[1964] in WWW Security List Archive


Re: chroot-ed httpd

daemon@ATHENA.MIT.EDU (Scott Barman)
Thu May 2 17:35:37 1996

Date: Thu, 2 May 1996 15:05:51 -0400 (EDT)
From: Scott Barman <scott@di2.disclosure.com>
To: tauzell@math.umn.edu
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199605012133.QAA18177@aspen.math.umn.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

On Wed, 1 May 1996 tauzell@math.umn.edu wrote:

> 
> We run NCSA httpd chrooted on our server.  The main reason was so
> that students could write CGI programs.  How much extra security it
> gives us is hard to say, but it can't hurt.  I am now trying to 
> install NCSA httpd 1.5.1 on Solaris and run it chrooted, but am having
> problems.  Anyone out there done this?  Specifically, it can't create
> sockets for the children.

Under Solaris you'll need a few more items in your chroot'ed area than
under "normal" operating systems.  In addition to the shared libraries
(because it is difficult to compile statically linked binaries under
Solaris), you'll need to create the following:

	mknod $CHROOT/dev/ip c 11 3
	mknod $CHROOT/dev/tcp c 11 42
	mknod $CHROOT/dev/ticotsord c 105 1
	mknod $CHROOT/dev/udp c 11 41
	mknod $CHROOT/dev/zero c 13 12

Where CHROOT is set to your change rooted area.  All of the above are
needed for the networking except /dev/zero, which the dynamic loader
uses.  Before you cut and paste this, make sure the major/minor numbers
are correct for your system.  Remember to do an 'ls -lL' for each device
as Solaris now makes those symbolic links to /devices (messy!!).

Also, make sure you have the following under $CHROOT/usr/lib:

  ld.so             libintl.so        libw.so           nss_nisplus.so.1
  ld.so.1           libintl.so.1      libw.so.1         straddr.so
  libc.so           libnsl.so         nss_compat.so.1   straddr.so.2
  libc.so.1         libnsl.so.1       nss_dns.so.1
  libdl.so          libsocket.so      nss_files.so.1
  libdl.so.1        libsocket.so.1    nss_nis.so.1

And make sure they're readable and executable for everyone (don't make
them writable!).

Finally, make sure you have $CHROOT/etc/netconfig readable by all,
which should be nothing more than a copy of /etc/netconfig.

I am taking this from my ftp setup.  I remember going balder when I had
to move it from a system running SunOS to Solaris.  It gave me heartburn
thinking "is this the future?"  No, I am not a fan of Solaris!  (flames
from sun.com welcome!!)

Good luck!

scott barman
--
scott barman                  DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com                      and I speak only for myself.
barman@ix.netcom.com
"... [witness for the defense Dan] Olsen [of BYU] testified that, because the
 government was involved in the initial development of the Internet, he
 believes that the government has a role in determining appropriate technical
 standards for content labeling." (Dr. Olsen must not have read "1984" -sb)
      - quoted from Citizens Internet Empowerment Coalition Trial Update No. 9
        Re: ACLU, et. al. v. Reno on the constitutionality of the CDA
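
[Editor's note: the script below is an added example and is not code from
Scott's message or from NCSA.  It turns the advice above into something
you can run: it derives the mknod lines from the live system's `ls -lL`
output instead of a pasted major/minor list (the caveat in the message),
checks that the listed shared libraries are present under $CHROOT/usr/lib,
and flags any that are not world read/execute or that are group/other
writable.  The CHROOT default, the function names and the sample ls lines
are assumptions made for the example, not anything stated in the thread.]

```sh
#!/bin/sh
# Added example, not code from the original post.  Helpers for building the
# chroot described in the message on a Solaris host: derive mknod commands
# from live `ls -lL` output, check that the listed shared libraries exist,
# and audit their permission bits.  Assumptions not in the post: CHROOT
# defaults to /export/chroot-httpd; the sample ls lines are constructed.

CHROOT="${CHROOT:-/export/chroot-httpd}"

# Device nodes the post says a chrooted NCSA httpd needs on Solaris.
NEEDED_DEVS="ip tcp ticotsord udp zero"

# Shared libraries the post lists for $CHROOT/usr/lib.
NEEDED_LIBS="ld.so ld.so.1 libc.so libc.so.1 libdl.so libdl.so.1
libintl.so libintl.so.1 libnsl.so libnsl.so.1 libsocket.so libsocket.so.1
libw.so libw.so.1 nss_compat.so.1 nss_dns.so.1 nss_files.so.1
nss_nis.so.1 nss_nisplus.so.1 straddr.so straddr.so.2"

# Convert one `ls -lL /dev/NAME` line into the mknod command that recreates
# the node under $CHROOT/dev.  For a character/block device ls prints
# "MAJOR, MINOR" where the size would be, and the mode starts with c or b.
# Following the symlink (-L) matters: Solaris /dev entries point into /devices,
# and a plain `ls -l` shows an 'l' mode with no device numbers at all.
mknod_cmd_from_ls() {
    printf '%s\n' "$1" | awk -v root="$CHROOT" '
        /^[cb]/ {
            type = substr($1, 1, 1)
            maj = $5; sub(/,$/, "", maj)
            name = $NF; sub(/^.*\//, "", name)
            printf "mknod %s/dev/%s %s %s %s\n", root, name, type, maj, $6
            next
        }
        { print "# not a device node (did you use ls -lL?): " $0 }'
}

# Emit mknod commands for every needed device, read from the running system.
# Run this on the Solaris host itself and review the output before executing.
gen_dev_script() {
    for d in $NEEDED_DEVS; do
        mknod_cmd_from_ls "$(ls -lL "/dev/$d" 2>/dev/null || echo "- - - - - - - - /dev/$d")"
    done
}

# Print the names from NEEDED_LIBS that are absent from directory $1.
missing_libs() {
    for l in $NEEDED_LIBS; do
        [ -e "$1/$l" ] || echo "$l"
    done
}

# Classify an `ls -l` mode string (e.g. -rwxr-xr-x) for a library in the
# chroot.  Prints "ok" when everyone can read and execute it and only the
# owner can write it; otherwise prints the problem and returns 1.
lib_mode_check() {
    case "$1" in
        ?????w????|????????w?) echo "writable by group or other"; return 1 ;;
        ?r?xr?xr?x)            echo "ok"; return 0 ;;
        *)                     echo "not readable and executable by all"; return 1 ;;
    esac
}

# Audit every regular file in $1 with the check above; returns 1 if any fail.
# cut -c1-10 drops the ACL/SELinux marker some ls versions append to the mode.
audit_lib_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode=$(ls -l "$f" | cut -c1-10)
        r=$(lib_mode_check "$mode") || { rc=1; echo "$f: $r"; }
    done
    return $rc
}

# Demonstration on constructed Solaris-style `ls -lL` lines (not real output
# from any particular machine): print the mknod commands they imply.  The
# third line deliberately shows what happens when -L was forgotten.
SAMPLE_DEV_LS='crw-rw-rw-   1 root     sys       11,  3 Apr 30 09:12 /dev/ip
crw-rw-rw-   1 root     sys       11, 42 Apr 30 09:12 /dev/tcp
lrwxrwxrwx   1 root     root          24 Apr 30 09:12 /dev/zero -> ../devices/pseudo/mm@0:zero'
printf '%s\n' "$SAMPLE_DEV_LS" | while IFS= read -r line; do
    mknod_cmd_from_ls "$line"
done
```

On the real host, `gen_dev_script` replaces the sample loop and must run as
root; `missing_libs $CHROOT/usr/lib` and `audit_lib_dir $CHROOT/usr/lib`
then tell you what still has to be copied and whether anything in the
chroot's library directory is writable by someone other than root.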