Thread: [mod-security-users] DocumentRoot path
From: Julius S. <us...@zg...> - 2005-04-13 21:56:29
|
Hi,
I'm trying to chroot my Apache 2 server.
I've added this to my httpd.conf:
# mod_security stuff
SecChrootDir /chroot/apache

And I moved the directory /var/www to /chroot/apache/var/www

When I try to start Apache, I now get the following error message though:
Starting httpd daemon: /usr/sbin/apachectl start
Syntax error on line 357 of /etc/apache2/httpd.conf:
DocumentRoot must be a directory

Am I doing something wrong? I would expect I would only need to specify
the path within the chroot environment. Do I need to specify the full
path instead?

Thanks in advance,
Julius
|
From: Alex <al...@ss...> - 2005-04-14 00:33:14
|
On Wed, 2005-04-13 at 22:52 +0200, Julius Schwartzenberg wrote:
> Hi,
> I'm trying to chroot my Apache 2 server.
> I've added this to my httpd.conf:
> # mod_security stuff
> SecChrootDir /chroot/apache
>
> And I moved the directory /var/www to /chroot/apache/var/www
>
> When I try to start Apache, I now get the following error message though:
> Starting httpd daemon: /usr/sbin/apachectl start
> Syntax error on line 357 of /etc/apache2/httpd.conf:
> DocumentRoot must be a directory
>
> Am I doing something wrong? I would expect I would only need to specify
> the path within the chroot environment. Do I need to specify the full
> path instead?
>
> Thanks in advance,
> Julius
>

Just do : ln -s /chroot/apache/var/www /var/www

It should be working after that

Alex V
|
From: Julius S. <us...@zg...> - 2005-04-14 08:52:10
|
Alex wrote:
> On Wed, 2005-04-13 at 22:52 +0200, Julius Schwartzenberg wrote:
>
>>Hi,
>>I'm trying to chroot my Apache 2 server.
>>I've added this to my httpd.conf:
>># mod_security stuff
>>SecChrootDir /chroot/apache
>>
>>And I moved the directory /var/www to /chroot/apache/var/www
>>
>>When I try to start Apache, I now get the following error message though:
>>Starting httpd daemon: /usr/sbin/apachectl start
>>Syntax error on line 357 of /etc/apache2/httpd.conf:
>>DocumentRoot must be a directory
>>
>>Am I doing something wrong? I would expect I would only need to specify
>>the path within the chroot environment. Do I need to specify the full
>>path instead?
>>
>>Thanks in advance,
>>Julius
>>
>
>
> Just do : ln -s /chroot/apache/var/www /var/www
>
> It should be working after that
>
> Alex V

I understand. Is there any way to check then if it really is chrooted?

This also seems to be a work-around. Is this a known problem with
mod_security?

Julius
|
From: Ivan R. <iv...@we...> - 2005-04-14 11:20:26
|
Julius Schwartzenberg wrote:
> Alex wrote:
>
>> Just do : ln -s /chroot/apache/var/www /var/www
>>
>> It should be working after that
>>
>> Alex V
>
>
> I understand. Is there any way to check then if it really is chrooted?

There will be two messages in the error log. Also, I think
mod_security exits if chroot fails.

To be sure, why don't you create an empty /var/www? That way,
you will only see the content if the chroot is successful.

> This also seems to be a work-around. Is this a known problem with
> mod_security?

No, not really. It's a drawback of the approach, and the fact
was not built to support an internal chroot. Therefore it
performs some actions before the chroot and some after. There's
nothing we can do about that.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
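The checks discussed in the messages above, as a shell sketch added here (not code from the thread or from mod_security): `docroot_state` reports whether the DocumentRoot path is a directory both outside and inside the jail and whether the outside copy is the symlink or the empty canary directory, and `is_jailed` compares a running process's root with the jail. The function names and the `PROC_DIR` override are assumptions of this example, and Linux `/proc` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Linux /proc is assumed; PROC_DIR is
# overridable only so the logic can be exercised on a constructed tree.
PROC_DIR="${PROC_DIR:-/proc}"

# docroot_state JAIL DOCROOT
# DocumentRoot is checked before the chroot call and used after it, so the
# path has to be a directory in both views. Prints one of:
#   missing-outside  startup fails with "DocumentRoot must be a directory"
#   missing-inside   config check passes, nothing to serve once jailed
#   symlink          both paths are the same directory (the ln -s approach)
#   canary           outside directory is empty: content proves the chroot
#   ambiguous        outside directory has its own content
docroot_state() {
    jail=${1%/} docroot=$2
    [ -d "$docroot" ] || { echo missing-outside; return 1; }
    [ -d "$jail$docroot" ] || { echo missing-inside; return 1; }
    outer=$(cd -P "$docroot" && pwd -P)
    inner=$(cd -P "$jail$docroot" && pwd -P)
    if [ "$outer" = "$inner" ]; then
        echo symlink
    elif [ -z "$(ls -A "$docroot")" ]; then
        echo canary
    else
        echo ambiguous
    fi
}

# process_root PID: print the root directory the process is running in.
# Reading another user's /proc/PID/root normally requires root.
process_root() {
    readlink "$PROC_DIR/$1/root"
}

# is_jailed PID JAIL: succeed only if the process root is exactly JAIL.
is_jailed() {
    root=$(process_root "$1") || return 2
    want=$(cd -P "$2" 2>/dev/null && pwd -P) || return 2
    [ "$want" != / ] && [ "$root" = "$want" ]
}
```

With the thread's paths this would be called as `docroot_state /chroot/apache /var/www` and, as root, `is_jailed <httpd pid> /chroot/apache`.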
|
From: Julius S. <us...@zg...> - 2005-04-14 14:26:37
|
Ivan Ristic wrote:
>> I understand. Is there any way to check then if it really is chrooted?
>
>
> There will be two messages in the error log. Also, I think
> mod_security exits if chroot fails.
>
> To be sure, why don't you create an empty /var/www? That way,
> you will only see the content if the chroot is successful.

Good idea :)

>
>> This also seems to be a work-around. Is this a known problem with
>> mod_security?
>
>
> No, not really. It's a drawback of the approach, and the fact
> was not built to support an internal chroot. Therefore it
> performs some actions before the chroot and some after. There's
> nothing we can do about that.
>

I understand.

Now when I run the server with the module, I get the following errors in
my logs though when I try to access the server:
[Thu Apr 14 16:02:01 2005] [notice] child pid 3787 exit signal Segmentation fault (11)
[Thu Apr 14 16:02:02 2005] [notice] child pid 3788 exit signal Segmentation fault (11)
[Thu Apr 14 16:03:05 2005] [notice] child pid 3789 exit signal Segmentation fault (11)
[Thu Apr 14 16:03:36 2005] [notice] child pid 3790 exit signal Segmentation fault (11)

The client receives an empty page. When I do not use the module,
everything seems to work correctly though.

Did I forget anything?

Thanks,
Julius
|
From: Ivan R. <iv...@we...> - 2005-04-15 08:27:00
|
Julius Schwartzenberg wrote:
>
> Now when I run the server with the module, I get the following errors in
> my logs though when I try to access the server:
> [Thu Apr 14 16:02:01 2005] [notice] child pid 3787 exit signal
> Segmentation fault (11)
> [Thu Apr 14 16:02:02 2005] [notice] child pid 3788 exit signal
> Segmentation fault (11)
> [Thu Apr 14 16:03:05 2005] [notice] child pid 3789 exit signal
> Segmentation fault (11)
> [Thu Apr 14 16:03:36 2005] [notice] child pid 3790 exit signal
> Segmentation fault (11)
>
> The client receives an empty page. When I do not use the module,
> everything seems to work correctly though.
>
> Did I forget anything?

I don't think so. My guess is your web server/application requires
something that is not present in the jail. But it's not telling you
what, choosing to just crash instead. It's the reason people hate
chroot as much as they do. There is no easy way around it.

Read the chroot part of my book for a step-by-step guide how to
troubleshoot the problem:

http://www.apachesecurity.net/download/apachesecurity-ch02.pdf

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org