Boa chroot mini-HOWTO
===================================================
by Liam Widdowson <lbw@telstra.com>
modified slightly by Jon Nelson <jnelson@boa.org>

The following is required to get Boa working in a chroot jail. Whilst this
README is about Solaris specifically, the principles here will apply to
other operating systems.

The following assumptions are made:

- Boa has been compiled and installed in /opt/boa
- The chroot jail will be created in /var/www
- A user and group 'www' have been created.

Make sure you change the above directories to suit your system.

Your boa.conf should look something like the following:

## begin config file

Port 80
User www
Group www

# Note, these paths are used relative to the chroot jail, i.e. /var/log is
# really /var/www/var/log
ErrorLog /var/log/error_log
AccessLog /var/log/access_log
DocumentRoot /var/www

# You won't be able to access user home directories outside of the chroot
# but you may replicate them into the chroot jail. You'll need a working
# and valid /etc/passwd as well
UserDir public_html

DirectoryIndex index.html

# this binary must exist in the chroot jail. Again, the path is relative.
DirectoryMaker /usr/bin/boa_indexer

KeepAliveMax 1000
KeepAliveTimeout 10

# this file must exist inside AND outside the chroot jail.
MimeTypes /opt/boa/mime.types

DefaultType text/plain

## end config file

Once the configuration file is created, you must begin creating your
chroot jail. A variety of libraries, timezone files, device files and other
bits and pieces must be copied in order for this to work. Below is an ls -lR
of what your jail should be at a minimum:

.:
total 10
drwxr-xr-x 2 root other     512 Jan 21 18:58 dev
drwxr-xr-x 2 root other     512 Jan 21 19:20 etc
drwxr-xr-x 3 root other     512 Jan 21 19:20 opt
drwxr-xr-x 5 root other     512 Jan 21 19:08 usr
drwxr-xr-x 4 root other     512 Jan 21 18:57 var

./dev:
total 0
crw-rw-rw- 1 root other   13, 2 Jan 21 18:58 null
crw-rw-rw- 1 root other   41, 0 Jan 21 18:58 udp

./etc:
total 16
-r-xr-xr-x 1 root other     482 Jan 21 19:20 TIMEZONE
-r--r--r-- 1 root other      74 Jan 21 19:20 hosts
-rw-r--r-- 1 root other    1239 Jan 21 19:20 netconfig
-rw-r--r-- 1 root other    1298 Jan 21 19:20 nsswitch.conf
-r--r--r-- 1 root other     514 Jan 21 19:44 passwd
-rw-r--r-- 1 root other      94 Jan 21 19:20 resolv.conf
drwx------ 2 root other     512 Jan 21 19:20 boa

./etc/boa:
total 4
-rw-r--r-- 1 root other    1234 Jan 21 19:26 boa.conf

./opt:
total 2
drwxr-xr-x 2 root other     512 Jan 21 19:26 boa

./opt/boa:
total 20
-rw-r--r-- 1 root other    9964 Jan 21 19:26 mime.types

./usr:
total 6
drwxr-xr-x 2 root other     512 Jan 21 19:21 bin
drwxr-xr-x 2 root other     512 Jan 21 19:03 lib
drwxr-xr-x 3 root other     512 Jan 21 19:08 share

./usr/bin:
total 18
-rwxr-xr-x 1 root other    8944 Jan 21 19:23 boa_indexer

./usr/lib:
total 5094
-rwxr-xr-x 1 root other  185020 Jan 21 19:03 ld.so.1
-rwxr-xr-x 1 root other 1126652 Jan 21 18:56 libc.so.1
-rwxr-xr-x 1 root other    4308 Jan 21 18:56 libdl.so.1
-rwxr-xr-x 1 root other   24968 Jan 21 18:56 libmp.so.2
-rwxr-xr-x 1 root other  883500 Jan 21 18:56 libnsl.so.1
-rwxr-xr-x 1 root other  265860 Jan 21 18:56 libresolv.so.2
-rwxr-xr-x 1 root other   70260 Jan 21 18:56 libsocket.so.1

./usr/share:
total 2
drwxr-xr-x 3 root other     512 Jan 21 19:08 lib

./usr/share/lib:
total 2
drwxr-xr-x 3 root other     512 Jan 21 19:08 zoneinfo

./usr/share/lib/zoneinfo:
total 2
drwxr-xr-x 2 root other     512 Jan 21 19:09 Australia

./usr/share/lib/zoneinfo/Australia:
total 22
-rw-r--r-- 1 root other     785 Jan 21 19:09 ACT
-rw-r--r-- 1 root other     785 Jan 21 19:09 Broken_Hill
-rw-r--r-- 1 root other     663 Jan 21 19:09 LHI
-rw-r--r-- 1 root other     785 Jan 21 19:09 NSW
-rw-r--r-- 1 root other     104 Jan 21 19:09 North
-rw-r--r-- 1 root other     160 Jan 21 19:09 Queensland
-rw-r--r-- 1 root other     785 Jan 21 19:09 South
-rw-r--r-- 1 root other     825 Jan 21 19:09 Tasmania
-rw-r--r-- 1 root other     785 Jan 21 19:09 Victoria
-rw-r--r-- 1 root other     150 Jan 21 19:09 West
-rw-r--r-- 1 root other     785 Jan 21 19:09 Yancowinna

./var:
total 4
drwxr-xr-x 2 www  www       512 Jan 21 19:44 log
drwxr-xr-x 2 root other     512 Jan 21 18:57 www

./var/log:
total 4
-rw-r--r-- 1 root other     202 Jan 21 19:47 access_log
-rw-r--r-- 1 root other     590 Jan 21 19:49 error_log

./var/www:
total 0

Note that your boa binary should be kept outside of the chroot jail, as
it is not required inside it.

The command line issued to boa requires "-r /var/www", which tells
boa to chroot to /var/www before it does anything else, including
reading its configuration file.
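
As an added example (not part of the original HOWTO or of Boa), the following
POSIX shell function audits a jail against the layout above: the paths the
sample boa.conf refers to exist, no boa binary sits inside the jail, and
nothing outside var/log is owned by the service user or world-writable. The
names audit_jail and count_lines, the output labels and the etc/boa/boa.conf
location (taken from the listing's etc/boa directory) are assumptions.

```shell
#!/bin/sh
# Added example: audit a Boa chroot jail against the layout in this HOWTO.
# Paths come from the HOWTO; audit_jail and its three rules are assumptions.

# Entries the sample boa.conf and listing need, relative to the jail root.
REQUIRED="etc/passwd etc/boa/boa.conf opt/boa/mime.types
usr/bin/boa_indexer var/log var/www"

# Print the number of lines in $1 (one path per line), 0 if it is empty.
count_lines() {
    [ -z "$1" ] && { echo 0; return; }
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

# audit_jail JAIL SERVICE_USER
# Prints one line per finding; the return status is the number of findings.
audit_jail() {
    jail=${1%/} user=$2 findings=0

    # 1. Every path the configuration refers to must exist inside the jail.
    for rel in $REQUIRED; do
        if [ ! -e "$jail/$rel" ]; then
            echo "MISSING  /$rel"
            findings=$((findings + 1))
        fi
    done

    # 2. The boa server binary is not needed in the jail; flag any copy of it.
    hits=$(find "$jail" -type f -name boa -print)
    [ -n "$hits" ] && printf '%s\n' "$hits" | sed 's/^/BINARY   /'
    findings=$((findings + $(count_lines "$hits")))

    # 3. Outside var/log, no file or directory may be owned by the service
    #    user or be world-writable (device nodes like dev/null are skipped).
    loose=$(find "$jail" -path "$jail/var/log" -prune -o \
        \( -type f -o -type d \) \( -user "$user" -o -perm -0002 \) -print)
    [ -n "$loose" ] && printf '%s\n' "$loose" | sed 's/^/WRITABLE /'
    findings=$((findings + $(count_lines "$loose")))

    return "$findings"
}
```

With the HOWTO's paths it would be called as: audit_jail /var/www www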

That's all that's required. Start your new chrooting boa up and enjoy!