> I'm trying to jail mediawiki on Linux by using the unshare support in
> uwsgi.
>
> I want to set up the chroot in /srv/mediawiki, which has /app /var /proc
> /dev directories. MediaWiki is installed from a package in
> /usr/share/webapps/mediawiki, and I try to bind mount that to /app.
>
>
> Following are my uwsgi config file and the output of uwsgi when started.
> The second mount in exec-post-jail always fails.
>
>
> [uwsgi]
> # todo user,net
> unshare = mount,uts,ipc,pid
>
> exec-post-jail = mount /usr/share/zoneinfo %d/usr/share/zoneinfo -o bind,ro
> exec-post-jail = mount /usr/share/webapps/mediawiki %d/app -o bind,ro
>
> uid=1000
> gid=1000
> chroot = %d
>
> force-cwd = /
> chdir = /
> honour-stdin = true
> drop-after-init = true
>
> plugin = php
> php-set = date.timezone=Europe/Skopje
>
> php-docroot = %d/app
> php-index  = index.php
> php-allowed-ext=.php
> php-allowed-ext=.inc
>
> master=true
> processes=4
> cheaper = 1
>
> http = :8989
> http-modifier1 = 14
>
> [uWSGI] getting INI configuration from /srv/mediawiki/uwsgi2.ini
> open("./php_plugin.so"): No such file or directory [core/utils.c line 3345]
> !!! UNABLE to load uWSGI plugin: ./php_plugin.so: cannot open shared object file: No such file or directory !!!
> *** Starting uWSGI 1.9.16-dev-c05e064 (64bit) on [Thu Sep  5 14:34:08 2013] ***
> compiled with version: 4.8.1 20130725 (prerelease) on 05 September 2013 14:04:55
> os: Linux-3.10.10-1-ARCH #1 SMP PREEMPT Fri Aug 30 11:30:06 CEST 2013
> nodename: archless
> machine: x86_64
> clock source: unix
> pcre jit disabled
> detected number of CPU cores: 2
> current working directory: /srv/mediawiki
> detected binary path: /home/damjan/src/uwsgi-git/uwsgi
> your processes number limit is 29076
> your memory page size is 4096 bytes
> detected max file descriptor number: 100000
> lock engine: pthread robust mutexes
> *** RRDtool library available at 0x152bcc0 ***
> uWSGI http bound on :8989 fd 4
> uwsgi socket 0 bound to TCP address 127.0.0.1:47568 (port auto-assigned) fd 3
> PHP 5.5.3 initialized
> uWSGI running as root, you can use --uid/--gid/--chroot options
> [linux-namespace] applied unshare() mask: 738328576
> running "mount /usr/share/zoneinfo /srv/mediawiki//usr/share/zoneinfo -o bind,ro" (post-jail)...
> running "mount /usr/share/webapps/mediawiki /srv/mediawiki//app -o bind,ro" (post-jail)...
> command "mount /usr/share/webapps/mediawiki /srv/mediawiki//app -o bind,ro" exited with non-zero code: -1
>
> --
> damjan
> _______________________________________________
> uWSGI mailing list
> [email protected]
> http://lists.unbit.it/cgi-bin/mailman/listinfo/uwsgi
>

The pid namespace is special, as it will really start working after a fork().

To avoid messy tricks, uWSGI exposes the --refork option, which calls a fork()
soon after failing.

This is not needed if you spawn the instance as a vassal from the emperor
with the new --emperor-use-clone option (check the latest changelog).

Take into account that I am heavily working on new hooks; the documentation is here:

https://github.com/unbit/uwsgi-docs/blob/master/Hooks.rst

(it should be complete in a couple of hours)

By the way, a working setup (regarding namespaces + new hooks) is the following:

[uwsgi]
unshare = fs


; make the mount tree unshared (it is needed with systemd)
mount-post-jail = none none / recursive,private
; mount the docroot as /app
mount-post-jail = none /var/www/uwsgi/phproot /app bind
; prepare for pivot_root
if-not-exists = /var/www/uwsgi/phproot/.old_root
  exec-post-jail = mkdir /app/.old_root
endif =
; change the root filesystem (pivot_root is a smarter chroot)
pivot-root = /app /app/.old_root

; mount proc
mount-as-root = proc none /proc
; unmount the old tree
umount-as-root = /.old_root recursive


The problem with your setup is that you do not have the mount command
after the chroot. Using the mount hooks, the problem is solved.

If you are interested, the "advanced hooks mode" is:

[uwsgi]
unshare = fs

; make the mount tree unshared (it is needed with systemd)
hook-post-jail = mount:none none / recursive,private
hook-post-jail = mount:none /var/www/uwsgi/phproot /app bind
if-not-exists = /var/www/uwsgi/phproot/.old_root
  hook-post-jail = exec:mkdir /app/.old_root
endif =
pivot-root = /app /app/.old_root

hook-as-root = mount:proc none /proc
hook-as-root = umount:/.old_root recursive

hook-as-user = print:ciao


-- 
Roberto De Ioris
http://unbit.it
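A root-free preflight for exec-style post-jail hooks, added here as an example; it is not code from the thread or from uWSGI. Roberto's diagnosis is that an exec-post-jail command runs after the chroot, so the `mount` binary and every path in its arguments are resolved inside the jail. The script below checks, without mounting anything, whether such a command line would still resolve there. It assumes that a bare command name is looked up in the conventional directories listed in JAIL_PATH inside the chroot; the function name `check_hook` and the JAIL_PATH list are this example's own.

```shell
#!/bin/sh
# Added example, not part of the uWSGI thread or project.
# Preflight for exec-post-jail hooks: once the chroot is applied, the hook's
# command and its path arguments are resolved inside the jail. This checks,
# with no root and no mount(2) calls, that they would resolve there.
# Assumption: a bare command name is searched in these directories inside the jail.
JAIL_PATH="/bin /sbin /usr/bin /usr/sbin"

# check_hook CHROOT COMMAND [ARG...]
# Prints one line per path that does not exist under CHROOT.
# Returns 0 when the executable and every absolute-path argument resolve
# inside the jail, 1 otherwise.
check_hook() {
    root=$1; shift
    cmd=$1; shift
    rc=0

    # The executable itself, as seen from inside the jail.
    case $cmd in
        /*)
            [ -x "$root$cmd" ] || { echo "missing executable: $root$cmd"; rc=1; }
            ;;
        *)
            found=0
            for dir in $JAIL_PATH; do
                if [ -x "$root$dir/$cmd" ]; then found=1; break; fi
            done
            [ "$found" -eq 1 ] || { echo "executable '$cmd' not on PATH inside $root"; rc=1; }
            ;;
    esac

    # Every absolute argument (bind source, target, ...) must exist in the jail.
    # Option words such as "-o" and "bind,ro" are not paths and are skipped.
    for arg in "$@"; do
        case $arg in
            /*) [ -e "$root$arg" ] || { echo "missing path: $root$arg"; rc=1; } ;;
        esac
    done
    return $rc
}

# Command-line use: preflight.sh CHROOT COMMAND [ARG...]
# e.g. sh preflight.sh /srv/mediawiki mount /usr/share/webapps/mediawiki /app -o bind,ro
if [ "$#" -ge 2 ]; then
    check_hook "$@"
fi
```

Run it against the hook lines from the original config with the chroot as first argument. Because %d expands on the host to /srv/mediawiki/, a target written as %d/app is checked as /srv/mediawiki//app inside the jail, and a jail that only contains /app is reported as missing that path; a jail without a mount binary (or without the shared libraries a dynamically linked mount needs, which this script does not inspect) is reported as missing the executable. Both findings point at the same conclusion the reply reaches: let uWSGI do the mount itself via mount-post-jail or hook-post-jail instead of exec'ing mount inside the jail.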
