[mod-security-users] Chroot and pid file
From: David F. <Da...@co...> - 2004-05-16 18:16:46
Hi,
I'm using mod_security-1.8dev2 and the chroot function. As stated in the
manual, it is difficult to stop Apache when chrooted because it cannot
find its PID file. I attach a start/stop script below that overcomes this
problem. I hope it will be useful.
Your httpd.conf file should contain the PidFile configuration option as
normal, ignoring any chroot. The 'stop' section of the script below makes
use of the -c option to httpd, allowing a new value of PidFile to be used,
which overrides the one in httpd.conf.
David.
--
-------------------------------------------------
Email: David at megapico dot co dot uk
-------------------------------------------------
#!/bin/sh
ARGV="$@"
#
# |||||||||||||||||||| START CONFIGURATION SECTION ||||||||||||||||||||
# -------------------- --------------------
#
# the path to your PID file, ignoring chroot set-up, if any
PIDFILE='/usr/local/apache/logs/httpd.pid'
# the path to your httpd binary, including options if necessary
HTTPD='/usr/local/apache/bin/httpd'
# the path to the chroot created by mod_security, otherwise leave empty
CHROOT='/chroot/apache'
#
# pick up any necessary environment variables
if test -f /usr/local/apache/bin/envvars; then
    . /usr/local/apache/bin/envvars
fi
#
# a command that outputs a formatted text version of the HTML at the
# url given on the command line. Designed for lynx, however other
# programs may work.
LYNX="lynx -dump"
#
# the URL to your server's mod_status status page. If you do not
# have one, then status and fullstatus will not work.
STATUSURL="http://localhost:80/server-status"
#
# Set this variable to a command that increases the maximum
# number of file descriptors allowed per child process. This is
# critical for configurations that use many file descriptors,
# such as mass vhosting, or a multithreaded server.
ULIMIT_MAX_FILES="ulimit -S -n `ulimit -H -n`"
# -------------------- --------------------
# |||||||||||||||||||| END CONFIGURATION SECTION ||||||||||||||||||||
# Set the maximum number of file descriptors allowed per child process.
if [ "x$ULIMIT_MAX_FILES" != "x" ] ; then
    $ULIMIT_MAX_FILES
fi
ERROR=0
if [ "x$ARGV" = "x" ] ; then
    ARGV="-h"
fi
# If a PID file exists, check that it points to a running httpd.
# Deals with a PID file left behind after a power cut or crash.
if [ -f "$CHROOT$PIDFILE" ] ; then
    PID=`cat "$CHROOT$PIDFILE"`
    PIDPROC=`ps -p "$PID" -o comm --no-headers 2>/dev/null`
    if [ "x$PID" != "x" ] && [ "x$PIDPROC" != "xhttpd" ] ; then
        # the PID is not a running httpd (no such process, or a different one)
        rm "$CHROOT$PIDFILE" 2>/dev/null
    fi
fi
case $ARGV in
start|restart|graceful)
    $HTTPD -k $ARGV
    ERROR=$?
    ;;
stop)
    # override PidFile so httpd looks for the PID file inside the chroot
    $HTTPD -k $ARGV -c "PidFile $CHROOT$PIDFILE"
    ERROR=$?
    ;;
startssl|sslstart|start-SSL)
    $HTTPD -k start -DSSL
    ERROR=$?
    ;;
configtest)
    $HTTPD -t
    ERROR=$?
    ;;
status)
    $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
    ;;
fullstatus)
    $LYNX $STATUSURL
    ;;
*)
    $HTTPD $ARGV
    ERROR=$?
    ;;
esac
exit $ERROR
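
The stale-PID check from the script above, expanded into an added example that is not part of the original post or of mod_security: because the PID file lives inside the chroot, its content is validated as a plain number before it is handed to `ps` or used to decide anything. The function names `proc_name`, `pidfile_state` and `clean_pidfile` are hypothetical, and the code assumes a `ps` that supports the POSIX `-p PID -o comm=` form.

```shell
#!/bin/sh
# Added example: classify a PID file before trusting it.

# Print the command name of PID $1, or nothing if no such process exists.
proc_name() {
    ps -p "$1" -o comm= 2>/dev/null | tr -d ' '
}

# pidfile_state FILE EXPECTED_NAME
# Prints one of: missing, invalid, stale, foreign, running
pidfile_state() {
    [ -f "$1" ] || { echo missing; return; }
    # Only the first line counts; anything that is not all digits is rejected
    # so that file content never reaches ps as an option or extra argument.
    pid=$(head -n 1 "$1")
    case $pid in
        ''|*[!0-9]*) echo invalid; return ;;
    esac
    name=$(proc_name "$pid")
    if [ -z "$name" ]; then
        echo stale      # no process with that PID (crash, power cut)
    elif [ "$name" = "$2" ]; then
        echo running    # PID belongs to the expected daemon
    else
        echo foreign    # PID was reused by an unrelated process
    fi
}

# Remove the PID file unless it names a live instance of EXPECTED_NAME.
clean_pidfile() {
    case $(pidfile_state "$1" "$2") in
        invalid|stale|foreign) rm -f -- "$1" ;;
    esac
}

# Constructed demo: a PID file naming a PID that cannot exist on Linux.
demo=$(mktemp -d)
echo 99999999 > "$demo/httpd.pid"
echo "before: $(pidfile_state "$demo/httpd.pid" httpd)"
clean_pidfile "$demo/httpd.pid" httpd
echo "after:  $(pidfile_state "$demo/httpd.pid" httpd)"
rm -rf "$demo"
```

In the script above this would be called as `clean_pidfile "$CHROOT$PIDFILE" httpd` before the `case` statement.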