From: "Bostjan Skufca (at) domenca.com" <bostjan.skufca@domenca.com>
To: Joao Schim <j.schim@netmaniacs.nl>
Cc: linux-admin@vger.kernel.org
Subject: Re: chroot of apache's cgi execution
Date: Mon, 19 Jan 2004 15:02:24 +0100
Message-ID: <200401191502.24458.bostjan.skufca@domenca.com>
In-Reply-To: <20040119104503.68480edc.j.schim@netmaniacs.nl>
To clarify what I would like to achieve, I paste the post I sent to the modperl mailing list:
--------------------------------------------------------------------
Hello all,
is there a way to chroot execution of a Perl script within Apache?
Basically what I would like to achieve is like this:
There are users on the system and these users have their homedirs - as usual.
Within these homedirs they have domain directories which hold files for
assigned domains, and every domain dir has its own cgi-bin directory, e.g.:
/home
/home/user01
/home/user01/domain01.com
/home/user01/domain01.com/cgi-bin
/home/user01/domain02.com
/home/user01/domain02.com/cgi-bin
/home/user01/domain03.com
/home/user01/domain03.com/cgi-bin
/home/user02
/home/user02/domain04.com
/home/user02/domain04.com/cgi-bin
/home/user02/domain05.com
/home/user02/domain05.com/cgi-bin
/home/user02/domain06.com
/home/user02/domain06.com/cgi-bin
/home/user02/domain07.com
/home/user02/domain07.com/cgi-bin
etc.
Now I would like to chroot execution of CGIs for domain01, domain02 and
domain03 to /home/user01 and likewise for domain04, domain05, domain06 and
domain07 to /home/user02.
Therefore Apache's srm.conf entries should look somewhat like this (note the
hypothetical CGIChroot directive):
<VirtualHost *>
    CGIChroot /home/user01
    DocumentRoot /home/user01/domain01.com
    ServerName domain01.com
    CustomLog logs/domain01.com.access.log combined
</VirtualHost>
<VirtualHost *>
    CGIChroot /home/user02
    DocumentRoot /home/user02/domain04.com
    ServerName domain04.com
    CustomLog logs/domain04.com.access.log combined
</VirtualHost>
Now my question: is this by any means possible to achieve? Could the invocation of
Perl be done through some setuid-root program which would chroot to the given
directory first (assuming Perl and the necessary libraries are installed in every
user's homedir), drop privileges back to the Apache default or whatever is specified,
and execute the CGI script?
--------------------------------------------------------------------
On Monday 19 of January 2004 10:45, Joao Schim wrote:
> No, of course it doesn't,
>
> We don't want to run all httpd children as root do we ?
> Then the safety level gained with chroot() is lost by the
> fact you run as root. chroot() is easily broken by root
> anyway, so you end up with a really false sense of security.
>
> Regards,
>
> Joao
>
> On Mon, 19 Jan 2004 03:09:33 +0100
>
> "Bostjan Skufca (at) domenca.com" <bostjan.skufca@domenca.com> wrote:
> > It doesn't fit the per-vhost requirement.
> >
> > On Saturday 17 of January 2004 13:33, Joao Schim wrote:
> > > Maybe this can help you ?
> > >
> > > http://www.devet.org/apache/chroot/
> > >
> > > Kind regards,
> > >
> > > Joao Schim
> > >
> > > On Sat, 17 Jan 2004 04:45:24 +0100
> > >
> > > "Bostjan Skufca (at) domenca.com" <bostjan.skufca@domenca.com> wrote:
> > > > Hello all,
> > > >
> > > > can anybody give me some hint about chrooting execution of a CGI script
> > > > invoked through Apache?
> > > > I would like to achieve this on a per-virtual-host basis, so every
> > > > virtual host would have a different root dir to which it would chroot
> > > > execution of its CGI scripts. If the price is a Perl installation in
> > > > every chroot jail, so be it.
> > > >
> > > > Best regards,
> > > >
> > > > Bostjan Skufca
> > > >
> > > > -
> > > > To unsubscribe from this list: send the line "unsubscribe
> > > > linux-admin" in the body of a message to majordomo@vger.kernel.org
> > > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
> > --
> > Best regards,
> >
> > Bostjan Skufca
> > system administrator
> >
> > Domenca d.o.o.
> > Phone: +386 4 5835444
> > Fax: +386 4 5831999
> > http://www.domenca.com
--
Best regards,
Bostjan Skufca
system administrator
Domenca d.o.o.
Phone: +386 4 5835444
Fax: +386 4 5831999
http://www.domenca.com
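As an added illustration of the wrapper Bostjan sketches above (this is example code written for this archive page, not code from the thread, from Apache or from mod_perl), here is a minimal setuid-root launcher in C. It chroot()s to the jail passed as its first argument, chdir()s to the new root, drops to the real uid/gid of the caller (the httpd user that invoked it), verifies that root cannot be regained, and only then execs the script at its path inside the jail. The names jail_relative, has_dotdot and drop_privileges are this example's own; it assumes, as the post proposes, that /usr/bin/perl and the script's libraries are installed inside each jail.

```c
/* Added example, not code from the thread: a setuid-root CGI launcher that
 * chroot()s per vhost, drops root, then exec()s the script.
 * Usage: cgichroot <jail> <absolute script path> [args...]
 * (install as root:httpd, mode 4750, so only the httpd user can run it) */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* True if any path component is "..": such a path could point outside the
 * jail even when its prefix matches. */
static int has_dotdot(const char *p)
{
    for (const char *s = p; ; ) {
        const char *e = strchr(s, '/');
        size_t len = e ? (size_t)(e - s) : strlen(s);
        if (len == 2 && s[0] == '.' && s[1] == '.')
            return 1;
        if (!e)
            return 0;
        s = e + 1;
    }
}

/* Translate an absolute script path into the path it will have once the
 * process has chroot()ed to `jail`.  Returns NULL when the script does not
 * live inside the jail: a request to run /usr/bin/perl, or a script from
 * user02's tree, via user01's jail must be refused, not silently re-rooted. */
const char *jail_relative(const char *jail, const char *script)
{
    size_t n = strlen(jail);
    if (n == 0 || jail[0] != '/' || script[0] != '/' || has_dotdot(script))
        return NULL;
    while (n > 1 && jail[n - 1] == '/')
        n--;                         /* tolerate "/home/user01/" */
    if (n == 1)
        return script;               /* jail is "/": nothing to strip */
    /* script[n] must be '/', otherwise "/home/user012/x" matches "/home/user01" */
    if (strncmp(script, jail, n) != 0 || script[n] != '/')
        return NULL;
    return script + n;               /* keeps its leading '/' */
}

/* Drop root completely and verify it cannot be regained.  Order matters:
 * supplementary groups and gid go before uid, because once the uid is
 * unprivileged setgroups()/setgid() are no longer permitted. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                   /* refuse to "drop" to root */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* All three uids are now unprivileged; regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <jail> <absolute-script-path> [args...]\n", argv[0]);
        return 2;
    }
    const char *jail = argv[1];
    const char *inside = jail_relative(jail, argv[2]);
    if (!inside) {
        fprintf(stderr, "refusing: %s is not inside %s\n", argv[2], jail);
        return 2;
    }
    /* Real uid/gid are those of the caller, i.e. the httpd user: that is
     * the "apache-default" the post wants to fall back to. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (chroot(jail) != 0) { perror("chroot"); return 1; }  /* needs root */
    if (chdir("/") != 0)   { perror("chdir");  return 1; }  /* cwd must move inside */
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "could not drop root, not executing %s\n", inside);
        return 1;
    }
    /* argv[2..] become the script's argv; the #! interpreter it names must
     * exist inside the jail (e.g. /home/user01/usr/bin/perl). */
    argv[2] = (char *)inside;
    execv(inside, argv + 2);
    perror("execv");
    return 1;
}
```

Two points from the thread are built in: the privilege drop happens after chroot() but before execv(), so the script never runs as root inside the jail (Joao's objection only applies if root survives into the script), and chdir("/") follows chroot() because a process whose working directory is still outside the new root can keep reaching the old filesystem. jail_relative refuses any script outside the jail and any ".." component, so the launcher cannot be used to run one user's interpreter against another user's tree. What it does not solve: because it is setuid root and takes the jail from argv, whoever can execute it chooses the jail, so it must be executable only by the httpd user and a real deployment would pin the permitted jails (for example to /home/<user> directories) instead of trusting the argument.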
Thread overview: 8+ messages
2004-01-17 3:45 chroot of apache's cgi execution Bostjan Skufca (at) domenca.com
2004-01-17 4:27 ` asterr
2004-01-19 2:11 ` Bostjan Skufca (at) domenca.com
2004-01-17 12:33 ` Joao Schim
2004-01-19 2:09 ` Bostjan Skufca (at) domenca.com
2004-01-19 9:45 ` Joao Schim
2004-01-19 14:02 ` Bostjan Skufca (at) domenca.com [this message]
2004-01-20 5:53 ` Glynn Clements