headers
David Fletcher | 11 Jul 20:34
Picon
Favicon

Chroot and name resolution with PHP

Hi,

I'm using mod_security-1.8.3, with Apache httpd-2.0.50 and PHP 4.3.7 on
Slackware linux.

In one of my PHP scripts I use the fsockopen function, which requires a
name (e.g www.example.com) to be resolved. This works fine if I do not use
the chroot capabilities of mod_security. However, with the chroot running,
I get errors like 

Warning: fsockopen(): php_network_getaddresses: getaddrinfo failed: Name
or service not known

Adding these files to the chroot gets rid of the problem:

/chroot/apache/lib/libnss_dns.so.2
/chroot/apache/libnss_files.so.2
/chroot/apache/libresolv.so.2
/chroot/apache/etc/resolv.conf

Everything else in the chroot work really well using mod_security, without
having to find all the libraries and put them in the chroot. That's what I
really like about mod_security!

Is there some way to avoid the need to put these name resolution libraries
in the chroot?

Thanks for any help,

David Fletcher.

--

-- 
-------------------------------------------------
Email: David at megapico dot co dot uk
-------------------------------------------------

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
Permalink | Reply | 1 comment |
headers
Ivan Ristic | 11 Jul 21:02

Re: Chroot and name resolution with PHP

*



David Fletcher wrote:
> Hi,
> 
> I'm using mod_security-1.8.3, with Apache httpd-2.0.50 and PHP 4.3.7 on
> Slackware linux.
> 
> In one of my PHP scripts I use the fsockopen function, which requires a
> name (e.g www.example.com) to be resolved. This works fine if I do not use
> the chroot capabilities of mod_security. However, with the chroot running,
> I get errors like 
> 
> Warning: fsockopen(): php_network_getaddresses: getaddrinfo failed: Name
> or service not known
> 
> Adding these files to the chroot gets rid of the problem:
> 
> /chroot/apache/lib/libnss_dns.so.2
> /chroot/apache/libnss_files.so.2
> /chroot/apache/libresolv.so.2
> /chroot/apache/etc/resolv.conf
> 
> Everything else in the chroot work really well using mod_security, without
> having to find all the libraries and put them in the chroot. That's what I
> really like about mod_security!
> 
> Is there some way to avoid the need to put these name resolution libraries
> in the chroot?


  I don't think so. PHP probably initializes its library only after
  chroot takes place so the files do have to be there for it to
  work.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
Permalink | Reply | 0 comments |

Gmane