To clarify what I would like to achieve, I paste the post I sent to the modperl mlist:

--------------------------------------------------------------------
Hello all,

is there a way to chroot execution of perl script within apache?

Basically what I would like to achieve is like this:
There are users on the system and these users have their homedirs - as usual. Within these homedirs they have domain directories which hold files for assigned domains and every domain dir has its own cgi-bin directory, eg:

/home
/home/user01
/home/user01/domain01.com
/home/user01/domain01.com/cgi-bin
/home/user01/domain02.com
/home/user01/domain02.com/cgi-bin
/home/user01/domain03.com
/home/user01/domain03.com/cgi-bin
/home/user02
/home/user02/domain04.com
/home/user02/domain04.com/cgi-bin
/home/user02/domain05.com
/home/user02/domain05.com/cgi-bin
/home/user02/domain06.com
/home/user02/domain06.com/cgi-bin
/home/user02/domain07.com
/home/user02/domain07.com/cgi-bin
etc.

Now I would like to chroot execution of cgi's for domain01, domain02 and domain03 to /home/user01 and likewise for domain04, domain05, domain06 and domain07 to /home/user02.

Therefore apache's srm.conf entries should look somewhat like this (note the CGIChroot directive):

<VirtualHost *>
    CGIChroot /home/user01
    DocumentRoot /home/user01/domain01.com
    ServerName domain01.com
    CustomLog logs/domain01.com.access.log combined
</VirtualHost>

<VirtualHost *>
    CGIChroot /home/user02
    DocumentRoot /home/user02/domain04.com
    ServerName domain04.com
    CustomLog logs/domain04.com.access.log combined
</VirtualHost>

Now my question: is this by any means possible to achieve? Could invocation of perl be done through some setuid root program which would chroot to given directory first (assuming perl and necessary libraries are installed in every user's homedir), drop privileges back to apache-default or whatever specified and execute the cgi script?
--------------------------------------------------------------------

On Monday 19 of January 2004 10:45, Joao Schim wrote:
> No, of course it doesn't,
>
> We don't want to run all httpd children as root do we?
> Then the safety level gained with chroot() is lost by the
> fact you run as root. chroot() is easily broken by root
> anyway, so you end up with a really false sense of security.
>
> Regards,
>
> Joao
>
> On Mon, 19 Jan 2004 03:09:33 +0100
>
> "Bostjan Skufca (at) domenca.com" <bostjan.skufca@xxxxxxxxxxx> wrote:
> > it doesn't fit per-vhost requirement
> >
> > On Saturday 17 of January 2004 13:33, Joao Schim wrote:
> > > Maybe this can help you?
> > >
> > > http://www.devet.org/apache/chroot/
> > >
> > > Kind regards,
> > >
> > > Joao Schim
> > >
> > > On Sat, 17 Jan 2004 04:45:24 +0100
> > >
> > > "Bostjan Skufca (at) domenca.com" <bostjan.skufca@xxxxxxxxxxx> wrote:
> > > > Hello all,
> > > >
> > > > can anybody give me some hint about chrooting execution of cgi script
> > > > invoked through apache?
> > > > I would like to achieve this on per-virtual-host basis so every
> > > > virtual host would have different root dir to which it would chroot
> > > > execution of its cgi scripts. If the price is perl installation in
> > > > every chroot jail so be it.
> > > >
> > > > Best regards,
> > > >
> > > > Bostjan Skufca
> > > >
> > > > -
> > > > : send the line "unsubscribe
> > > > linux-admin" in the body of a message to majordomo@xxxxxxxxxxxxxxx
> > > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
> > --
> > Best regards,
> >
> > Bostjan Skufca
> > system administrator
> >
> > Domenca d.o.o.
> > Phone: +386 4 5835444
> > Fax: +386 4 5831999
> > http://www.domenca.com

--
Best regards,

Bostjan Skufca
system administrator

Domenca d.o.o.
Phone: +386 4 5835444
Fax: +386 4 5831999
http://www.domenca.com
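
Added example, not part of the original thread: the two core steps of the setuid-root launcher asked about above, in C. It maps a CGI path to its per-user jail, then does chroot followed by an irreversible privilege drop, which addresses the reply's point that root can break out of a chroot. The function names and the strict /home/<user>/<domain>/cgi-bin shape check are assumptions based on the directory listing in the post.

```c
#define _GNU_SOURCE   /* chroot() and setgroups() prototypes on glibc */
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: split "/home/<user>/<domain>/cgi-bin/<script>" into the
 * jail "/home/<user>" and the script path as seen from inside that jail.
 * Returns 0, or -1 for any other shape ("."/".."/hidden or empty components). */
int split_jail_path(const char *script, char *jail, size_t jlen, const char **inside)
{
    if (strncmp(script, "/home/", 6) != 0 || strstr(script, "/.") || strstr(script, "//"))
        return -1;
    const char *user_end = strchr(script + 6, '/');
    const char *dom_end = user_end ? strchr(user_end + 1, '/') : NULL;
    if (!dom_end || strncmp(dom_end, "/cgi-bin/", 9) != 0 || dom_end[9] == '\0')
        return -1;
    size_t n = (size_t)(user_end - script);
    if (n >= jlen)
        return -1;
    memcpy(jail, script, n);
    jail[n] = '\0';
    *inside = user_end;              /* e.g. "/domain01.com/cgi-bin/test.pl" */
    return 0;
}

/* Hypothetical helper, run as root: chroot() first (it needs root), then drop
 * supplementary groups, gid and uid in that order so root cannot be regained. */
int enter_jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                   /* root inside a chroot can leave it */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;  /* root must not be recoverable */
}

int main(void)
{
    /* Constructed sample path following the layout in the post. */
    const char *script = "/home/user01/domain01.com/cgi-bin/test.pl", *inside;
    char jail[256];
    if (split_jail_path(script, jail, sizeof jail, &inside) != 0)
        return 1;
    printf("chroot to %s, then exec %s\n", jail, inside);
    return 0;
}
```

After enter_jail_and_drop() succeeds, the launcher would execve() the in-jail path; perl and its libraries must exist inside the jail, as the post assumes. A deployed launcher would also check that its caller is the web server's user before doing any of this.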