Bug #1792

virtual hosts and chroot security flaw

Added by Anonymous almost 11 years ago. Updated almost 11 years ago.

Status: Invalid
Priority: Normal
Assignee: -
Category: core
% Done: 0%

Description

Hi,
I use lighttpd in a chroot jail for security reasons.
Until today I had only one server running in the /srv/httpd jail directory;
this server runs a CGI C++ program to create content.

Today I had to set up 2 virtual hosts, let's say host1.org and host2.org,
so what I wanted to do was set a server.chroot option in each virtual host section... this totally broke the server, which ended up chrooted in the last server.chroot option (i.e. the last vhost).

Right now I have fixed this by using server.chroot=/srv/httpd and different document roots...

However, since I use a CGI program, this program can access other virtual hosts' documents... which I don't want...

I would like to be able to specify a chroot for each virtual host. How can I do that?

Thanks
JLM

-- jeanluc.malet

History

#1

Updated by stbuehler almost 11 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

  1. this is a bug tracker, not a support forum
  2. one process can only have one chroot

#2

Updated by hoffie almost 11 years ago

--- too slow ---

You cannot do that. Lighttpd is a single-process web server, and a process only has one root (i.e. calling chroot() will affect the whole process). This is nothing which lighttpd can influence, it's a design "limitation" (or rather decision) in unix-like systems.

If you really need privilege separation on the web server level, use multiple lighttpd instances. If you need it on the dynamic (i.e. *CGI) level only, you can use techniques like switchboard or hack up a custom spawn-fcgi-based script.

All in all, this is not a lighttpd issue.
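
The multiple-instances approach from comment #2, as an added example that is not part of the original thread or lighttpd's own shipped configuration: one lighttpd process per virtual host, each with its own server.chroot and its own unprivileged account. The config file paths, jail directories, account names and 192.0.2.x addresses are constructed assumptions.

```conf
# ---- /etc/lighttpd/host1.conf (constructed path) ----
# Start as root with: lighttpd -f /etc/lighttpd/host1.conf
# Root is needed for chroot(); the process then drops to the account below.
server.modules       = ( "mod_cgi" )
server.chroot        = "/srv/httpd/host1"   # jail for this process only
server.username      = "www-host1"          # assumed dedicated account
server.groupname     = "www-host1"
server.document-root = "/htdocs"            # path as seen inside the jail
server.bind          = "192.0.2.10"         # constructed address for host1.org
server.port          = 80
cgi.assign           = ( ".cgi" => "" )     # execute the CGI binary directly

# ---- /etc/lighttpd/host2.conf (constructed path) ----
# Start as root with: lighttpd -f /etc/lighttpd/host2.conf
server.modules       = ( "mod_cgi" )
server.chroot        = "/srv/httpd/host2"   # sibling of host1's jail, not nested
server.username      = "www-host2"          # different uid from host1
server.groupname     = "www-host2"
server.document-root = "/htdocs"
server.bind          = "192.0.2.11"         # constructed address for host2.org
server.port          = 80
cgi.assign           = ( ".cgi" => "" )

# Notes on the layout assumed above:
# - Each jail needs its own copy of the CGI binary and the shared
#   libraries it loads; nothing outside the jail is reachable.
# - Neither jail directory may contain the other, otherwise the outer
#   instance's CGI can still read the inner host's documents.
# - Separate accounts keep one host's CGI from reading files owned by
#   the other or signalling its processes.
```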

#3

Updated by stbuehler almost 11 years ago

  • Status changed from Fixed to Invalid
