Boa chroot mini-HOWTO
===================================================
by Liam Widdowson <lbw@telstra.com>
modified slightly by Jon Nelson <jnelson@boa.org>

The following is required to get Boa working in a chroot jail. Whilst this
README is about Solaris specifically, the principles here will apply to
other operating systems.

The following assumptions are made:

- Boa has been compiled and installed in /opt/boa
- The chroot jail will be created in /var/www
- A user and group 'www' have been created.

Make sure you change the above directories to suit your system.

Your boa.conf should look something like the following:

## begin config file

Port 80
User www
Group www

# Note, these paths are used relative to the chroot jail, i.e. /var/log is
# really /var/www/var/log
ErrorLog /var/log/error_log
AccessLog /var/log/access_log
DocumentRoot /var/www

# You won't be able to access user home directories outside of the chroot
# but you may replicate them into the chroot jail. You'll need a working
# and valid /etc/passwd as well
UserDir public_html

DirectoryIndex index.html

# this binary must exist in the chroot jail. Again, the path is relative.
DirectoryMaker /usr/bin/boa_indexer

KeepAliveMax 1000
KeepAliveTimeout 10

# this file must exist inside AND outside the chroot jail.
MimeTypes /opt/boa/mime.types

DefaultType text/plain

## end config file

Once the configuration file is created, you must begin creating your
chroot jail. A variety of libraries, timezone files, device files and other
bits and pieces must be copied in order for this to work. Below is an ls -lR
of what your jail should be at a minimum:

.:
total 10
drwxr-xr-x 2 root other 512 Jan 21 18:58 dev
drwxr-xr-x 2 root other 512 Jan 21 19:20 etc
drwxr-xr-x 3 root other 512 Jan 21 19:20 opt
drwxr-xr-x 5 root other 512 Jan 21 19:08 usr
drwxr-xr-x 4 root other 512 Jan 21 18:57 var

./dev:
total 0
crw-rw-rw- 1 root other 13, 2 Jan 21 18:58 null
crw-rw-rw- 1 root other 41, 0 Jan 21 18:58 udp

./etc:
total 16
-r-xr-xr-x 1 root other 482 Jan 21 19:20 TIMEZONE
-r--r--r-- 1 root other 74 Jan 21 19:20 hosts
-rw-r--r-- 1 root other 1239 Jan 21 19:20 netconfig
-rw-r--r-- 1 root other 1298 Jan 21 19:20 nsswitch.conf
-r--r--r-- 1 root other 514 Jan 21 19:44 passwd
-rw-r--r-- 1 root other 94 Jan 21 19:20 resolv.conf
drwx------ 2 root other 512 Jan 21 19:20 boa

./boa:
total 4
-rw-r--r-- 1 root other 1234 Jan 21 19:26 boa.conf

./opt:
total 2
drwxr-xr-x 2 root other 512 Jan 21 19:26 boa

./opt/boa:
total 20
-rw-r--r-- 1 root other 9964 Jan 21 19:26 mime.types

./usr:
total 6
drwxr-xr-x 2 root other 512 Jan 21 19:21 bin
drwxr-xr-x 2 root other 512 Jan 21 19:03 lib
drwxr-xr-x 3 root other 512 Jan 21 19:08 share

./usr/bin:
total 18
-rwxr-xr-x 1 root other 8944 Jan 21 19:23 boa_indexer

./usr/lib:
total 5094
-rwxr-xr-x 1 root other 185020 Jan 21 19:03 ld.so.1
-rwxr-xr-x 1 root other 1126652 Jan 21 18:56 libc.so.1
-rwxr-xr-x 1 root other 4308 Jan 21 18:56 libdl.so.1
-rwxr-xr-x 1 root other 24968 Jan 21 18:56 libmp.so.2
-rwxr-xr-x 1 root other 883500 Jan 21 18:56 libnsl.so.1
-rwxr-xr-x 1 root other 265860 Jan 21 18:56 libresolv.so.2
-rwxr-xr-x 1 root other 70260 Jan 21 18:56 libsocket.so.1

./usr/share:
total 2
drwxr-xr-x 3 root other 512 Jan 21 19:08 lib

./usr/share/lib:
total 2
drwxr-xr-x 3 root other 512 Jan 21 19:08 zoneinfo

./usr/share/lib/zoneinfo:
total 2
drwxr-xr-x 2 root other 512 Jan 21 19:09 Australia

./usr/share/lib/zoneinfo/Australia:
total 22
-rw-r--r-- 1 root other 785 Jan 21 19:09 ACT
-rw-r--r-- 1 root other 785 Jan 21 19:09 Broken_Hill
-rw-r--r-- 1 root other 663 Jan 21 19:09 LHI
-rw-r--r-- 1 root other 785 Jan 21 19:09 NSW
-rw-r--r-- 1 root other 104 Jan 21 19:09 North
-rw-r--r-- 1 root other 160 Jan 21 19:09 Queensland
-rw-r--r-- 1 root other 785 Jan 21 19:09 South
-rw-r--r-- 1 root other 825 Jan 21 19:09 Tasmania
-rw-r--r-- 1 root other 785 Jan 21 19:09 Victoria
-rw-r--r-- 1 root other 150 Jan 21 19:09 West
-rw-r--r-- 1 root other 785 Jan 21 19:09 Yancowinna

./var:
total 4
drwxr-xr-x 2 www www 512 Jan 21 19:44 log
drwxr-xr-x 2 root other 512 Jan 21 18:57 www

./var/log:
total 4
-rw-r--r-- 1 root other 202 Jan 21 19:47 access_log
-rw-r--r-- 1 root other 590 Jan 21 19:49 error_log

./var/www:
total 0

Note that your boa binary should be kept outside of the chroot jail, as
it is not required inside it.

The command line issued to boa requires "-r /var/www", which tells
boa to chroot to /var/www before it does anything else, including
reading its configuration file.

That's all that's required. Start your new chrooting boa up and enjoy!
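
A pre-start check for the jail described above, as an added example that is
not part of the original HOWTO or of the Boa distribution. It verifies that
every path named in boa.conf exists inside the jail, that no file named boa
has been copied in, and that nothing in the jail is world-writable. The
function name check_jail and the finding labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Boa distribution): audit a chroot jail
# against the boa.conf that boa will read after chroot().
# Usage: check_jail JAIL_ROOT CONF_FILE
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
check_jail() {
    jail=$1; conf=$2; rc=0
    while read -r key val _; do
        case $key in
            # Paths that must exist inside the jail.
            DocumentRoot|DirectoryMaker|MimeTypes) ;;
            # The log directory must exist in the jail for logs to be opened.
            ErrorLog|AccessLog) val=$(dirname "$val") ;;
            # UserDir needs a passwd file inside the jail.
            UserDir) val=/etc/passwd ;;
            *) continue ;;
        esac
        if [ ! -e "$jail$val" ]; then
            echo "MISSING $key: $jail$val"; rc=1
        elif [ "$key" = DirectoryMaker ] && [ ! -x "$jail$val" ]; then
            echo "NOT-EXECUTABLE $key: $jail$val"; rc=1
        fi
    done < "$conf"
    # The HOWTO keeps the boa binary itself outside the jail.
    bad=$(find "$jail" -type f -name boa)
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/BINARY-IN-JAIL /'; rc=1
    fi
    # World-writable files or directories can be changed by the 'www' user.
    bad=$(find "$jail" \( -type f -o -type d \) -perm -0002)
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/WORLD-WRITABLE /'; rc=1
    fi
    return $rc
}

# Direct use: sh check_jail.sh /var/www /var/www/etc/boa/boa.conf
if [ "$#" -ge 2 ]; then check_jail "$@"; fi
```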