George P Boutwell on 2005-07-15 10:56:48 -0500:

> On 7/15/05, Alec Berryman <alec@thened.net> wrote:
> > OpenBSD places all of the user's public_html directories under the
> > Apache chroot. I've found it no hassle to put a symlink in the user's
> > directory, but then again I wasn't doing quotas.
>
> Alec, Thanks for the suggestion. I had thought of this, but I
> wondered if there might be a way to abuse the symlink to break out of
> the chroot jail. I understand that would be more so if the symlink
> were the other way (from the chroot, back to the home users dir), but
> I don't know about from home user's dir to chroot?

Let me clarify what I said: the directory which holds the content accessible under http://www.example.com/~user/ is physically located under the chroot, and a symlink to that directory is placed in the user's home directory. Neither the user's home directory nor the symlink is under the chroot; you don't have to worry about your machine being compromised through that symlink.

Doing the setup the other way around (with the symlink under the chroot and the directory outside the chroot) would not work - the program in the chroot would follow the symlink relative to the chroot and end up somewhere other than the intended directory (most likely nowhere).
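The lookup behaviour described in the message above, as an added example that is not part of the original thread: a user-space emulation of how a chrooted process resolves symlinks, run against both layouts. The directory names (`users/alice`, `home/bob`, and so on) are constructed for the illustration, no real `chroot()` call is made, and the relative `..` symlink is an extra case beyond the one the message covers.

```python
import os
import tempfile

def resolve_in_chroot(chroot, path, max_links=40):
    """Host path that a process chrooted to `chroot` reaches for `path`, or None.
    Emulates lookup rules: '..' cannot climb above the chroot root, and an
    absolute symlink target restarts at the chroot root, not the host root."""
    split = lambda p: [c for c in p.split("/") if c and c != "."]
    pending, current, links = split(path), [], 0
    while pending:
        part = pending.pop(0)
        if part == "..":
            current = current[:-1]      # at the root, '..' stays at the root
            continue
        host = os.path.join(chroot, *current, part)
        if os.path.islink(host):
            links += 1
            if links > max_links:
                return None             # symlink loop
            target = os.readlink(host)
            if target.startswith("/"):
                current = []            # absolute target: back to the chroot root
            pending = split(target) + pending
        elif os.path.exists(host):
            current.append(part)
        else:
            return None                 # nothing there from inside the chroot
    return os.path.join(chroot, *current)

def demo():
    """Build both layouts in a temp dir (constructed sample paths) and resolve them."""
    base = os.path.realpath(tempfile.mkdtemp())
    chroot = os.path.join(base, "chroot")
    content = os.path.join(chroot, "users", "alice")
    os.makedirs(content)                                 # content under the chroot
    os.makedirs(os.path.join(base, "home", "alice"))
    home_link = os.path.join(base, "home", "alice", "public_html")
    os.symlink(content, home_link)                       # symlink in the home dir
    outside = os.path.join(base, "home", "bob", "public_html")
    os.makedirs(outside)                                 # reverse: content outside
    os.symlink(outside, os.path.join(chroot, "users", "bob"))
    os.symlink("../../home/bob/public_html", os.path.join(chroot, "users", "bob_rel"))
    return {
        "chroot": chroot,
        "home_link_on_host": os.path.realpath(home_link),
        "alice": resolve_in_chroot(chroot, "/users/alice"),
        "bob": resolve_in_chroot(chroot, "/users/bob"),
        "bob_rel": resolve_in_chroot(chroot, "/users/bob_rel"),
    }
```

Calling `demo()` shows the home-directory symlink and the in-chroot path reaching the same content directory, while both reverse-layout symlinks resolve to `None` from inside the chroot.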