Re: [users@httpd] suexec with mod_chroot: "command not in docroot "

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wednesday 20 July 2005 17:12, Gold, Samuel (Contractor) wrote:

> Cwd is current working directory, it is an environment variable.  At least
> from what I understand.  I am not sure what dwd is though.  Have you tried
> to use truss or strace to see if you are missing a command in your chrooted
> environment?  What OS are you using?

I've used makejail to make sure that all libs are there. It does not seem to 
be a lib thing IMHO.

I find it interesting what Joshua writes:
> Your problem is probably that getcwd is returning the full
> (non-chrooted) path to AP_DOC_ROOT inside the jail.  I don't know how
> to get around that.

Does anybody have a idea, how I could test for that?

My other plan is to try sbox - it may handle the situation better.

Now, I'm rebuilding the Ubuntu apache2 package from source (the second time), 
with a more informative error message (outputting dwd).

Let's see.

>
> -----Original Message-----
> From: dAniel hAhler [mailto:apache-users@xxxxxxxxxx]
> Sent: Wednesday, July 20, 2005 12:58 AM
> To: users@xxxxxxxxxxxxxxxx
> Subject: [users@httpd] suexec with mod_chroot: "command not in docroot"
>
>
> Hi,
>
> I've installed mod_chroot for Apache (2.0.53-Ubuntu), but have now problems
> with suexec complaining:
>
> [2005-07-20 06:28:13]: uid: (1003/xxxxx) gid: (1003/1003) cmd:
> php4-fcgi-starter
> [2005-07-20 06:28:13]: command not in docroot
> (/fcgi-scripts/web2/php4-fcgi-starter)
>
> php4-fcgi-starter is a script that should start php-fcgi (I'm using
> mod_fastcgi).
>
> My suexec-docroot is "/", because of mod_chroot:
> # /usr/lib/apache2/suexec2 -V
>  -D AP_DOC_ROOT="/"
>  -D AP_GID_MIN=100
>  -D AP_HTTPD_USER="www-data"
>  -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
>  -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
>  -D AP_UID_MIN=100
>  -D AP_USERDIR_SUFFIX="public_html"
>
> Therefor I have rebuild the Ubuntu package from source (got the error
> "cannot
> get docroot information (/var/www)" before).
>
> From suexec.c it is this part that throws the error:
>    if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
>         log_err("command not in docroot (%s/%s)\n", cwd, cmd);
>         exit(114);
>     }
>
> I'm not sure, what cwd and dwd are set to, but it errors here.. :(
>
> btw: this error message should be changed into something more verbose:
> log_err("command (%s/%s) not in docroot (%s)\n", cwd, cmd, dwd); like some
> of the others, too.
>
> It is really frustrating and would be much easier in my humble opinion, if
> suexec would have a chroot() functianality.
>
> Do you have any suggestions? Is it a bug in suexec?
>
> Thanks for any ideas and suggestions.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info. To
> unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux