[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Light weight IDSes and then some

George P Boutwell on 2005-07-15 10:56:48 -0500:

> On 7/15/05, Alec Berryman <alec@thened.net> wrote:
> > OpenBSD places all of the user's public_html directories under the
> > Apache chroot.  I've found it no hassle to put a symlink in the user's
> > directory, but then again I wasn't doing quotas.
> Alec, Thanks for the suggestion.  I had thought of this, but I
> wondered if there might be a way to abuse the symlink to break out of
> the chroot jail.  I understand that would be more so if the symlink
> where the other way (from the chroot, back to the home users dir), but
> I don't know about from home user's dir to chroot?

Let me clarify what I said: the directory which holds the content
accessible under http://www.example.com/~user/ is physically locate
under the chroot, and a symlink to that directory is placed in the
user's home directory.  Neither the user's home directory nor the
symlink are not under the chroot; you don't have to worry about your
machine being compromised through that symlink.

Doing the setup the other way around (with the symlink under the
chroot and the directory outside the chroot) would not work - the
program in the chroot would follow the symlink relative to the chroot
and end up somewhere other than the intended directory (most likely

Attachment: pgpYxxYLkqjS8.pgp
Description: PGP signature

Reply to: