chroot capabilities

Time to get this forum started!

Typically when you chroot PHP there are problems with things like PHP mail() that relies on /usr/sbin/sendmail, which it can no longer access. I note that these problems are not apparent when using peruser with its built-in chroot. In a way this is worrying and implies the chroot isn't really working as expected. Is there an explanation of what exactly the chroot in peruser does?

Thanks.

  • Message #3

    I have seen the same effects. Some things are chrooted, others not. Is one of the developers able to answer this question?

  • Message #4

    I use a program called mini_sendmail inside the chroot so that mail() works (and other stuff that tries to run /usr/sbin/sendmail).

    As for some things not being chrooted, all I can think of is stuff that initializes before the chroot() takes place - like how php reads php.ini from outside the chroot, and any libraries it's linked to. Those libraries need to exist outside the chroot or php won't execute. I install them inside the chroot as well, so php still works in cgi mode and from the command line, inside the jail.

    • Message #6

      I think a chroot howto would be great. Someone who has experience with that stuff should write it. Do you want to do this, Gabriel? :) Or is there someone else who can do this?

      • Message #10

        Yeah I could do that :)

    • Message #8

      Gabriel,

      Is this a valid list of issues people are likely to run into when using peruser's chroot:

       http://core.segfault.pl/~hobbit/mod_chroot/caveats.html

      or are things a little different in our implementation?

      Thanks.

      • Message #9

        It looks like that all applies to us - that LoadFile trick is neat, I never thought about that. I provide a full linux environment inside my user's jails, so I've never needed to handle that library issue.

        • Message #22

          I couldn't actually get the LoadFile thing working with chroot. Mini_sendmail worked fine with the various libraries in the /lib/ directory inside the chroot but not when those same libraries were loaded via the LoadFile statement in the httpd.conf. A strace showed they were being loaded.

          Anyone else had a play with this and managed to get it to work?

      • Message #16

        Of course, but I am sure that there will be more. We should collect all problems and write a howto for all the people who use this to minimize the problems people can have with this feature. Gabriel, could you please make a basic document with your experience? I will contribute my stuff soon. :)

  • Message #32

    I try to run a command like "ls /" from a PHP script inside a jail. The jail was created with jailkit and contains the tool + all required libraries. If I write exec("ls /"); in a PHP script, it returns nothing. Does someone have an idea? Possibly the processor does not have the path or does not know how to find the executable?
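An added example, not part of the thread or of peruser: a small audit that lists which files a jailed command needs but the jail lacks. It covers both the library issue from Message #4 and the exec() case in Message #32, since PHP's exec() runs the command through /bin/sh, so the shell has to exist inside the jail too. The `ldd` output and the function names are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample of `ldd /bin/ls` output (not taken from the thread).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1a5f2000)
\tlibselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f1c2a400000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a200000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a650000)
"""

def parse_ldd(text):
    """Return the absolute file paths named in ldd output.

    The vdso entry and "not found" entries have no path and are skipped.
    """
    paths = []
    for line in text.splitlines():
        m = re.search(r"(/\S+)\s+\(0x[0-9a-f]+\)", line)
        if m:
            paths.append(m.group(1))
    return paths

def missing_in_jail(jail_root, binary, ldd_text, shell="/bin/sh"):
    """List files the jailed command needs that are absent under jail_root.

    The shell is included because exec() starts the command via /bin/sh.
    """
    needed = [binary, shell] + parse_ldd(ldd_text)
    missing = []
    for path in needed:
        inside = os.path.join(jail_root, path.lstrip("/"))
        if not os.path.exists(inside):
            missing.append(path)
    return missing

def demo():
    """Build a throwaway jail lacking /bin/sh and the loader, then audit it."""
    with tempfile.TemporaryDirectory() as jail:
        for rel in ("bin/ls", "lib/x86_64-linux-gnu/libselinux.so.1",
                    "lib/x86_64-linux-gnu/libc.so.6"):
            full = os.path.join(jail, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return missing_in_jail(jail, "/bin/ls", SAMPLE_LDD)

if __name__ == "__main__":
    print(demo())
```

On a real system, feed it the output of `ldd` for the binary and run it a second time for `/bin/sh` itself, since the shell's own libraries must be present in the jail as well.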
