RE: [mod-security-users] SecChrootDir - RH 8.0, Apache 2.0.40, and PHP 4.2.2
From: L. C. L. <CL...@Xy...> - 2004-01-20 00:10:46
Done! By using '127.0.0.1' in the Apache PHP scripts instead of 'localhost' and also tweaking the MySQL users database, it appears that my Apache web server has been successfully SecChrootDir'ed. I've still got some testing to do, but all of the main Apache/PHP/MySQL gotchas were cleaned up by using the loopback adapter's IP address.

The one strange thing I noticed was that I needed to maintain an empty /var/www/html directory even though the "real" document root was located in /chroot/var/www/html. If I didn't keep this empty directory around, the httpd daemon complained and wouldn't start because it could not find the directory specified by the DocumentRoot directive in /etc/httpd/conf/httpd.conf.

Thank you, Ivan!

- Christopher

> -----Original Message-----
> From: L. Christopher Luther [mailto:CL...@Xy...]
> Sent: Monday, January 19, 2004 5:07 PM
> To: 'Ivan Ristic'
> Cc: mod...@li...
> Subject: RE: [mod-security-users] SecChrootDir - RH 8.0, Apache 2.0.40, and PHP 4.2.2
>
> > -----Original Message-----
> > From: Ivan Ristic [mailto:iv...@we...]
> > Sent: Monday, January 19, 2004 5:02 PM
> > To: L. Christopher Luther
> > Cc: mod...@li...
> > Subject: Re: [mod-security-users] SecChrootDir - RH 8.0, Apache 2.0.40, and PHP 4.2.2
> >
> > >> Yes. You didn't say whether you have anything running out of the
> > >> cgi-bin? Whatever is in there (if anything) will probably need some
> > >> runtime libraries too.
> > >
> > > No, nothing in cgi-bin, but the MySQL access through PHP didn't work. The
> > > PHP/MySQL libraries attempted to locate the MySQL socket file in
> > > /var/lib/mysql/mysql.sock, which was outside the jail, and thus couldn't be
> > > seen. I tried a symlink of the MySQL socket file into the jailed
> > > /chroot/var/lib/mysql directory, but no joy.
> >
> > In your PHP program, change the way you reference MySQL from
> > 'localhost' to '127.0.0.1'. That will force the client libraries
> > not to use the domain socket but use the TCP/IP socket instead.
> > Consequently, the chroot will no longer be a problem.
>
> Already had thought of that, and gave it a shot, but a whole slew of new
> errors cropped up. I didn't, however, try '127.0.0.1' -- I tried the "real"
> IP -- and thus my new errors because of MySQL security.
>
> Still plugging away... :)
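
The two gotchas this thread ends on, turned into a pre-flight check (an added example, not part of the original messages or of mod_security). The function name `check_jail` is hypothetical, and the check assumes the PHP scripts call `mysql_connect`/`mysql_pconnect` with a literal host string.

```shell
#!/bin/sh
# Added example: pre-flight check for an Apache jail set up with SecChrootDir.
# check_jail JAIL_DIR HTTPD_CONF
# Prints one line per finding and returns the number of findings
# (returns 1 if no DocumentRoot directive can be read).
check_jail() {
    jail=$1
    conf=$2
    findings=0

    # First uncommented DocumentRoot directive, surrounding quotes stripped.
    docroot=$(awk '$1 == "DocumentRoot" { gsub(/"/, "", $2); print $2; exit }' "$conf")
    if [ -z "$docroot" ]; then
        echo "no DocumentRoot directive found in $conf"
        return 1
    fi

    # Per the thread, httpd refuses to start unless the DocumentRoot path also
    # exists outside the jail; an empty directory is enough.
    if [ ! -d "$docroot" ]; then
        echo "missing outside the jail: $docroot"
        findings=$((findings + 1))
    fi

    # The content that is actually served lives at the same path under the jail.
    if [ ! -d "$jail$docroot" ]; then
        echo "missing inside the jail: $jail$docroot"
        findings=$((findings + 1))
    fi

    # A MySQL host of 'localhost' makes the PHP client use the Unix socket,
    # which sits outside the jail; '127.0.0.1' forces TCP instead.
    hits=$(grep -rlE "mysql_p?connect[[:space:]]*\([[:space:]]*['\"]localhost" \
        "$jail$docroot" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "$hits" | sed "s/^/connects to MySQL via 'localhost': /"
        findings=$((findings + $(echo "$hits" | wc -l)))
    fi

    return "$findings"
}

# Example with the paths from the thread:
#   check_jail /chroot /etc/httpd/conf/httpd.conf
```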