Acidgen n00b
Joined: 01 Mar 2005 Posts: 12
Posted: Tue Mar 01, 2005 1:29 am Post subject: Apache2 and jailed users
Hi everybody!
Have a quiz for y'all.
I have got apache2 outside of a jail (chrooted env), in the main system that is.
All users are jailed to /home/jail (with, of course, their home dirs, e.g. /home/jail/home/USER).
I can't seem to get Apache to point to their
/home/jail/home/*/public_html
Rechecked all perms, still get access denied. I have tried vhosts, I have tried changing the Apache main conf (the /home/*/public_html),
I have tried symlinking in both directions, still problems.
Now, any solutions, or do I REALLY have to jail Apache? The whole point is that they aren't supposed to be able to reach Apache, of course, or any other
vital component. So what's the deal if I chroot everything (apache2, mysql etc.) to /home/jail? If they hack the jail, then they will bring down Apache.
I just want the suckers to create their own homepages in their public_html.
Please, give me some ideas here.
-- Lucas
Acidgen n00b
Joined: 01 Mar 2005 Posts: 12
Posted: Tue Mar 01, 2005 5:51 pm Post subject: Guru
No gurus around, heh?
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Tue Mar 01, 2005 5:57 pm Post subject:
Post your Apache configuration - relevant parts only, comments stripped...
Acidgen n00b
Joined: 01 Mar 2005 Posts: 12
Posted: Tue Mar 01, 2005 6:23 pm Post subject: Zup!
How do I know what's relevant or not when I don't know what the problem is, since every other dir I point the user homes' public_html to is alright,
even /tmp/public_html.
Anyway, here's the HUGE commonapache.conf:
Code: |
User apache
Group apache
ServerAdmin root@localhost
#DocumentRoot /var/www/localhost/htdocs
<Directory />
Options -All -Multiviews
AllowOverride None
<IfModule mod_access.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>
<IfModule mod_userdir.c>
UserDir public_html
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.html index.html.var index.php index.php3 index.shtml index.cgi index.pl index.htm Default.htm default.htm
</IfModule>
AccessFileName .htaccess
<IfModule mod_access.c>
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
</IfModule>
UseCanonicalName On
<IfModule mod_mime.c>
TypesConfig conf/mime.types
</IfModule>
DefaultType text/plain
<IfModule mod_mime_magic.c>
MIMEMagicFile conf/magic
</IfModule>
HostnameLookups Off
EnableMMAP on
<IfModule mod_log_config.c>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost
<IfModule mod_logio.c>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
ServerTokens Full
ServerSignature On
<IfModule mod_alias.c>
Alias /tinki /home/giota/public_html/tinki
ScriptAlias /cgi-bin/ /var/www/localhost/cgi-bin/
ScriptAlias /protected-cgi-bin/ /var/www/localhost/protected-cgi-bin/
ScriptAliasMatch ^/~([^/]*)/cgi-bin/(.*) /home/$1/public_html/cgi-bin/$2
<IfModule mod_perl.c>
#Provide two aliases to the same cgi-bin directory,
#to see the effects of the 2 different mod_perl modes
#for Apache::Registry Mode
Alias /perl/ /var/www/localhost/perl/
#for Apache::Perlrun Mode
Alias /cgi-perl/ /var/www/localhost/perl/
</IfModule>
</IfModule>
<IfModule mod_autoindex.c>
IndexOptions FancyIndexing VersionSort NameWidth=*
AddIconByEncoding (CMP,/icons/compressed.png) x-compress x-gzip
AddIconByType (TXT,/icons/text.png) text/*
AddIconByType (IMG,/icons/image2.png) image/*
AddIconByType (SND,/icons/sound2.png) audio/*
AddIconByType (VID,/icons/movie.png) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip .bz2
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py .php .php3
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* RCS CVS *,v *,t
</IfModule>
<IfModule mod_mime.c>
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddLanguage ca .ca
AddLanguage cz .cz
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage es .es
AddLanguage et .ee
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage kr .kr
AddLanguage ltz .ltz
AddLanguage ltz .lu
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt-br .pt-br
AddLanguage pt .pt
AddLanguage ru .ru
AddLanguage sv .se
AddLanguage tw .tw
AddLanguage zh-tw .tw
AddDefaultCharset ISO-8859-1
<IfModule mod_negotiation.c>
LanguagePriority en fr de es it da nl et el ja kr no pl pt pt-br ru ltz ca sv tw
</IfModule>
<IfModule mod_negotiation.c>
ForceLanguagePriority Prefer Fallback
</IfModule>
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis
AddType application/x-tar .tgz
AddType image/x-icon .ico
AddHandler cgi-script .cgi
AddHandler type-map var
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
AddHandler imap-file map
</IfModule>
# End of document types.
# Alias /error/ "/var/www/localhost/error/"
#
# <Directory "/var/www/localhost/error">
# AllowOverride None
# Options IncludesNoExec
# AddOutputFilter Includes html
# AddHandler type-map var
# Order allow,deny
# Allow from all
# LanguagePriority en es de fr sv
# ForceLanguagePriority Prefer Fallback
# </Directory>
#
# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
# ErrorDocument 410 /error/HTTP_GONE.html.var
# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
# ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var
# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
#ErrorDocument 500 "The server made a boo boo."
<Location /manual>
Options Multiviews
ErrorDocument 404 "The document you requested has not been installed on your system."
</Location>
<IfModule mod_setenvif.c>
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS" redirect-carefully
</IfModule>
<IfModule mod_status.c>
<Location /server-status>
SetHandler server-status
<IfModule mod_access.c>
Order deny,allow
Deny from all
allow from 127.0.0.1
#Allow from .your_domain.com
</IfModule>
</Location>
</IfModule>
<IfModule mod_info.c>
<Location /server-info>
SetHandler server-info
<IfModule mod_access.c>
Order deny,allow
Deny from all
allow from 127.0.0.1
#Allow from .your_domain.com
</IfModule>
</Location>
</IfModule>
<IfModule mod_perl.c>
<Location /perl-status>
SetHandler perl-script
<IfDefine MODPERL2>
PerlResponseHandler Apache::Status
</IfDefine>
<IfDefine !MODPERL2>
PerlResponseHandler ModPerl::Status
</IfDefine>
<IfModule mod_access.c>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</IfModule>
</Location>
</IfModule>
<IfModule mod_include.c>
# XBitHack on
</IfModule>
<IfModule mod_deflate.c>
<Directory "/var/www/localhost/htdocs/manual">
AddOutputFilterByType DEFLATE text/html
</Directory>
</IfModule>
<Directory /var/www/localhost/htdocs>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
<IfModule mod_access.c>
Order allow,deny
Allow from all
</IfModule>
</Directory>
<Directory /var/www/localhost/perl>
AllowOverride All
Options -Indexes FollowSymLinks MultiViews ExecCGI
<IfModule mod_access.c>
Order allow,deny
Allow from all
</IfModule>
</Directory>
<IfModule mod_cgid.c>
# Scriptsock /cgisock
</IfModule>
<Directory /var/www/localhost/cgi-bin>
AllowOverride All
Options ExecCGI
<IfModule mod_access.c>
Order allow,deny
Allow from all
</IfModule>
</Directory>
<Directory /var/www/localhost/protected-cgi-bin>
AllowOverride All
Options ExecCGI
<IfModule mod_access.c>
Order deny,allow
Deny from all
Allow from 127.0.0.1
#allow from .your_domain.com
</IfModule>
</Directory>
#<Directory /home/*/public_html>
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# <Limit GET POST OPTIONS PROPFIND>
# Order allow,deny
# Allow from all
# </Limit>
# <LimitExcept GET POST OPTIONS PROPFIND>
# Order deny,allow
# Deny from all
# </LimitExcept>
#</Directory>
###
### These settings are pretty flexible, and allow for Frontpage and XSSI
###
<Directory /home/jail/home*/public_html>
AllowOverride All
Options MultiViews -Indexes Includes FollowSymLinks
<IfModule mod_access.c>
Order allow,deny
Allow from all
</IfModule>
</Directory>
<Directory /home/jail/home/*/public_html/cgi-bin>
Options +ExecCGI -Includes -Indexes
SetHandler cgi-script
</Directory>
<IfModule mod_perl.c>
<Directory /home/jail/home/*/public_html/perl>
SetHandler perl-script
PerlResponseHandler ModPerl::PerlRun
Options -Indexes ExecCGI
<IfDefine MODPERL2>
PerlOptions +ParseHeaders
</IfDefine>
<IfDefine !MODPERL2>
PerlSendHeader On
</IfDefine>
</Directory>
</IfModule>
<Directory /var/www/localhost/icons>
Options -Indexes MultiViews
AllowOverride None
<IfModule mod_access.c>
Order allow,deny
Allow from all
</IfModule>
</Directory>
<Directory /usr/share/doc>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html
</IfModule>
Options Indexes FollowSymLinks
<IfModule mod_access.c>
Order deny,allow
Deny from all
Allow from 127.0.0.1
#allow from .your_domain.com
</IfModule>
</Directory>
<Location /index.shtml>
Options +Includes
</Location>
<IfModule mod_perl.c>
PerlModule Apache2::ModPerl::Registry
<Location "^/perl/*.pl>
SetHandler perl-script
<IfDefine MODPERL2>
PerlResponseHandler Apache2::ModPerl::Registry
</IfDefine>
<IfDefine !MODPERL2>
PerlResponseHandler ModPerl::Registry
</IfDefine>
Options -Indexes ExecCGI
PerlSendHeader On
</Location>
<Location /cgi-perl/*.pl>
SetHandler perl-script
PerlResponseHandler ModPerl::PerlRun
Options -Indexes ExecCGI
PerlSendHeader On
</Location>
</IfModule>
<IfModule mod_alias.c>
AliasMatch ^/manual(?:/(?:de|en|fr|ja|ko|ru))?(/.*)?$ "/var/www/localhost/htdocs/manual/$1"
</IfModule>
<Directory "/var/www/localhost/htdocs/manual">
Options Indexes
AllowOverride None
Order allow,deny
Allow from all
<Files *.html>
SetHandler type-map
</Files>
SetEnvIf Request_URI ^/manual/de/ prefer-language=de
SetEnvIf Request_URI ^/manual/en/ prefer-language=en
SetEnvIf Request_URI ^/manual/fr/ prefer-language=fr
SetEnvIf Request_URI ^/manual/ja/ prefer-language=ja
SetEnvIf Request_URI ^/manual/ko/ prefer-language=ko
SetEnvIf Request_URI ^/manual/ru/ prefer-language=ru
RedirectMatch 301 ^/manual(?:/(de|en|fr|ja|ko|ru)){2,}(/.*)?$ /manual/$1$2
</Directory>
|
Commented as much irrelevant stuff ap.
Hope you can give me some hints, or at least something.
Ever got it to work yourself?
-- Lucas
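The block for /home/jail/home/*/public_html in the config above is the one a defender should look at hardest: it is the directory tree the jailed users write to, and it carries AllowOverride All, FollowSymLinks and Includes. The following is an added example, not part of the thread and not Gentoo's own tooling: a small line-based audit (a constructed parser, not Apache's) that walks <Directory> blocks whose path contains a wildcard, i.e. per-user trees, and reports the settings that let the directory owner reach outside the tree or execute code as the server user. The sample config is constructed from the user block above plus a hardened variant of it for comparison.

```python
"""Audit Apache <Directory> blocks that cover user-writable trees.

Constructed example: a minimal line-based parser (not Apache's own config
parser) that attributes directives to the innermost open <Directory> and
flags options that matter when the directory owner is an untrusted user.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the per-user block from the thread, its cgi-bin block,
# a non-user block that the audit should ignore, and a hardened variant.
SAMPLE_CONF = """
<Directory /var/www/localhost/htdocs>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
</Directory>
<Directory /home/jail/home/*/public_html>
AllowOverride All
Options MultiViews -Indexes Includes FollowSymLinks
<IfModule mod_access.c>
Order allow,deny
Allow from all
</IfModule>
</Directory>
<Directory /home/jail/home/*/public_html/cgi-bin>
Options +ExecCGI -Includes -Indexes
SetHandler cgi-script
</Directory>
<Directory /srv/hardened/*/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews -Indexes IncludesNoExec SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
"""

_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)
_CLOSE = re.compile(r'^</Directory>$', re.IGNORECASE)

Directive = Tuple[str, List[str]]


def parse_directory_blocks(conf: str) -> Dict[str, List[Directive]]:
    """Map each <Directory> path to its (name, args) directives.

    Other containers (<IfModule>, <Files>, ...) are not modelled: their
    lines are attributed to the enclosing <Directory>. Comments and blank
    lines are skipped.
    """
    blocks: Dict[str, List[Directive]] = {}
    stack: List[str] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(m.group(1))
            blocks.setdefault(m.group(1), [])
            continue
        if _CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        if stack and not line.startswith("<"):
            parts = line.split()
            blocks[stack[-1]].append((parts[0], parts[1:]))
    return blocks


def audit_user_dir(path: str, directives: List[Directive]) -> List[str]:
    """Findings for one user-owned directory block."""
    findings: List[str] = []
    for name, args in directives:
        lname = name.lower()
        if lname == "allowoverride" and any(a.lower() == "all" for a in args):
            findings.append(f"{path}: AllowOverride All lets the owner re-enable "
                            "Options and handlers from .htaccess")
        if lname == "options":
            # "+Opt"/"Opt" enable, "-Opt" disables; keep the last word for each
            opts = {a.lstrip("+-").lower(): not a.startswith("-") for a in args}
            if opts.get("followsymlinks"):
                findings.append(f"{path}: FollowSymLinks lets symlinks point outside "
                                "the tree; prefer SymLinksIfOwnerMatch")
            if opts.get("includes"):
                findings.append(f"{path}: Includes permits <!--#exec -->; prefer "
                                "IncludesNoExec")
            if opts.get("execcgi"):
                findings.append(f"{path}: ExecCGI runs user scripts as the server "
                                "user unless suexec is configured")
    return findings


def audit_user_dirs(conf: str) -> Dict[str, List[str]]:
    """Audit every <Directory> whose path contains a '*' (per-user pattern)."""
    return {path: audit_user_dir(path, d)
            for path, d in parse_directory_blocks(conf).items() if "*" in path}


if __name__ == "__main__":
    for path, findings in audit_user_dirs(SAMPLE_CONF).items():
        print(path, "->", findings or "ok")
```

Run as-is it reports three findings for the thread's user block, one for its cgi-bin block (ExecCGI) and none for the hardened variant; the non-wildcard htdocs block is skipped because the server admin, not a jailed user, owns it.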
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Tue Mar 01, 2005 6:30 pm Post subject:
Just a quick glance - this does not seem correct.
Code: |
<Directory /home/jail/home*/public_html>
|
Acidgen n00b
Joined: 01 Mar 2005 Posts: 12
Posted: Tue Mar 01, 2005 6:31 pm Post subject: Typo
Sorry for the typo in the config above, since I had to do some editing. There is a /home/jail/home/*/ instead of the typo, of course.
A lot of editing to do.
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Tue Mar 01, 2005 6:33 pm Post subject:
Also, I cannot see DocumentRoot set anywhere...
Acidgen n00b
Joined: 01 Mar 2005 Posts: 12
Posted: Tue Mar 01, 2005 6:37 pm Post subject: DocumentRoot set is there!
DocumentRoot is almost the first thing in the config,
top line. Though IRL (my server) it's not commented.
It works if I "ln -s /home/jail/home/JAILEDUSER/public_html /var/www/localhost/htdocs"
and do a
http://myserver/public_html
For example, that is...
-- lucas
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Tue Mar 01, 2005 6:50 pm Post subject: Re: DocumentRoot set is there!
Acidgen wrote: | DocumentRoot is almost the first thing in the config,
top line. Though IRL (my server) it's not commented.
|
Please, we cannot help you like this. Remove the typos or, better, paste it as-it-is; I am just wasting my time. Two errors found, two cut'n'paste typos you say.
Acidgen wrote: |
It works if I "ln -s /home/jail/home/JAILEDUSER/public_html /var/www/localhost/htdocs"
|
That means that you have DocumentRoot (re)defined in another configuration file.
Acidgen n00b
Joined: 01 Mar 2005 Posts: 12
Posted: Tue Mar 01, 2005 7:20 pm Post subject: Found it
Problem solved.
Not in the Apache config, though; in the user's $homedir pointing to /home/jail in the jailed env.
--Lucas
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Tue Mar 01, 2005 7:45 pm Post subject: Re: Found it
Acidgen wrote: | Problem solved.
Not in the Apache config, though; in the user's $homedir pointing to /home/jail in the jailed env.
|
Could you clarify this? It does not make sense, you said
Acidgen wrote: |
I have got apache2 outside of a jail
|
in your first post. So are you saying that Apache wants the chrooted paths, not normal ones?
Acidgen n00b
Joined: 01 Mar 2005 Posts: 12
Posted: Wed Mar 02, 2005 12:52 am Post subject:
The thing is:
I want my services in the main system, outside of the chroot jail,
and users can put webpages in their /var/chroot/home/USER/public_html
and it will be displayed by Apache2 (apache2 binaries which reside outside of the jail). So
instead of /home/*/public_html as in normal cases, it uses /var/chroot/home/*/public_html.
Users are locked out and cannot touch or see the Apache conf nor anything that has to do with a webserver.
Still one problem though; Apache works fine,
BUT I also have vsftp outside of the jail, and I want vsftp to keep them in their chrooted home dir. But vsftp uses the /etc/passwd file
for pointing to the user's homedir, which in this case is handled by the /usr/sbin/jail program and a bogus home. I'll show you:
Code: | todde:x:1003:100::/var/jail/users:/usr/bin/jail |
(BOGUS HOME) (JAIL PRG)
As above, taken from the passwd, you see that I have a chroot jail in /var/jail/users
which also happens to be user "todde"'s home dir. The "REAL" home is handled by /usr/bin/jail, which reads the
/var/jail/users/etc/passwd, where the real user home is pointed to.
Then you say... why don't you change YOUR passwd so that instead of
Code: | todde:x:1003:100::/var/jail/users:/usr/bin/jail |
it uses
Code: | todde:x:1003:100::/var/jail/users/home/todde:/usr/bin/jail |
Well, THEN when the users try to connect, it says:
Code: | jail: chrooted directory /var/jail/users/home/user3 is not configuredfor jail (bad passwd file); bailing out. |
I hope you can understand, and that it's not all that cryptic.
-- Lucas
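The two-level passwd layout in this post is the crux of the whole thread: on the host, the jailed user's home is the jail root and the shell is the jail program; the user's real home is only in the jail's own /etc/passwd. Any service running outside the chroot (Apache, vsftpd) that looks the user up on the host therefore sees the jail root, and a relative `UserDir public_html` resolves to `<jail root>/public_html`, not to the user's tree. The following is an added example, not from the thread or from the jail program: constructed Python that parses both passwd files, computes the host-side path Apache actually needs, shows what the relative lookup would produce instead, and flags host entries whose home is not a configured jail root (the "bad passwd file" situation the post ends on). The passwd lines, the user `user3` and the set of jail roots are constructed sample data; `/usr/bin/jail` as the jail shell is taken from the post.

```python
"""Resolve a jailed user's home as seen from outside the chroot.

Constructed example (not part of the thread): the host /etc/passwd gives the
jail root as the user's home and /usr/bin/jail as the shell; the real home
lives in <jail root>/etc/passwd. A service on the host must use the
concatenation of the two.
"""
import posixpath
from typing import Dict, List, NamedTuple, Set


class PwEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


JAIL_SHELL = "/usr/bin/jail"  # jail login program, as in the thread

# Constructed sample data modelled on the passwd lines in the post.
# user3 has the "fixed" outer home that makes the jail program bail out.
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
todde:x:1003:100::/var/jail/users:/usr/bin/jail
user3:x:1004:100::/var/jail/users/home/user3:/usr/bin/jail
"""
JAIL_PASSWD = """\
todde:x:1003:100::/home/todde:/bin/bash
user3:x:1004:100::/home/user3:/bin/bash
"""
JAIL_ROOTS: Set[str] = {"/var/jail/users"}  # assumed: the configured jails


def parse_passwd(text: str) -> Dict[str, PwEntry]:
    """Parse passwd(5) text into a name -> entry map."""
    entries: Dict[str, PwEntry] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[f[0]] = PwEntry(f[0], int(f[2]), int(f[3]), f[5], f[6])
    return entries


def host_home(host: Dict[str, PwEntry], jail: Dict[str, PwEntry], user: str) -> str:
    """Home directory of `user` as a path on the host filesystem."""
    outer = host[user]
    if outer.shell != JAIL_SHELL:
        return outer.home  # not jailed: host passwd is authoritative
    inner = jail[user]  # KeyError if the jail's own passwd lacks the user
    return posixpath.join(outer.home, inner.home.lstrip("/"))


def naive_userdir_path(host: Dict[str, PwEntry], user: str,
                       userdir: str = "public_html") -> str:
    """What a relative `UserDir public_html` gives: host passwd home plus
    the subdirectory. For a jailed user that is under the jail root itself."""
    return posixpath.join(host[user].home, userdir)


def userdir_path(host: Dict[str, PwEntry], jail: Dict[str, PwEntry], user: str,
                 userdir: str = "public_html") -> str:
    """The path Apache on the host must serve for ~user."""
    return posixpath.join(host_home(host, jail, user), userdir)


def check_jail_entries(host: Dict[str, PwEntry], jail: Dict[str, PwEntry],
                       jail_roots: Set[str]) -> List[str]:
    """Flag host entries that use the jail shell but are inconsistent."""
    problems: List[str] = []
    for name, e in host.items():
        if e.shell != JAIL_SHELL:
            continue
        if e.home not in jail_roots:
            problems.append(f"{name}: home {e.home} is not a configured jail root")
        if name not in jail:
            problems.append(f"{name}: missing from the jail's passwd")
    return problems


if __name__ == "__main__":
    host, jail = parse_passwd(HOST_PASSWD), parse_passwd(JAIL_PASSWD)
    print("relative UserDir would serve:", naive_userdir_path(host, "todde"))
    print("host-side path to serve:     ", userdir_path(host, jail, "todde"))
    for p in check_jail_entries(host, jail, JAIL_ROOTS):
        print("problem:", p)
```

For `todde` the relative lookup lands on `/var/jail/users/public_html` while the directory Apache needs is `/var/jail/users/home/todde/public_html`, which is why the host-side services have to be told the chroot-prefixed path explicitly; `user3` is reported because its host home is the inner path rather than a jail root.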