Re: new version of mod_chroot...

mod_chroot and Apache 2.2.8 on FreeBSD 6.2

Hello,

I try to get mod_chroot working on my FreeBSD Box with Apache 2.2.8 but 
it doesnt work.

Here is the part of my httpd.conf without mod_chroot:

ServerRoot "/usr/local"
DocumentRoot "/usr/local/www/apache22/data"

after mod_chroot:

ServerRoot "/usr/local"
ChrootDir "/usr/local"
DocumentRoot "/"
PidFile "/httpd.pid"

the rest is unchanged.

My websides are in the directories:

/usr/local/www/side1
/usr/local/www/side2

So I changed in my vhosts.conf the DocumentRoot to "/side1" and so on.

No I start the apache Webserver.

Apachectl tells me:

Warning: DocumentRoot [/side1] does not exist

The logfile of my apache says:

[Thu Apr 03 09:35:07 2008] [notice] Apache/2.2.8 (FreeBSD) PHP/5.2.5 
with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.7e-p1 mod_chroot/0.5 
configured -- resuming normal operations
[Thu Apr 03 09:35:07 2008] [info] Server built: Mar  5 2008 14:13:59
[Thu Apr 03 09:35:07 2008] [debug] prefork.c(991): AcceptMutex: flock 
(default: flock)
[Thu Apr 03 09:35:43 2008] [crit] (2)No such file or directory: 
mod_rewrite: could not init rewrite log lock in child

and the logfile of my virtual host says:

[Thu Apr 03 09:35:42 2008] [error] [client 62.159.94.122] client denied 
by server configuration: /side1/

the sides are owned by www.

Where is my fault?

Regards,

Soeren

Re: [info <at> ch2o.info] Re: new version of mod_chroot...

info <at> ch2o.info wrote:
>> 1. It makes mod_chroot much more complicated and error-prone. It
>> also changes mod_chroot behavior: it's now directly involved in
>> request processing, creating big additional risk.
> [Mathieu CARBONNEAUX] You can can desactivate the path translation
> (ChrootFixRoot no) to work like the current version but with the
> advantage of the chrooting in child_init (this not require the path
> translation) phase (pid file, lockfile, scoreboard file are made
> outside the chroot and the apache reload work!).
> 
> Also it possible to rename ChrootFixRoot with
> ChrootPathTranslation...
> 
> If it's deactivated no work are done in request processing...
> 
> But with the constraint of the documentroot directory existance check
> that are done before chroot (problem already existing in current
> version, is one of the problem that the path translation adresse)...
I understand that. I just don't really like the solution :)
> 
>> It also breaks Apache's behavior people are used to: suddenly order
>> of configuration directives matters (DocumentRoot before
>> ChrootDir...).
>> 
> [Mathieu CARBONNEAUX] you dont need to set documentroot before
> chrootdir if you set directly the path in chrootdir!! (if you not use
> the vars:DOCUMENT_ROOT with chrootdir)
> 
> and you can use documentroot in virtualhost, it's work fine also (all
> are translated with the current document_root, and it's reseted by
> apache at each request...)...chrootdir use only the globale
> documentroot if you use vars:document__root...
But you still can't have different ChrootDirs for different virtual
hosts... So basically your "var:..." expression is evaluated only once.
I believe it's better to enter the path directly and have less code.

>> 2. It doesn't actually make things much easier: while altering 
>> virtual-to-physical mapping hides the fact we're chrooted, it
>> doesn't help PHP/Perl/CGI scripts. Users can get confused; I prefer
>> to have the user thoroughly understand what's going on BEFORE
>> things start to work, not at some random moment in the future.
> [Mathieu CARBONNEAUX] If the application (the mod_php/perl/...
> application) receve the real path in the chroot. is a problem ? the
> developper need only to take care of absolute path set in her code
> (like path stored in configuration file), all path are send to
> php/perl by apache are real path inside the jail! And can be directly
> used by the code...
Apache does not really send paths to scripts. It passes the script path
to the interpreter, but if the script needs to use an absolute path, it
needs to take the jail into account.
> CGI are not realy fast option to execute dynamique application... :) 
> And is so complex to make in place, you must copy all necessary
> library in the chroot... all the benefit of the mod_chroot idea are
> loosed...
You would be surprised how many big, commercial applications run as CGI...

