[cgiwrap-users] Re: CGIwrap - Chrooting
From: Nathan N. <nn...@um...> - 2001-12-16 19:18:47
Yes, chroot in cgiwrap is an extremely ugly, and barely functional hack. For 99% of the world, chrooting cgi is just plain impossible due to scripts needing to use perl, etc. The chroot hack was just a bare bones minimal hack. If you use any 'simple' chroot that chroots to user home dir/etc. you're going to break most scripts out there.

The support that is in cgiwrap will yield an almost completely functional chroot environment, provided it's set up properly. (If you read the chroot documentation, it explains exactly what environment is needed for the chroot support.)

If you're going to be doing much, please direct these to the cgiwrap mailing list, as others have similar patches, and would be much more in tune to the needs. I don't use the chroot functionality, as I think it's a pain and doesn't really accomplish much.

With regards to your patch below, I would most likely not apply it - as it completely changes the way chrooting is done, and would not be functional for MOST of the scripts in existence. If you want to make a clean patch that implements an additional (in addition to the current chroot support) chroot mechanism, that I might consider applying.

(Feel free to send cvs diffs of any of the web pages/etc. - the entire web site/etc. is in the cgiwrap tarball/cvs.)

-- Nathan

Mr Yowler wrote:
>
> I can see that I'm about to become a thorn in your ass... :)
>
> Chrooting, under CGIwrap, appears to me, to contain a bug or two -
> either that, or the chroot support is horribly underdeveloped, as
> compared to the rest of the code.
>
> I have been running through your source code, to try to figure out why
> it seems to be impossible to chroot my scripts, and still have CGIwrap
> find them, when I want to run them, and what I have discovered, is
> that you are figuring out the location of my scripts, in my filesystem
> tree, so that you can verify that they exist, before you chroot into
> the filesystem tree from which the script is to be run. You then use
> the path to the script, as determined *before* the chroot, to attempt
> to chdir() into the scriptPath's directory, now that we are in the
> chrooted filesystem. Also, the chroot directory seems very rigid - it
> is whatever it was configured to, with --with-chroot=PATH. It should
> be flexible enough to prefix a user's home directory (or
> --with-rewrite=FILE entry), before the --with-chroot=PATH, so that it
> is possible to chroot ~user scripts, into their respective public_html
> directories, with a single cgiwrap binary.
>
> I have reworked your cgiwrap.c and util.c code, to accommodate these
> notions, and I am running them on a production webserver. The code
> that I inserted looks like crap, right now, but if you're interested
> in adding it to the mainstream product, I'll clean up the mess, and
> send you my stuff... :)
>
> Just thought I'd add a little harassment to your day... :) Oh - and
> I finally found where your mailing list archives live, on
> sourceforge. You really ought to add a link to the mailing list
> archives, to your FAQ, on the website... :)
>

--
------------------------------------------------------------
Nathan Neulinger                       EMail:  nn...@um...
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216
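
The mismatch described in the quoted message (a script path resolved before chroot() and then reused for chdir() afterwards) comes down to translating a pre-chroot path into the jail's namespace. The following is an added example, not code from cgiwrap or from either poster; the function name and sample paths are hypothetical, and both inputs are assumed to be already canonical (for instance from realpath()).

```c
#include <stdio.h>
#include <string.h>

/* Translate an absolute path resolved BEFORE chroot(root) into the path
 * that names the same file AFTER the chroot.
 * Returns 0 on success, -1 if path is not inside root or out is too small.
 * Assumption: inputs are canonical, so "..", "." and symlinks are not
 * handled here. */
int rebase_into_chroot(const char *root, const char *path,
                       char *out, size_t outlen)
{
    size_t rlen = strlen(root);

    if (root[0] != '/' || path[0] != '/')
        return -1;                      /* only absolute paths make sense */

    /* Ignore trailing slashes so "/jail/" and "/jail" compare equal. */
    while (rlen > 1 && root[rlen - 1] == '/')
        rlen--;
    if (rlen == 1) {
        rlen = 0;                       /* root is "/": nothing to strip */
    } else {
        if (strncmp(path, root, rlen) != 0)
            return -1;
        /* Require a component boundary: "/jail" must not match "/jail2". */
        if (path[rlen] != '/' && path[rlen] != '\0')
            return -1;
    }

    const char *rest = path + rlen;     /* "" or "/..." */
    if (*rest == '\0')
        rest = "/";                     /* path was the chroot root itself */
    if (strlen(rest) + 1 > outlen)
        return -1;
    strcpy(out, rest);
    return 0;
}

int main(void)
{
    char buf[256];
    /* Constructed sample paths, not taken from cgiwrap. */
    if (rebase_into_chroot("/jail/alice",
                           "/jail/alice/public_html/cgi-bin/t.cgi",
                           buf, sizeof buf) == 0)
        printf("path to use after chroot(): %s\n", buf);
    return 0;
}
```

A -1 return means the resolved script lies outside the intended chroot directory, which a wrapper should treat as a refusal to run rather than fall back to the original path.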