Bug #1792
closedvirtual hosts and chroot security flaw
Description
Hi,
I use lighttpd in a chroot jail for security reason
until today I had only one server running into /srv/httpd jail directory
this server run a CGI C++ program to create content.
today I had to setup 2 virtual hosts, let says host1.org and host2.org
so what I wanted to do is to set a server.chroot option in each virtual host section... this totaly broke the server that endend chrooted in the last server.chroot option (ie the last vhost)
right now I fixed this by using a server.chroot=/srv/httpd and different document roots...
however since I use a cgi program this program can access to other virtual hosts documents.... which I don't want...
I would like to be able to specify a chroot for each virtual host, how can I do that?
thanks
JLM
-- jeanluc.malet
Updated by stbuehler about 16 years ago
- Status changed from New to Fixed
- Resolution set to invalid
- this is a bug tracker, not a support forum
- one process can only have one chroot
Updated by hoffie about 16 years ago
--- too slow ---
You cannot do that. Lighttpd is a single-process web server, and a process only has one root (i.e. calling chroot() will affect the whole process). This is nothing which lighttpd can influence, it's a design "limitation" (or rather decision) in unix-like systems.
If you really need privilege seperation on the web server level, use multiple lighttpd instances. If you need it on the dynamic (i.e. *CGI) level only, you can use techniques like switchboard or hack up a custom spawn-fcgi-based script.
All in all, this is not a lighttpd issue.
Also available in: Atom