>> 4. It's contains unnecessary code. While I understand your joy in 
>> implementing "var:" prefix for ChrootDir, I believe it's better not
>> to have extra 34 lines of code at the cost of repeating exactly ONE
>> path in httpd.conf. In other words,
>> 
>> DocumentRoot /var/www ChrootDir /var/www
>> 
>> (or other way around!) is much better than
>> 
>> DocumentRoot /var/www ChrootDir var:DOCUMENT_ROOT +extra code 
>> +spurious error when they appear in different order
>> 
> [Mathieu CARBONNEAUX] It's only facility... :)
Please, please, understand that more code doesn't mean better code. It
usually means *worse* code. It means more bug possibilities. We could
add thousands of features to mod_chroot, but we don't, because they fit
better elsewhere...
>> I also believe rlimit checks are not necessary. If coredump size
>> limit is set to zero, we should accept it. It's not our business.
>> It's definitely not worth the cost of adding autoconf to the mix...
>> 
>> 
> [Mathieu CARBONNEAUX] It's check to verify if try to use
> coredumpdirectory with core ulimit set to 0 (the default case of
> suse!)... apache say nothing in this case... and no dump done wihtout
> information of apache why...
> 
> With this check apache stop at starting with error if you use
> coredumpdirectory (if you set this directive is why you need to dump!
> And you need to have max dump size >0!) with dump size to 0...
I read your code and I understand why you wrote those checks. I just
happen to think it's not our business. I mean - Apache doesn't check it
for itself, why should WE put this check to mod_chroot, which IS NOT
meant to have anything to do with coredumps?!?
:)
We could also check if all files in DocumentRoot are readable, if the 
partition holding coredumps has enough space to store coredumps, if the 
directory is writable, etc, etc, etc. But it's not our business.

>> 5. While solving the pidfile problem is really cool, I don't really
>> like the way it's done. Dear list, what do you think?
> [Mathieu CARBONNEAUX] The good whay is to add new hook to apache
> before unixd_setup_child... It's the way i would like to suggest to
> add in ap 2.x dev trunk in the apache dev list.
That would be a nice and clean solution. And it's backwards 
compatible... But it would only make sense for Apache 2.0/2.2, see below.

> But for all existing apache binary installlation (specialy in
> enterprise situation) where is not possible to recompile apache
> code... this way are the only way to do...
> 
> because ap child_init hook occure after apache as set the uid with
> setuid!
> 
> And chroot can only made in uid root...
> 
> is why i fake apache by setting the uid to 0 (root) after apache
> config (post_config phase) in the last phase before child fork (the
> "pre_mpm" hook  are juste before child fork, in that lat other apache
> module to modify uid before i save it!) in that way the
> unixd_setup_child make setuid(0) in place of setuid(the uid) and in
> the "child_init hook" i can make the chroot (beceause i'm root!) the
> child (and only the child not the master process) and reestablish the
> desired uid and late apache to continue normaly...
Again, I understand your reasons, but I don't agree it's the only way.
We can leave things as they are now, and refrain from messing with
Apache's internal variables.

Good news for all of us: next version of Apache (2.4) will support 
chroot()ing out of the box!

regards,
--

-- 
Marek Gutkowski

Re: [info <at> ch2o.info] Re: new version of mod_chroot...

Mathieu CARBONNEAUX wrote:
> Hi all,
> 
> complet rewrit version...
> 
> 
> transparantly rewrite all file path internaly in apache like mod_alias 
> to fake all programme and module of apache.
> with that you don't need to trick with document root in chroot and 
> outside chroot...
> 
> also fake coredumpdirectory...
> 
> all file (pid, lockfile, scoreboard...) created in mpm phase are created 
> outside the jail without probleme beceause the jail is setup at 
> child_init phase...
> 
> the only constraint is to setup documentroot dir in the path of the 
> chroot dir (also for coredumpdirectory)...
> all the rest is standard apache way!!!
Mathieu,

It's a little difficult to read your code, but I did, and it is, in 
fact, a complete rewrite. I don't like it. Here's why:

1. It makes mod_chroot much more complicated and error-prone. It also 
changes mod_chroot behavior: it's now directly involved in request 
processing, creating big additional risk.
It also breaks Apache's behavior people are used to: suddenly order of 
configuration directives matters (DocumentRoot before ChrootDir...).

2. It doesn't actually make things much easier: while altering 
virtual-to-physical mapping hides the fact we're chrooted, it doesn't 
help PHP/Perl/CGI scripts. Users can get confused; I prefer to have the 
user thoroughly understand what's going on BEFORE things start to work, 
not at some random moment in the future.

