>find any files, the logs shows:
>File does not exist: /var

It's normal because '/var' is outside the chroot defined directory.

>if DocumentRoot is set with:
>"/webcontent",
>i'm unable to start apache with the error:
>DocumentRoot must be a directory

It's abnormal because the directory 'webcontent' is inside the chroot defined directory.

Another thing: the script /opt/hpws/apache/bin/apachectl contains a line:
CHROOT=`grep "^Chroot " ${APACHE_PREFIX}/conf/httpd.conf | awk '{ print $2 }'`

This variable gets the correct chroot directory but is totally unused in apachectl.
httpd does not seem to use this environment variable anymore.

Thanks for help.

Regards,
Cedrick Gaillard
Best regards, Cedrick Gaillard
mobidyc
Trusted Contributor

Re: webserver chroot

Hello,

The problem is partially solved.

I've created an empty '/webcontent' directory, which is outside the chrooted webserver environment, and now I can start Apache.

If I request a file located in the chrooted environment (under /var/www/chroot/webcontent), it works ;)

It seems there is a bad configuration/compilation around httpd; this workaround is not the way I want and I think it's not the way it must be.

I've tried to play with the configuration order in httpd.conf (chroot after modules, etc.) and it's worse; I really don't know where I can look for a correct start.

Regards,
Cedrick Gaillard
Best regards, Cedrick Gaillard
Andrew Young_2
Honored Contributor

Re: webserver chroot

Hi Cedrick

I would create a folder called
/var/www/chroot/var/www/webcontent

and then set my DocumentRoot to /var/www/webcontent.

That should work. I've never used Apache in a chroot on HP-UX before, but on Linux all the Apache binaries are also moved to the chroot tree. This is what that helper script is supposed to do.

The Apache httpd does not like to run webservers where the DocumentRoot is in /, and as far as it was concerned that's what it was running, hence the error.

As a rule, however, it's usually a good idea to set up the Apache webserver and then, when the config is good, uncomment and fix the chroot directive in the httpd.conf file and run the chroot_os_cp.sh helper script.

Apachectl runs outside of the chroot environment and reads the httpd.conf file to determine when to run in a chroot environment. I am not sure, however, if this is done through that CHROOT environment variable that it may use internally. It may use it when starting up the httpd daemon. When in doubt, rather leave it in.

HTH

Andrew Y


Si hoc legere scis, nimis eruditionis habes
mobidyc
Trusted Contributor

Re: webserver chroot

Hi Andrew,

Creating a folder at /var/www/chroot/var/www/webcontent does not change the problem.

At startup, Apache searches for the DocumentRoot directory outside the chroot environment; it is unable to start without creating a false directory at slash.

Reminder:
Chroot "/var/www/chroot"
DocumentRoot "/webcontent"

$>ls /webcontent
Empty directory
$>ls /var/www/chroot/webcontent
index.php

$>/opt/hpws/apache/bin/apachectl start
Ok

Now, if I go to http://myserver/index.php I can see the good webpages, so the chroot is effective.
And more beautiful, if I exec an 'ls /' command with PHP, only the chroot environment is listed; it doesn't go outside the chroot, fine ;)

The only problem is the startup for the DocumentRoot directive; I think it's a problem with Apache.
It doesn't matter where the DocumentRoot is located in / in the chroot.

I think I will finally wrap the apachectl script for more convenient use, but I'm interested in the experience of other users.

Regards,
Cedrick Gaillard.
Best regards, Cedrick Gaillard
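
Added example, not part of the thread or of HP's apachectl: a POSIX shell check for the behaviour reported above, where the DocumentRoot path is looked up outside the chroot at startup and inside it when serving. The function names and the optional staging prefix are assumptions made for illustration, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare where DocumentRoot resolves
# before and after the chroot named by the "Chroot" directive in httpd.conf.

# directive_value CONF NAME: first value of directive NAME, quotes stripped.
directive_value() {
    awk -v name="$2" 'tolower($1) == tolower(name) { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# check_docroot CONF [PREFIX]
# PREFIX is a hypothetical staging root prepended to every path so the check
# can run against a test tree; leave it empty on a live host.
check_docroot() {
    conf=$1; prefix=${2:-}
    jail=$(directive_value "$conf" Chroot)
    docroot=$(directive_value "$conf" DocumentRoot)
    [ -n "$docroot" ] || { echo no-docroot; return 2; }
    [ -n "$jail" ] || { echo no-chroot; return 0; }
    outside=no; inside=no
    [ -d "$prefix$docroot" ] && outside=yes        # path as seen at startup
    [ -d "$prefix$jail$docroot" ] && inside=yes    # path as seen after chroot
    case "$outside/$inside" in
        yes/yes) echo both ;;          # state reached by the workaround
        yes/no)  echo outside-only ;;  # thread: starts, then "File does not exist"
        no/yes)  echo inside-only ;;   # thread: "DocumentRoot must be a directory"
        *)       echo neither ;;
    esac
}

# Constructed demo: stage the thread's layout under a temp dir and try
# both DocumentRoot values the poster used.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/var/www/chroot/webcontent"
    for dr in /var/www/chroot/webcontent /webcontent; do
        printf 'Chroot "/var/www/chroot"\nDocumentRoot "%s"\n' "$dr" > "$root/httpd.conf"
        printf '%s -> %s\n' "$dr" "$(check_docroot "$root/httpd.conf" "$root")"
    done
    rm -rf "$root"
}
demo
```

On a live host, call `check_docroot /opt/hpws/apache/conf/httpd.conf` with no prefix; any result other than `both` matches one of the two failures described in the thread.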
Steven E. Protter
Exalted Contributor

Re: webserver chroot

Shalom,

I've seen bugs like this in the past.

Sometimes you can hack httpd.conf to get apache to start, sometimes you are forced to get a new depot from HP.

swlist -l product | grep -i hpws

Please post.

SEP
EWR, Newark, NJ

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
mobidyc
Trusted Contributor

Re: webserver chroot

Hello Steven,

The output you asked for:
#> swlist -l product | grep -i hpuxws
hpuxwsAPACHE B.2.0.54.03 HP-UX Apache-based Web Server
hpuxwsTOMCAT B.5.5.9.03 HP-UX Tomcat-based Servlet Engine
hpuxwsWEBMIN A.1.070.05 HP-UX Webmin-based Admin
hpuxwsXML A.2.00 HP-UX XML Web Server Tools

And maybe you'll find this useful:
#> /opt/hpws/apache/bin/httpd -V
Server version: Apache/2.0.54 HP-UX_Apache-based_Web_Server
Server built: Sep 12 2005 15:03:56
Server's Module Magic Number: 20020903:9
Architecture: 32-bit
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D APR_PROCESS_LOCK_IS_GLOBAL
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/opt/hpws/apache"
-D DEFAULT_CHROOT_DIR=""
-D SUEXEC_BIN="/opt/hpws/apache/bin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Regards,
Cedrick Gaillard
Best regards, Cedrick Gaillard