chrooting apache

[Barnaby W. Füi]

i've been reading stuff about chrooting apache, and it seems that the consensus is basically that apache is not all that conducive to chroot. it needs to get at alot of things, and i plan on using mod_php4, mod_python and perhaps mod_perl and shell cgi, so i'm not sure if should do it at all. openbsd now does by default, and their docs have given me the most useful info (this is on netbsd, and most info i've found is for linux) - however their docs also pretty much state that if you want anything beyond simplicity, it might not be the best idea to chroot apache.

http://www.openbsd.org/faq/faq10.html#httpdchroot

and of you guys done this before?

and what about systrace? i recall it being stated that its *possible* to use systrace to let apache bind to port 80 as the httpd user, but is this actually being done yet? doesn't apache pretty much always expect to be started as root?

edit:
for example i see here that even the systrace people dont seem to be using systrace to let apache run as non-root, instead they just limit its access to other things. shouldnt you be able to do

native-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit as root (and then run as regular user)
instead of just
native-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit (and run as root)

?

 

[n0cmonkey]

Originally posted by: BingBongWongFooey
i've been reading stuff about chrooting apache, and it seems that the consensus is basically that apache is not all that conducive to chroot. it needs to get at alot of things, and i plan on using mod_php4, mod_python and perhaps mod_perl and shell cgi, so i'm not sure if should do it at all. openbsd now does by default, and their docs have given me the most useful info (this is on netbsd, and most info i've found is for linux) - however their docs also pretty much state that if you want anything beyond simplicity, it might not be the best idea to chroot apache.

http://www.openbsd.org/faq/faq10.html#httpdchroot

and of you guys done this before?

I have a couple of OpenBSD 3.2 machines I can test a couple of things out on or look at how they did it for you if you need it.

and what about systrace? i recall it being stated that its *possible* to use systrace to let apache bind to port 80 as the httpd user, but is this actually being done yet? doesn't apache pretty much always expect to be started as root?

Privilege elevation in the latest systrace should work. I would need -current to use it in OpenBSD.

edit:
for example i see here that even the systrace people dont seem to be using systrace to let apache run as non-root, instead they just limit its access to other things. shouldnt you be able to do

native-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit as root (and then run as regular user)
instead of just
native-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit (and run as root)

?

Id have to look at the docs, and since I dont have a -current machine I cant test it out (maybe this weekend Ill install a snapshow for sparc or sparc64), but you should be able to. I think the examples on the site are very basic examples and dont restrict *too* much for simplicity's sake.

 

[Barnaby W. Füi]

I have a couple of OpenBSD 3.2 machines I can test a couple of things out on or look at how they did it for you if you need it.

i think i'm going to look at systrace, and possibly use it, but i definitely dont think i'm going to try to chroot it anymore.

Privilege elevation in the latest systrace should work. I would need -current to use it in OpenBSD.

hm, yeah, same deal (it seems) with netbsd. at this point i dont think i'm comfortable with building -current, plus i am pretty bogged down just trying to move everything back onto the firewall after this install, and get everything back up and operational. if i can't use systrace in 1.6, i probably wont be using it, unfortunately.

 

[n0cmonkey]

Originally posted by: BingBongWongFooey
I have a couple of OpenBSD 3.2 machines I can test a couple of things out on or look at how they did it for you if you need it.

i think i'm going to look at systrace, and possibly use it, but i definitely dont think i'm going to try to chroot it anymore.

Privilege elevation in the latest systrace should work. I would need -current to use it in OpenBSD.

hm, yeah, same deal (it seems) with netbsd. at this point i dont think i'm comfortable with building -current, plus i am pretty bogged down just trying to move everything back onto the firewall after this install, and get everything back up and operational. if i can't use systrace in 1.6, i probably wont be using it, unfortunately.

Does NetBSD offer snapshots? Thats my plan for OpenBSD isntead of trying to build -current myself.

 

[Barnaby W. Füi]

Originally posted by: n0cmonkey

Originally posted by: BingBongWongFooey
I have a couple of OpenBSD 3.2 machines I can test a couple of things out on or look at how they did it for you if you need it.

i think i'm going to look at systrace, and possibly use it, but i definitely dont think i'm going to try to chroot it anymore.