3. It breaks Apache 1.3 support. You completely removed Apache 1.3 code. 
I understand that's because YOU use Apache 2, but there are some Apache 
1.3 users out there ;)

4. It's contains unnecessary code. While I understand your joy in 
implementing "var:" prefix for ChrootDir, I believe it's better not to 
have extra 34 lines of code at the cost of repeating exactly ONE path in 
httpd.conf. In other words,

DocumentRoot /var/www
ChrootDir /var/www

(or other way around!) is much better than

DocumentRoot /var/www
ChrootDir var:DOCUMENT_ROOT
+extra code
+spurious error when they appear in different order

I also believe rlimit checks are not necessary. If coredump size limit 
is set to zero, we should accept it. It's not our business. It's 
definitely not worth the cost of adding autoconf to the mix...

5. While solving the pidfile problem is really cool, I don't really like 
the way it's done. Dear list, what do you think?

regards,
--

-- 
Marek Gutkowski

mod_perl and mod_chroot problemos

apache-2.2?

Hello

Any issues with mod_chroot-0.5 and apache-2.2?

Thanks!
hanji

Fw: Unable to get cURL/https + mod_chroot to work [SOLVED]

On Wed, 19 Sep 2007 23:33:34 +0200
Marek Gutkowski <hobbit <at> core.segfault.pl> wrote:

> hanji wrote:
> > Anyone? Anyone? 
> > 
> > I also discoverd that the cURL connection to 443 in fact works, but 
> > it takes approximately an hour??? It's crazy, but it's definitely
> > connecting to the site and is slowly able to retrieve information.
> > Again, removing mod_chroot and everything works fine, so there is
> > something definitely wrong with my chroot. 
> 
> Your /dev/urandom is actually /dev/random, which blocks if entropy is 
> not available. Create a good one (1, 9 - NOT 1,8).
> And please upgrade mod_chroot :)
> 
> regards,
> -- 
> Marek Gutkowski

Marek

Thank you thank you thank you!

changing urandom to 1,9 did the trick!!! I don't have /dev/random
anywhere, so I stuck with urandom. I'll update mod_chroot tonight as
well. 0.5 is available in Gentoo portage.

Thanks!!!!!!!
hanji

Unable to get cURL/https + mod_chroot to work

Hello All

I'm running out of options, and I'm hoping that someone on this list
can help solve my problem. My problem is this. With mod_chroot and
cURL, I'm unable to connect to a server over SSL. If I restart apache
without mod_chroot, then everything works great. I've posted info at
the cURL mailing list, along with other forums to help get this solved,
but not getting much response. I'm hoping that someone here already has
addressed this, since it might be simple solution like missing files in
the jail.

What happens when I try to connect with a PHP app, is a perpetual
hang.  It doesn't seem to ever time out and die. I have strace
available with the specific area of the cURL call and the 443 connection here:
http://www.uno-code.com/files/curl.txt

The common cURL+chroot problems are usually about resolve and certs. I
do have a resolv.conf in the jail (/var/chroot/apache/etc/resolv.conf)
and the application seems to be able to do reverse look up, so that
looks good. Also I have the correct cURL certs in the jail
(/var/chroot/apache/etc/ssl/certs/ca-certificates.crt). I can't verify
that this is working 100%. I've hardcoded the ca path in my app, but
I'm unable to identify if it picks it up.. .or where things break.

Here is my recent post to cURL mailing list:
http://curl.haxx.se/mail/curlphp-2007-09/0037.html

Here is my original post (a while back) at cURL mailing list:
http://curl.haxx.se/mail/curlphp-2007-04/0023.html

My relevant packages (Gentoo Linux System)
mod_chroot-0.4
curl-7.16.4
php-4.4.8_pre20070816
apache-2.0.59-r5

I look forward to a reply. Thanks in advance.
hanji

chroot and suexec

Hello,

I've a problem when using mod chroot with suexec... The binary isn't found !

My configuration : 

ChrootDir /home/apache

log error : No such file or directory: exec of '/home/apache/bin/suexec' failed

Where I can change the suexec path ? How it must be configured ?

Thanks for your help

using mod_chroot functions for extending mod_auth_mysql

Dear all, 

I have tried using the mod_chroot function 

cmd_chroot_dir 

to extend the mod_auth_mysql module. 

