From: Georgi Hristozov on 27 Sep 2010 03:58

Hello,

I'm running a Gentoo-hardened box with PHP 5.2.14-pl0-gentoo (Suhosin included) and Apache 2.2.16. mod_php is running in a chroot, using mpm_peruser. Everything works OK, except the PHP DNS resolving, which I need to access HTTP resources. It fails with both the curl and http extensions.

With some stracing of the Apache child processes I found that PHP is trying to access the following files: hosts, nsswitch.conf, resolv.conf and the libnss libraries. I've copied them to the chroot, but the resolving still fails. strace showed failed accesses to /dev/urandom and /dev/log, but mounting /dev in the chroot didn't help.

My php.ini can be found at [1]. I'm setting the following additional flags in the vhost configuration:

engine on
open_basedir "/htdocs:/sessions:/tmp"
session.save_path "/sessions"
upload_tmp_dir "/tmp"

Does anybody run similar chroot-ed PHP? Any help will be appreciated!

Thanks in advance!

[1] http://forkbomb.nl/temp/php.ini

From: Per Jessen on 27 Sep 2010 05:20

Georgi Hristozov wrote:

> Hello,
>
> I'm running a Gentoo-hardened box with PHP 5.2.14-pl0-gentoo (Suhosin
> included) and Apache 2.2.16. mod_php is running in a chroot, using
> mpm_peruser. Everything works OK, except the PHP DNS resolving, which
> I need to access HTTP resources. It fails with both the curl and http
> extensions.
>
> With some stracing of the Apache child processes I found that PHP is
> trying to access the following files: hosts, nsswitch.conf,
> resolv.conf and the libnss libraries.

Just being pedantic: not actually PHP, but the resolver.

> I've copied them to the chroot, but the resolving still fails. strace
> showed failed accesses to /dev/urandom and /dev/log, but mounting /dev
> in the chroot didn't help.

What does your strace show when you have mounted /dev in your chroot (with -o bind)?

--
Per Jessen, Zürich (10.1°C)
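
Added example, not part of either post: a shell check that walks a chroot tree for the resolver files named in the strace output above (hosts, nsswitch.conf, resolv.conf, the libnss modules) and reports on the two device nodes. It assumes glibc's NSS module naming (libnss_<service>.so.2) and the usual lib*/ and usr/lib*/ directories; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a chroot tree for the files the
# glibc resolver opens. Assumed layout: NSS modules are named
# libnss_<service>.so.2 and live under lib*/ or usr/lib*/ inside the chroot.

# has_lib ROOT NAME: succeed if NAME exists in one of the usual library dirs.
has_lib() {
    for p in "$1"/lib*/"$2" "$1"/lib/*/"$2" "$1"/usr/lib*/"$2" "$1"/usr/lib/*/"$2"; do
        if [ -e "$p" ]; then return 0; fi
    done
    return 1
}

# check_chroot_resolver ROOT: print findings, return 1 if anything is MISSING.
check_chroot_resolver() {
    root=$1
    rc=0
    # Config files named in the strace output.
    for f in etc/hosts etc/nsswitch.conf etc/resolv.conf; do
        if [ ! -r "$root/$f" ]; then echo "MISSING /$f"; rc=1; fi
    done
    # Without a nameserver line glibc falls back to a server on 127.0.0.1,
    # which normally does not exist inside the chroot's view of the host.
    if [ -r "$root/etc/resolv.conf" ] &&
       ! grep -q '^[[:space:]]*nameserver[[:space:]]' "$root/etc/resolv.conf"; then
        echo "MISSING nameserver line in /etc/resolv.conf"; rc=1
    fi
    # Each service on the hosts: line is dlopen()ed as libnss_<service>.so.2.
    if [ -r "$root/etc/nsswitch.conf" ]; then
        services=$(sed -n 's/#.*//; s/\[[^]]*\]//g; s/^[[:space:]]*hosts:[[:space:]]*//p' \
            "$root/etc/nsswitch.conf")
        for svc in $services; do
            if ! has_lib "$root" "libnss_$svc.so.2"; then
                echo "MISSING libnss_$svc.so.2"; rc=1
            fi
        done
    fi
    # Device nodes are reported only: the strace showed failed accesses to
    # them, but mounting /dev did not change the result for the poster.
    if [ ! -c "$root/dev/urandom" ]; then echo "WARN /dev/urandom is not a character device"; fi
    if [ ! -S "$root/dev/log" ]; then echo "WARN /dev/log is not a socket"; fi
    return $rc
}

# Usage: sh check.sh /path/to/chroot
if [ "$#" -gt 0 ]; then check_chroot_resolver "$1"; fi
```

A clean result only shows the files are present; the module versions copied in still have to match the libc the chrooted process is running with.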