Privilege elevation in the latest systrace should work. I would need -current to use it in OpenBSD.

hm, yeah, same deal (it seems) with netbsd. at this point i dont think i'm comfortable with building -current, plus i am pretty bogged down just trying to move everything back onto the firewall after this install, and get everything back up and operational. if i can't use systrace in 1.6, i probably wont be using it, unfortunately.

Does NetBSD offer snapshots? Thats my plan for OpenBSD isntead of trying to build -current myself.

hm, shows how much i know

a little searching and i found them

edit:

kern-GENERIC.MP.tgz

damn, i need to get around to flashing the bios on this thing and trying that out

 

[n0cmonkey]

Originally posted by: BingBongWongFooey

Originally posted by: n0cmonkey

Originally posted by: BingBongWongFooey
I have a couple of OpenBSD 3.2 machines I can test a couple of things out on or look at how they did it for you if you need it.

i think i'm going to look at systrace, and possibly use it, but i definitely dont think i'm going to try to chroot it anymore.

Privilege elevation in the latest systrace should work. I would need -current to use it in OpenBSD.

hm, yeah, same deal (it seems) with netbsd. at this point i dont think i'm comfortable with building -current, plus i am pretty bogged down just trying to move everything back onto the firewall after this install, and get everything back up and operational. if i can't use systrace in 1.6, i probably wont be using it, unfortunately.

Does NetBSD offer snapshots? Thats my plan for OpenBSD isntead of trying to build -current myself.

hm, shows how much i know

a little searching and i found them

edit:

kern-GENERIC.MP.tgz

damn, i need to get around to flashing the bios on this thing and trying that out

MP being Multi Processor? I could check the link, but Im lazy

 

[Barnaby W. Füi]

Originally posted by: n0cmonkey

Originally posted by: BingBongWongFooey

Originally posted by: n0cmonkey

Originally posted by: BingBongWongFooey
I have a couple of OpenBSD 3.2 machines I can test a couple of things out on or look at how they did it for you if you need it.

i think i'm going to look at systrace, and possibly use it, but i definitely dont think i'm going to try to chroot it anymore.

Privilege elevation in the latest systrace should work. I would need -current to use it in OpenBSD.

hm, yeah, same deal (it seems) with netbsd. at this point i dont think i'm comfortable with building -current, plus i am pretty bogged down just trying to move everything back onto the firewall after this install, and get everything back up and operational. if i can't use systrace in 1.6, i probably wont be using it, unfortunately.

Does NetBSD offer snapshots? Thats my plan for OpenBSD isntead of trying to build -current myself.

hm, shows how much i know

a little searching and i found them

edit:

kern-GENERIC.MP.tgz

damn, i need to get around to flashing the bios on this thing and trying that out

MP being Multi Processor? I could check the link, but Im lazy

yeah, smp has been in -current for a while, for a handful of arch's, i suppose we will see it standard in 1.7 (??) wonder how long that will be...

and this tiger mp has an early version bios, so it doesnt support dual durons, and with no floppy drives hooked up anywhere, and the only windows machine being booted into netbsd for however many weeks now, well, it just doesnt get done 1x1300mhz doesnt exactly seem slow though, that's why i havent gotten around to it.

 

[n0cmonkey]

Originally posted by: BingBongWongFooey
yeah, smp has been in -current for a while, for a handful of arch's, i suppose we will see it standard in 1.7 (??) wonder how long that will be...

Probably a while. BSD dev is slow and generally meticulous, especially in the "lesser" BSDs.

and this tiger mp has an early version bios, so it doesnt support dual durons, and with no floppy drives hooked up anywhere, and the only windows machine being booted into netbsd for however many weeks now, well, it just doesnt get done 1x1300mhz doesnt exactly seem slow though, that's why i havent gotten around to it.

I should check the BIOS rev on my Tiger... Maybe a flash would fix the ECC lockup problem. I think Im also going to look for a cheap old SMP machine for NetBSD, maybe a sparcstation 20 or something. It could be fun.

 

[n0cmonkey]

Here is a quick and dirty article on systrace. I havent read it yet, but general opinion is good.