What is the story?
I have a site with a huge database of users. 
They need webdav service. 
I loaded the Apache 2.2.4 with the mod_dav, mod_dav_fs, mod_auth_mysql. 
Now I need to chroot users who login to webdav service via the mod_auth_mysql 
authentication mechanisms. 
Since this is a huge structure of subdirectories - I want mod_auth_mysql to 
reconstruct the user root path and to chroot the user to this dir when using 
webdav service. 

Anyway, I edited the mod_auth_mysql-3.0.0 that I got from the Fedora 7 
repository. 

I first edited mod_chroot.c and added 
#include "apr_optional.h"
APR_DECLARE_OPTIONAL_FN(const char *, cmd_chroot_dir, (cmd_parms *, void *, 
const char *));

and added
APR_REGISTER_OPTIONAL_FN(cmd_chroot_dir);

to register_hooks function

mod_chroot compiled well and apache started ok. 

then I edited the mod_auth_mysql.c and added:

APR_OPTIONAL_FN_TYPE(cmd_chroot_dir) *mchr_pfn_cmd_chroot = 
APR_RETRIEVE_OPTIONAL_FN (cmd_chroot_dir);

and called:
mchr_pfn_cmd_chroot(NULL, NULL,"2006/5/24/32301");

The webdav was set to open files/ directory, and 2006/5/24/32301 is a 
subdirectory of an existing user. I added this static path just for test 
purposes. 

This also compiled and the apache started ok. 

But when I logged onto webdav server the apache segfaulted. 

I'm not sure if I passed correct parameters to cmd_chroot_dir
Maybe I have to do something else before calling the cmd_chroot_dir?
Maybe I should pass a full path of the dir?

Is there anything you could advice to make this work?

Thanks
Milosh

Unable to get cURL/https + mod_chroot to work

Hello All

I'm new to the list and to mod_chroot. I'm running into a problem that
I'm hoping that someone will be able to help out. It's related to PHP's
cURL to https while in mod_chroot jail.

I've seen posts mentioning this:
http://curl.haxx.se/mail/curlphp-2005-10/0020.html

I've verified that I have /dev/null and /dev/urandom in the jail. I
also verfied that I have the /usr/share/curl/curl-ca-bundle.crt in the
jail as well.

My server is Gentoo based web server with the following packages
installed (just relating to the test)
kernel: 2.6.18-hardened-r6
www-apache/mod_chroot-0.4
net-www/apache-2.0.58-r2
dev-lang/php-4.4.6 
net-misc/curl-7.15.1-r1

When I execute the following curl test script (URLs and IPs have been
altered for this mailing list) the script will 'hang' forever without
completing. If I remove mod_chroot, then everything works as expected.

<?
$hostURL = "https://secure.test.com/";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $hostURL);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('User-Agent: test/a.b.c'));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($ch, CURLOPT_CAINFO, "/usr/share/curl/curl-ca-bundle.crt");
$result         = curl_exec ($ch);
curl_close ($ch);
echo $result
?>

I ran strace during this test.. and it appears that everything is
working fine, then it goes to perpetual waitpid since I don't have
timeout opt set. Any ideas on where to start looking?

Thanks in advance!
hanji

OUTPUT of strace:

