David Fletcher | 11 Jul 20:34 2004

Chroot and name resolution with PHP

Hi,

I'm using mod_security-1.8.3, with Apache httpd-2.0.50 and PHP 4.3.7 on
Slackware Linux.

In one of my PHP scripts I use the fsockopen function, which requires a
name (e.g. www.example.com) to be resolved. This works fine if I do not use
the chroot capabilities of mod_security. However, with the chroot running,
I get errors like 

Warning: fsockopen(): php_network_getaddresses: getaddrinfo failed: Name
or service not known

Adding these files to the chroot gets rid of the problem:

/chroot/apache/lib/libnss_dns.so.2
/chroot/apache/libnss_files.so.2
/chroot/apache/libresolv.so.2
/chroot/apache/etc/resolv.conf

Everything else in the chroot works really well using mod_security, without
having to find all the libraries and put them in the chroot. That's what I
really like about mod_security!

Is there some way to avoid the need to put these name resolution libraries
in the chroot?

Thanks for any help,

David Fletcher.

Ivan Ristic | 11 Jul 21:02 2004

Re: Chroot and name resolution with PHP

David Fletcher wrote:
> Hi,
> 
> I'm using mod_security-1.8.3, with Apache httpd-2.0.50 and PHP 4.3.7 on
> Slackware Linux.
> 
> In one of my PHP scripts I use the fsockopen function, which requires a
> name (e.g. www.example.com) to be resolved. This works fine if I do not use
> the chroot capabilities of mod_security. However, with the chroot running,
> I get errors like 
> 
> Warning: fsockopen(): php_network_getaddresses: getaddrinfo failed: Name
> or service not known
> 
> Adding these files to the chroot gets rid of the problem:
> 
> /chroot/apache/lib/libnss_dns.so.2
> /chroot/apache/libnss_files.so.2
> /chroot/apache/libresolv.so.2
> /chroot/apache/etc/resolv.conf
> 
> Everything else in the chroot works really well using mod_security, without
> having to find all the libraries and put them in the chroot. That's what I
> really like about mod_security!
> 
> Is there some way to avoid the need to put these name resolution libraries
> in the chroot?

  I don't think so. PHP probably initializes its library only after
  chroot takes place so the files do have to be there for it to


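The file set named in this thread, turned into a pre-flight check for a chroot tree. This is an added example, not part of either post or of mod_security; the function names and the library directories searched inside the jail are assumptions.

```shell
#!/bin/sh
# Added example: report which name-resolution files are missing from a
# chroot tree. glibc loads its NSS modules with dlopen() on the first
# lookup, so a process that first resolves a name after chroot(2) needs
# them inside the jail.
# Usage: missing_resolver_files /chroot/apache

# File names taken from the thread.
NSS_LIBS="libnss_dns.so.2 libnss_files.so.2 libresolv.so.2"
CONF_FILES="etc/resolv.conf"
# Assumption: directories (relative to the jail) where the loader looks.
LIB_DIRS="lib lib64 usr/lib usr/lib64"

# Prints one missing file per line.
# Returns 0 when the set is complete, 1 otherwise.
missing_resolver_files() {
    jail=$1
    missing=0
    for lib in $NSS_LIBS; do
        found=0
        for dir in $LIB_DIRS; do
            if [ -r "$jail/$dir/$lib" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$lib"
            missing=1
        fi
    done
    for conf in $CONF_FILES; do
        # -s: the file must exist and be non-empty
        if [ ! -s "$jail/$conf" ]; then
            echo "$conf"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: a throwaway jail that lacks libnss_files.so.2.
demo_jail() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/lib" "$d/etc"
    : > "$d/lib/libnss_dns.so.2"
    : > "$d/lib/libresolv.so.2"
    echo "nameserver 192.0.2.53" > "$d/etc/resolv.conf"  # constructed value
    echo "$d"
}
```

Running the check before restarting Apache surfaces a missing file as a named entry instead of a getaddrinfo failure at request time.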