nixCraft Linux Forum

lighty: mysql issue when chroot enabled

#1 TECK, 11-01-2007, 03:34 PM

Problem fixed, thanks to the Linux God, Vivek!

Thanks for your help.

Last edited by TECK; 11-03-2007 at 05:09 AM.

#2 nixcraft, 11-02-2007, 12:23 AM

Did you follow the following tutorial?
Lighttpd install perl, mysql support in chrooted jail

Can you tell me your distro name?

#3 TECK, 11-02-2007, 03:14 AM

Thanks for the reply, Vivek. I run a CentOS 5 box.
The steps listed in the first post are the only ones I performed.
All files/dirs are owned by root:root except the log lighty files (lighttpd:lighttpd).
SELinux is enabled.
PHP and MySQL are on the same partition.

The chrooted phpinfo:
phpinfo()

The "missing" library:
Code:
[root@localhost ~]# locate libmysqlclient.so.15
/srv/usr/lib/mysql/libmysqlclient.so.15
/usr/lib/mysql/libmysqlclient.so.15
/usr/lib/mysql/libmysqlclient.so.15.0.0
My lighty configuration:
Code:
# lighttpd configuration file
#
# use it as a base for lighttpd 1.0.0 and above
#
# $Id: lighttpd.conf,v 1.7 2004/11/03 22:26:05 weigon Exp $

server.modules = (
	"mod_rewrite",
#	"mod_redirect",
#	"mod_alias",
	"mod_access",
#	"mod_cml",
#	"mod_trigger_b4_dl",
#	"mod_auth",
	"mod_status",
#	"mod_setenv",
	"mod_fastcgi",
#	"mod_proxy",
#	"mod_simple_vhost",
#	"mod_evhost",
#	"mod_userdir",
#	"mod_cgi",
#	"mod_compress",
#	"mod_ssi",
#	"mod_usertrack",
#	"mod_expire",
#	"mod_secdownload",
#	"mod_rrdtool",
	"mod_accesslog"
)

server.port					= 80
server.username				= "lighttpd"
server.groupname			= "lighttpd"
server.tag					= "lighttpd"

server.chroot				= "/srv"
server.pid-file				= "/var/run/lighttpd.pid"
server.document-root		= "/var/www/html/"
server.errorlog				= "/var/log/lighttpd/error.log"
accesslog.filename			= "/var/log/lighttpd/access.log"

#server.bind				= "grisu.home.kneschke.de"
#server.error-handler-404	= "/error-handler.html"
#server.error-handler-404	= "/error-handler.php"

index-file.names = (
	"index.php",
	"index.html",
	"index.htm",
	"default.htm"
)

mimetype.assign = (
	".pdf"		=> "application/pdf",
	".sig"		=> "application/pgp-signature",
	".spl"		=> "application/futuresplash",
	".class"	=> "application/octet-stream",
	".ps"		=> "application/postscript",
	".torrent"	=> "application/x-bittorrent",
	".dvi"		=> "application/x-dvi",
	".gz"		=> "application/x-gzip",
	".pac"		=> "application/x-ns-proxy-autoconfig",
	".swf"		=> "application/x-shockwave-flash",
	".tar.gz"	=> "application/x-tgz",
	".tgz"		=> "application/x-tgz",
	".tar"		=> "application/x-tar",
	".zip"		=> "application/zip",
	".mp3"		=> "audio/mpeg",
	".m3u"		=> "audio/x-mpegurl",
	".wma"		=> "audio/x-ms-wma",
	".wax"		=> "audio/x-ms-wax",
	".ogg"		=> "application/ogg",
	".wav"		=> "audio/x-wav",
	".gif"		=> "image/gif",
	".jpg"		=> "image/jpeg",
	".jpeg"		=> "image/jpeg",
	".png"		=> "image/png",
	".xbm"		=> "image/x-xbitmap",
	".xpm"		=> "image/x-xpixmap",
	".xwd"		=> "image/x-xwindowdump",
	".css"		=> "text/css",
	".html"		=> "text/html",
	".htm"		=> "text/html",
	".js"		=> "text/javascript",
	".asc"		=> "text/plain",
	".c"		=> "text/plain",
	".cpp"		=> "text/plain",
	".log"		=> "text/plain",
	".conf"		=> "text/plain",
	".text"		=> "text/plain",
	".txt"		=> "text/plain",
	".dtd"		=> "text/xml",
	".xml"		=> "text/xml",
	".mpeg"		=> "video/mpeg",
	".mpg"		=> "video/mpeg",
	".mov"		=> "video/quicktime",
	".qt"		=> "video/quicktime",
	".avi"		=> "video/x-msvideo",
	".asf"		=> "video/x-ms-asf",
	".asx"		=> "video/x-ms-asf",
	".wmv"		=> "video/x-ms-wmv",
	".bz2"		=> "application/x-bzip",
	".tbz"		=> "application/x-bzip-compressed-tar",
	".tar.bz2"	=> "application/x-bzip-compressed-tar"
)

mimetype.use-xattr			= "enable"
url.access-deny				= ("~", ".inc")

$HTTP["remoteip"] == "127.0.0.0/8" {
	status.status-url		= "/server-status"
}

$HTTP["url"] =~ "\.pdf$" {
	server.range-requests	= "disable"
}

$HTTP["host"] =~ "192.168.1.3" {
	url.rewrite-once = (
		"^/?$"				=> "/wp/index.php",
		"^/wp/(wp-.+)$"		=> "$0",
		"^/wp/xmlrpc.php"	=> "$0",
		"^/wp/sitemap.xml"	=> "$0",
		"^/wp/(.+)/?$"		=> "/wp/index.php/$1"
	)
}

static-file.exclude-extensions	= (".php", ".pl", ".fcgi")

fastcgi.server = (
	".php" => (
		"localhost" => (
			"socket"	=> "/tmp/php-fastcgi.sock",
			"bin-path"	=> "/usr/bin/php-cgi",
			"max-procs"	=> 2,
			"bin-environment" => (
				"PHP_FCGI_CHILDREN"		=> "16",
				"PHP_FCGI_MAX_REQUESTS"	=> "10000"
			),
			"bin-copy-environment"	=> ("PATH", "SHELL", "USER"),
			"broken-scriptfilename"	=> "enable"
		)
	)
)

Last edited by TECK; 11-02-2007 at 03:21 AM.

#4 nixcraft, 11-02-2007, 11:02 AM

Copy /etc/ld.so* files to chrooted dir:
Code:
cp -avr /etc/ld.so.c* /srv/etc/
Restart lighttpd and test it again. This is what I have in my CentOS box:
Code:
-rw-r--r-- 1 root root    83 Jul 13 15:52 hosts
-rw-r--r-- 1 root root 44038 Jul 13 16:09 ld.so.cache
-rw-r--r-- 1 root root    28 Jul 13 16:09 ld.so.conf
drwxr-xr-x 2 root root  4096 Jul 10 08:50 ld.so.conf.d
-rw-r--r-- 1 root root  1623 Jul 13 15:52 nsswitch.conf
drwxr-xr-x 2 root root  4096 Jul 13 18:17 php.d
-rw-r--r-- 1 root root 45425 Sep 20 05:52 php.ini
-rw-r--r-- 1 root root    96 Jul 13 15:52 resolv.conf

#5 TECK, 11-03-2007, 05:16 AM

That did it, thanks a lot Vivek.
Besides your files, I have 2 extra files (localtime and service).

Should I toss them?

Also, one last thing to solve the puzzle.
I cannot make a hard link to /dev/zero, because we are dealing with different mounts.
How would you create a /srv/dev/zero file in this case?
For the /srv/tmp, I'm going to put this in fstab:
Code:
tmpfs /srv/tmp	tmpfs	nodev,noexec,nosuid,mode=1777	0 0

Last edited by TECK; 11-03-2007 at 05:45 AM.

#6 TECK, 11-03-2007, 07:57 AM

I still have a problem, Vivek.
For some reason, I get this error:
Code:
2007-11-02 22:25:21: (mod_fastcgi.c.2462) unexpected end-of-file (perhaps the fastcgi process died): pid: 6490 socket: unix:/tmp/php-fastcgi.sock-1 
2007-11-02 22:25:21: (mod_fastcgi.c.3254) response not received, request sent: 1640 on socket: unix:/tmp/php-fastcgi.sock-1 for /forum/login.php , closing connection

Let me disable XCache to see what happens. I also noticed that if I try to access the XCache admin directory, I get a 500 error page.

Edit: Ya, that is the problem... XCache is freaking out.
Once I disable it, everything is back to normal, the site works perfectly.
Could be because I disabled the /dev/zero, until I get a solution from you?
Code:
;xcache.mmap_path				= "/dev/zero"
xcache.mmap_path				= ""
I need a /srv/dev/zero file, doing a hard link won't help me, since we deal with different partitions.
Help!

Last edited by TECK; 11-03-2007 at 08:03 AM.

#7 nixcraft, 11-03-2007, 02:29 PM

I don't use xcache, I'm using zend optimizer

Back to topic, create node with
Code:
mkdir /srv/dev
mknod -m 666 /srv/dev/zero c 1 5
Test it out, also copy all shared libs used by xcache. Remember error 500 means /dev/files and shared libs missing.

#8 TECK, 11-04-2007, 09:35 AM

Everything is all nice and dandy, Vivek.
Making the node solved the problem.

So far, the only things I still battle with are:

1. Every time I reboot, I have to do a hard link to the /var/lib/mysql/mysql.sock file:
Code:
ln /var/lib/mysql/mysql.sock /srv/var/lib/mysql/mysql.sock
I tried to add it into init.d mysqld start() function, but this is a very cheap method, and it does not work. Do you have an elegant solution for me?

Other than that, everything works 100%.
If you could help me with the last problem, it will be really appreciated.

Last edited by TECK; 11-04-2007 at 09:52 AM.

#9 TECK, 11-04-2007, 09:41 AM

I forgot to mention one thing. I chattr'ed the key files in /srv/etc directory.
My group file looks like:
Code:
root:x:0:root
mysql:x:27:
lighttpd:x:101:
and my passwd file is:
Code:
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
lighttpd:x:100:101:Web Server:/var/www:/sbin/nologin
I have the /srv/var/lib/mysql directory chowned by mysql.
As you noticed, I don't use the default RPMs, I built my own, with custom directories/locations, so it is less predictable for hackers to gain access to key areas.

Last edited by TECK; 11-04-2007 at 10:14 AM.

#10 rockdalinux, 11-12-2007, 07:11 PM

Quote:
Originally Posted by TECK
Code:
ln /var/lib/mysql/mysql.sock /srv/var/lib/mysql/mysql.sock
I tried to add it into init.d mysqld start() function, but this is a very cheap method, and it does not work. Do you have an elegant solution for me?

Add the ln command to the /etc/rc.local file, and make sure mysql gets started before /etc/rc.local
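
A jail audit for the three failures worked through in this thread (libraries missing under the chroot, the /dev/zero node, and the mysql.sock hard link that has to be redone after a reboot), as an added example that is not code from any poster. The function names and the sample ldd output are constructed, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit a chroot jail for the three problems in this thread.
# JAIL (/srv) and the socket paths mirror the thread; the ldd text is constructed.

# missing_libs JAIL: reads `ldd` output on stdin and prints every library
# path that has no copy under JAIL.
missing_libs() {
    jail=$1
    while read -r name arrow path rest; do
        case $name in
            /*) lib=$name ;;                      # "/lib/ld-linux.so.2 (0x..)"
            *)  [ "$arrow" = "=>" ] || continue   # "libx.so => /path (0x..)"
                case $path in /*) lib=$path ;; *) continue ;; esac ;;
        esac
        [ -e "$jail$lib" ] || printf '%s\n' "$lib"
    done
}

# check_node PATH MAJOR MINOR: true only for a character device with those
# numbers (GNU stat prints them in hex via %t and %T).
check_node() {
    [ -c "$1" ] || return 1
    [ "$(stat -c '%t:%T' "$1")" = "$(printf '%x:%x' "$2" "$3")" ]
}

# same_inode A B: true when both names are hard links to one file. After the
# original is removed and recreated, an old hard link no longer matches.
same_inode() {
    [ -e "$1" ] && [ -e "$2" ] &&
    [ "$(stat -c '%d:%i' "$1")" = "$(stat -c '%d:%i' "$2")" ]
}

# Constructed sample of `ldd /usr/bin/php-cgi` output (not from the thread).
sample_ldd() {
    cat <<'EOF'
	linux-gate.so.1 =>  (0x00110000)
	libmysqlclient.so.15 => /usr/lib/mysql/libmysqlclient.so.15 (0x00b5d000)
	libc.so.6 => /lib/libc.so.6 (0x00a0a000)
	/lib/ld-linux.so.2 (0x009eb000)
EOF
}

# Demo: which of the sample's libraries are absent from the jail?
sample_ldd | missing_libs "${JAIL:-/srv}"
# On a real host: ldd /usr/bin/php-cgi | missing_libs /srv
#   check_node /srv/dev/zero 1 5 || echo "bad /srv/dev/zero"
#   same_inode /var/lib/mysql/mysql.sock /srv/var/lib/mysql/mysql.sock
```

Run ldd only on binaries you trust, since it can execute code from the file it inspects.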