14800 connect(35, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("66.219.xxx.xxx")}, 28) = 0 14800 fcntl64(35,
F_GETFL)              = 0x2 (flags O_RDWR) 14800 fcntl64(35, F_SETFL,
O_RDWR|O_NONBLOCK) = 0 14800 gettimeofday({1177440681, 741919}, NULL) =
0 14800 poll([{fd=35, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
14800 send(35, "\227\261\1\0\0\1\0\0\0\0\0\0\6secure\ftest"..., 41,
MSG_NOSIGNAL) = 41 14800 poll([{fd=35, events=POLLIN, revents=POLLIN}],
1, 5000) = 1 14800 ioctl(35, FIONREAD, [133])        = 0
14800 recvfrom(35, "\227\261\201\200\0\1\0\1\0\2\0\2\6secure\ftest"...,
1024, 0, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("66.219.xxx.xxx")}, [16]) = 133 14800
close(35)                         = 0 14800
time(NULL)                        = 1177440681 14800
gettimeofday({1177440681, 744982}, NULL) = 0 14800
gettimeofday({1177440681, 745021}, NULL) = 0 14800 socket(PF_INET,
SOCK_STREAM, IPPROTO_IP) = 35 14800 futex(0xb7bdfa38, FUTEX_WAKE,
2147483647) = 0 14800 fcntl64(35, F_GETFL)              = 0x2 (flags
O_RDWR) 14800 fcntl64(35, F_SETFL, O_RDWR|O_NONBLOCK) = 0 14800
connect(35, {sa_family=AF_INET, sin_port=htons(443),
sin_addr=inet_addr("66.219.xxx.xxx")}, 16) = -1 EINPROGRESS (Operation
now in progress) 14800 poll([{fd=35, events=POLLOUT, revents=POLLOUT}],
1, 300000) = 1 14800 getsockopt(35, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
14800 gettimeofday({1177440681, 745726}, NULL) = 0 14800
gettimeofday({1177440681, 745763}, NULL) = 0 14800
stat64("/dev/urandom", {st_mode=S_IFCHR|0444, st_rdev=makedev(1,
8), ...}) = 0 14800 open("/dev/urandom", O_RDONLY)    = 36 14800
read(36, "\330K\17\266\236s\20\246", 1024) = 8 14800 read(36,
<unfinished ...> 13230 <... select resumed> )            = 0 (Timeout)
13230 clone(child_stack=0,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0xb7ab86f8) = 23583 13230 waitpid(-1,  <unfinished ...>
23583 rt_sigaction(SIGHUP, {0x8067f60, [], SA_INTERRUPT},
<unfinished ...> 13230 <... waitpid resumed> 0xbf9f96d8,
WNOHANG|WSTOPPED) = 0 23583 <... rt_sigaction resumed> {0x8067b30, [HUP
USR1], 0}, 8) = 0 13230 select(0, NULL, NULL, NULL, {1, 0}
<unfinished ...> 23583 rt_sigaction(SIGTERM, {0x8067f60, [],
SA_INTERRUPT}, {0x8067b10, [], 0}, 8) = 0 23583 rt_sigaction(SIGUSR1,
{SIG_IGN}, {0x8067b30, [HUP USR1], 0}, 8) = 0 23583
geteuid32()                       = 0 23583
setgid32(81)                      = 0 23583
open("/proc/sys/kernel/ngroups_max", O_RDONLY) = -1 ENOENT (No such
file or directory) 23583 open("/etc/group", O_RDONLY)      = 34 23583
fcntl64(34, F_GETFD)              = 0 23583 fcntl64(34, F_SETFD,
FD_CLOEXEC)  = 0 23583 _llseek(34, 0, [0], SEEK_CUR)     = 0 23583
fstat64(34, {st_mode=S_IFREG|0644, st_size=13, ...}) = 0 23583
mmap2(NULL, 13, PROT_READ, MAP_SHARED, 34, 0) = 0xb6f2d000 23583
_llseek(34, 13, [13], SEEK_SET)   = 0 23583 fstat64(34,
{st_mode=S_IFREG|0644, st_size=13, ...}) = 0 23583 munmap(0xb6f2d000,
13)            = 0 23583 close(34)                         = 0 23583
setgroups32(1, [81])              = 0 23583
geteuid32()                       = 0 23583
setuid32(81)                      = 0 23583
time(NULL)                        = 1177440681 23583 semop(2457603,
0xb7c91c0c, 1 <unfinished ...> 13230 <... select resumed> )
= 0 (Timeout) 13230 waitpid(-1, 0xbf9f96d8, WNOHANG|WSTOPPED) = 0
13230 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
13230 waitpid(-1, 0xbf9f96d8, WNOHANG|WSTOPPED) = 0
13230 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
13230 waitpid(-1, 0xbf9f96d8, WNOHANG|WSTOPPED) = 0
13230 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
13230 waitpid(-1, 0xbf9f96d8, WNOHANG|WSTOPPED) = 0
13230 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
13230 waitpid(-1, 0xbf9f96d8, WNOHANG|WSTOPPED) = 0
13230 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
13230 waitpid(-1, 0xbf9f96d8, WNOHANG|WSTOPPED) = 0
13230 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
13230 waitpid(-1, 0xbf9f96d8, WNOHANG|WSTOPPED) = 0
13230 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
13230 waitpid(-1, 0xbf9f96d8, WNOHANG|WSTOPPED) = 0
13230 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
13230 waitpid(-1, 0xbf9f96d8, WNOHANG|WSTOPPED) = 0
13230 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)