[Fwd: Chroot httpd problem]

Rick Stevens rstevens at vitalstream.com
Tue Mar 8 01:58:33 UTC 2005


calvin at dslextreme.com wrote:
> I am trying to chroot my httpd and so far have not been successful, getting
> the error below when I run it in chroot. I have FC3 and installed httpd,
> mysql during installation. I did lsof -p to find out all the files that
> httpd needed and copied them over to the chroot directory. I changed
> user/group to the user/group I want it to run as. The file it is looking
> for is in both the original location and the chroot directory. I followed
> instructions for chrooting httpd from links I found on Google.
> 
> Mar  6 02:37:07 www chroot: Syntax error on line 6 of
> /etc/httpd/conf.d/auth_mysql.conf:
> Mar  6 02:37:07 www chroot: Cannot load
> /etc/httpd/modules/mod_auth_mysql.so into server: libmysqlclient.so.10:
> cannot open shared object file: No such file or directory
> 
> 
> Anyone have any idea how I could resolve this problem? I even updated my
> apache to 2.0.52 hoping it might fix it but still get the same error.

Once you chroot to a specific directory, anything above it in the normal
directory tree is unavailable.  That's what "chroot" means..."change
the filesystem root for this process".  If you have a process "chroot" 
to, say /usr/local/apache/htdocs, from that point on the process uses
that directory as "/".  You can't go above it.  You won't have access to
/usr/lib or /lib or any of that since they're above your "root".

The only way to make it work is to create /usr/local/apache/htdocs/lib
and /usr/local/apache/htdocs/usr/lib and copy the files you need to
those directories.  Then when you chroot to /usr/local/apache/htdocs,
you'll have a "/lib" and "/usr/lib" available to you.  This is called
"being in a chroot jail".  It's a big security enhancement, but to make
it all work, you have to understand just what you're doing.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      A day for firm decisions!!!   Well, then again, maybe not!    -
----------------------------------------------------------------------
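
An added example, not part of the original thread: `lsof -p` lists only files a running process already has open, so the libraries of a module that failed to load (such as `libmysqlclient.so.10` here) never appear in it. The function below reads `ldd` output for a binary or module and reports every library that is unresolved on the host or absent under the jail directory. The function name and the jail path in the usage comment are assumptions.

```shell
#!/bin/sh
# missing_in_jail JAIL
#   stdin : output of `ldd <file>`, run on the host (outside the jail)
#   stdout: "UNRESOLVED <name>" for libraries ldd could not find at all,
#           "MISSING <path>"    for libraries found on the host but not in JAIL
missing_in_jail() {
    jail=${1%/}                      # drop a trailing slash, if any
    # `read` strips the leading tab and splits off the first field
    while read -r name rest; do
        case $rest in
            "=> not found"*)
                echo "UNRESOLVED $name"
                ;;
            "=> /"*)
                # "libz.so.1 => /usr/lib/libz.so.1 (0x...)"
                path=${rest#"=> "}
                path=${path%%" ("*}  # cut the load address
                [ -e "$jail$path" ] || echo "MISSING $path"
                ;;
            *)
                # "/lib/ld-linux.so.2 (0x...)" is the dynamic loader itself;
                # virtual entries such as linux-gate.so.1 have no path: skip
                case $name in
                    /*) [ -e "$jail$name" ] || echo "MISSING $name" ;;
                esac
                ;;
        esac
    done
}

# Usage (jail path is hypothetical):
#   ldd /etc/httpd/modules/mod_auth_mysql.so | missing_in_jail /chroot/httpd
```

Run it for the httpd binary and for every module named in a LoadModule line, and run `ldd` only on binaries you trust, since it may execute code from the file it inspects.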