tags 607755 wontfix
thanks

On Tuesday 21 December 2010, Daniel Hahler wrote:
> I want to use suexec-custom for a setup using mod_chroot, and
> therefore want/have to use a DocumentRoot of "/" (which is the
> root of the chroot).
>
> Unfortunately there appears to be a bug in
> debian/patches/202_suexec-custom.dpatch, function read_line, where
> trailing space and slash get removed.
> A trailing slash should not get removed here if it is the only
> char (and refers to the root directory).

This is not a bug, but intentional (see the suexec man page in the
apache2-suexec-custom package). Setting the docroot setting of suexec
to / introduces a local privilege escalation vulnerability (at least
in a non-chrooted environment). Therefore I will not lift this
restriction.

However, I do invite you to discuss with me on the debian-apache
mailing list what a reasonable chroot setup could look like. The result
could then be documented on [1] and maybe be included in README.Debian
in a future version.

I think for simple setups without cgi/fastcgi/..., the built-in
chrootdir directive should simply work (i.e. ChrootDir /var/www). For
more complicated setups, it may be better to have something like this:

The chroot in e.g. /srv/www, the html data in /srv/www/var/www, the
DocumentRoot setting in Apache as /var/www. The real /var/www outside
the chroot then must be a symlink to /srv/www/var/www. With such a
setup, you can copy stuff into the chroot in a way that all paths are
identical inside and outside of the chroot. If your webapp has some
configuration data e.g. in /etc/webapp, make that a symlink to
/srv/www/etc/webapp and put the files there.

Does this sound like it could work for you?

[1] http://wiki.debian.org/Apache/Hardening
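
Added example, not part of the original message or of the Debian packaging: a check that the layout described above really gives identical paths inside and outside the chroot. The function names and the ROOT prefix are assumptions; ROOT stands in for the real "/" so the layout can be built in a scratch directory without privileges.

```shell
#!/bin/sh
# check_mirror ROOT CHROOT PATH
# Succeeds when ROOT/PATH is a symlink that resolves to ROOT/CHROOT/PATH,
# i.e. PATH names the same directory outside and inside the chroot.
check_mirror() {
    root=$1 chroot=$2 path=$3
    outside="$root$path"
    inside="$root$chroot$path"
    [ -d "$inside" ] || { echo "missing in chroot: $inside" >&2; return 1; }
    [ -L "$outside" ] || { echo "not a symlink: $outside" >&2; return 1; }
    [ "$(readlink -f "$outside")" = "$(readlink -f "$inside")" ] ||
        { echo "wrong target: $outside" >&2; return 1; }
    echo "ok: $path"
}

# build_demo: create the layout from the message under a scratch ROOT
# (constructed sample layout) and print the ROOT directory.
build_demo() {
    d=$(mktemp -d) || return 1
    # Data lives inside the chroot (/srv/www) ...
    mkdir -p "$d/srv/www/var/www" "$d/srv/www/etc/webapp" "$d/var" "$d/etc"
    # ... and the paths outside the chroot are symlinks into it.
    ln -s "$d/srv/www/var/www" "$d/var/www"
    ln -s "$d/srv/www/etc/webapp" "$d/etc/webapp"
    echo "$d"
}

# Stand-alone run: build the layout and check both mirrored paths.
demo=$(build_demo)
check_mirror "$demo" /srv/www /var/www
check_mirror "$demo" /srv/www /etc/webapp
rm -rf "$demo"
```

On a real host the same check would be run with an empty ROOT, e.g. check_mirror "" /srv/www /var/www.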