DaemonForums  

#1, 29th June 2008, superslot
apache 2.2.8, is it on chroot by default?

Hi,

I've just started with OpenBSD ....
I've seen that the default httpd is chrooted, but I need Apache 2.2.

So I installed the pkg ... I see it running as the _apache2 user ... but I didn't understand whether it actually is under chroot or not.

Do we have to chroot it manually?

I guess it's the same for the mysql pkg, right?

thanks
#2, 29th June 2008, Oko

Quote: Originally Posted by superslot (post #1, quoted in full)
Of course you have to do it manually. Most OpenBSD users who use Apache use the 1.3 which is in base (it is chrooted) and is for all practical purposes a secure fork of the Apache 1.3 server. Apache 2.2 has license problems and my understanding is that OpenBSD people do not like it very much, but if you have to use some of the new fancy features which Apache 1.3 doesn't have, then you have to do what you have to do.
#3, 29th June 2008, superslot

mmm, I see.

well ... I need load balancing on mongrel (rails) .... I don't see a way to get it with apache 1.3, right?

May I ask if mysql must also be chrooted?
It looks like mysql_safe already does some fixing (and I did a safe_install, removing test etc. etc.)
#4, 29th June 2008, jggimi

The package message for apache-httpd-2.2.8 says:
Quote:
This package provides an unaudited version of apache. For security
reasons, users are STRONGLY encouraged to use the system httpd(8)
instead, if at all possible.
If you must use this unaudited port, you will be responsible for setting up a chrooted environment, if you wish to do so.

Your SQL client libraries, and any other executable code required with your webserver, must be available in your chrooted environment. See FAQ 10.16 for guidance.

Your SQL server, if connected via TCP, need not be chrooted, nor even on the same server.
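jggimi's point that the client libraries and every other object the web server loads must be present inside the chroot is the part people most often get wrong. The script below is an added example, not code from the thread or from OpenBSD: it takes ldd(1) output, pulls out every absolute object path, and copies each file to the same path under the chroot root, creating the directories as it goes. It assumes the OpenBSD ldd table layout (object path in the last column, first line "/path/to/binary:"), and for a runnable demo it uses a constructed throw-away tree standing in for /usr/local/sbin/httpd2 and its libraries, with a second throw-away directory standing in for /var/chroot/http from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: copy a binary and
# the shared objects it needs into a chroot, keeping their directory layout,
# driven by ldd(1) output. Every whitespace-separated field that starts with
# "/" is treated as an object path, which covers the OpenBSD ldd table (path
# in the last column) as well as the "libX => /path (addr)" form.
# Assumption: all object paths are absolute; first line is "/path/to/bin:".

# lib_paths: read ldd output on stdin, print each absolute path once
# (the binary's own header line loses its trailing colon, so it is copied too).
lib_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { sub(/:$/, "", $i); print $i } }' |
        sort -u
}

# populate_chroot ROOT: for each absolute path on stdin, copy the file to
# ROOT/<path>, creating parent directories. Symlinks are followed (-L) so the
# chroot gets the real object; mode and times are preserved (-p).
populate_chroot() {
    root=$1
    while IFS= read -r p; do
        if [ ! -f "$p" ]; then
            echo "skip, not a regular file: $p" >&2
            continue
        fi
        mkdir -p "$root$(dirname "$p")"
        cp -pL "$p" "$root$p"
    done
}

# chroot_has ROOT PATH: succeed if PATH exists as a regular file inside ROOT.
chroot_has() { [ -f "$1$2" ]; }

# demo SRC ROOT: SRC gets a constructed fake tree (stand-in for the real
# httpd2 and its libraries); ROOT plays /var/chroot/http from the thread.
demo() {
    src=$1
    root=$2
    mkdir -p "$src/usr/local/sbin" "$src/usr/lib" "$src/usr/local/lib"
    printf 'fake httpd2\n' > "$src/usr/local/sbin/httpd2"
    printf 'fake libc\n' > "$src/usr/lib/libc.so.99.0"
    printf 'fake apr\n' > "$src/usr/local/lib/libapr-1.so.3.0"
    # Constructed ldd(1) output in the OpenBSD table layout; ld.so is listed
    # but deliberately absent from the fake tree to exercise the skip path.
    printf '%s\n' \
        "$src/usr/local/sbin/httpd2:" \
        "        Start    End      Type  Open Ref GrpRef Name" \
        "        00100000 00120000 exe   1    0   0      $src/usr/local/sbin/httpd2" \
        "        00200000 00210000 rlib  0    1   0      $src/usr/local/lib/libapr-1.so.3.0" \
        "        00300000 00340000 rlib  0    2   0      $src/usr/lib/libc.so.99.0" \
        "        00400000 00401000 ld.so 0    1   0      $src/usr/libexec/ld.so" |
        lib_paths | populate_chroot "$root"
}

# Run the demo on temporary directories and list what landed in the chroot.
s=$(mktemp -d) && r=$(mktemp -d) && demo "$s" "$r" && find "$r" -type f
rm -rf "$s" "$r"
```

On a real system the pipeline is `ldd /usr/local/sbin/httpd2 | lib_paths | populate_chroot /var/chroot/http`, repeated for any module (.so) the server loads at run time, since ldd only reports link-time dependencies. Files that do not exist are reported on stderr rather than silently skipped, which is how a missing library shows up before the first failed start.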
#5, 29th June 2008, superslot

I'm sorry ... I need a little help on this one....

I've made my chroot dir in /var/chroot/http.

Copied all the libs, config files, dev/log, dev/null etc. etc., but my httpd2 won't start ... the error_log says

[crit] (6)Device not configured: apr_proc_detach failed

I'm trying to understand what's going on by doing a ktrace/kdump, grepping on open ... but in my dump I don't get any symbols ... just hex addrs like

... open(0xcfbc2,0,0)

Any idea on how to get a dump with symbols?
Do I need to re-compile httpd2?

Thanks
#6, 30th June 2008, superslot

never mind ... it's something else....
I was grepping for "open" instead of NAMI|open ...

anyhow ... it's a weird failure, the last line of the kdump is a sigprocmask and then an exit(0).

it should be some device ... but I made /dev/null, /dev/random, /dev/urandom in the chroot directory...

:-((
#7, 30th June 2008, superslot

Ok,

just in case someone can help me ..
the error is apparently due to /dev/crypto.

I made the mknod under /jail/dev/ .... and it's there.

but from kdump it says:

"open -1 errno 6 Device not configured"

.....

totally lost.
Any idea?

Thanks
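The trace in posts #6 and #7 is the right tool, but kdump(1) prints the path of a lookup on a NAMI line and the result on a later RET line, so grepping for one kind of line at a time loses the pairing. The following is an added example, not code from the thread or from OpenBSD: it pairs each NAMI line with the RET line of the same system call (per pid, since parent and child processes interleave), lists every open(2) that returned -1 with its errno, and then checks whether each failed path exists under the chroot root. It assumes the "pid name KIND ..." column layout seen in the thread's quoted line "open -1 errno 6 Device not configured", and it runs on a constructed kdump excerpt modelled on this thread.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenBSD: report the open(2)
# calls that failed in a kdump(1) listing together with the path each one
# was resolving. Assumes kdump's "pid name KIND ..." column layout.

# failed_opens: kdump text on stdin; prints one line per failed open:
#   <path> errno=<n> (<message>)
failed_opens() {
    awk '
        $3 == "CALL" { path[$1] = "" }               # new syscall, drop the old path
        $3 == "NAMI" { p = $4; gsub(/"/, "", p); path[$1] = p }
        $3 == "RET" && $4 == "open" && $5 == "-1" {
            msg = ""
            for (i = 8; i <= NF; i++) msg = msg (msg == "" ? "" : " ") $i
            printf "%s errno=%s (%s)\n", path[$1], $7, msg
        }'
}

# check_in_chroot ROOT: for each failed_opens line on stdin, say whether the
# path exists under ROOT. A MISSING node with errno 2 (No such file or
# directory) means a file was never copied in; "Device not configured"
# (errno 6) on a node that IS present, as in the thread, means the node
# exists but the kernel has no device behind it, so copying more files
# into the chroot will not change the outcome.
check_in_chroot() {
    root=$1
    while IFS= read -r line; do
        p=${line%% *}
        if [ -e "$root$p" ]; then
            echo "present in chroot: $line"
        else
            echo "MISSING in chroot: $line"
        fi
    done
}

# sample_kdump: constructed excerpt in kdump layout, modelled on the thread
# (a config file opens fine, /dev/crypto fails with errno 6, a library is
# missing, then sigprocmask and exit(0) as superslot described).
sample_kdump() {
    cat <<'EOF'
  4711 httpd2   CALL  open(0xcfbc2,0,0)
  4711 httpd2   NAMI  "/etc/apache2/httpd2.conf"
  4711 httpd2   RET   open 3
  4711 httpd2   CALL  open(0xcfbe0,0x2,0)
  4711 httpd2   NAMI  "/dev/crypto"
  4711 httpd2   RET   open -1 errno 6 Device not configured
  4711 httpd2   CALL  open(0xcfc10,0,0)
  4711 httpd2   NAMI  "/usr/local/lib/libapr-1.so.3.0"
  4711 httpd2   RET   open -1 errno 2 No such file or directory
  4711 httpd2   CALL  sigprocmask(0x1,0)
  4711 httpd2   RET   sigprocmask 0
  4711 httpd2   CALL  exit(0)
EOF
}

# Run on the constructed sample against an empty temporary "chroot".
tmp=$(mktemp -d)
sample_kdump | failed_opens | check_in_chroot "$tmp"
rm -rf "$tmp"
```

Against a real trace the pipeline is `ktrace -i /usr/local/sbin/httpd2 ...` followed by `kdump | failed_opens | check_in_chroot /var/chroot/http`; the `-i` flag traces the children the server forks, which matters because apr_proc_detach runs after the fork.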
#8, 30th June 2008, BSDfan666

/dev/crypto and /dev/random are related to "hardware" cryptography devices; I have to believe you've configured something incorrectly.

#9, 30th June 2008, superslot

well ... yes, I guess.

but according to the ktrace httpd2 does try to get /dev/crypto .. and also in the apache2 conf there is something about that for SSL (see the last part of http.conf).

I've also tried commenting out the SSL LoadModule ... but still the same error 6, device not configured.

oh boy .. looks like I'm not able to get this chroot working for apache2 ...
I'll try to see if I'm luckier using mod_chroot ...

#10, 30th June 2008, jggimi

Rather than attempting to build /dev or /usr piecemeal, you could replicate them in their entirety. In this way, you will learn if Apache2 can run chrooted or not.

I have never used the application, but I have noted that grepping for "chroot" in the package documentation and man pages comes up empty.