Sun Java System Web Server 6.1 SP12 Programmer's Guide

Specifying a Chroot Directory for a Virtual Server

To further improve security, these CGI scripts should be prevented from accessing data outside the virtual server directory. Running them under a chroot directory achieves this: the process sees that directory as the root of the file system and has no path to anything outside it.

First, set up the chroot environment. The exact steps required to set up the chroot environment vary by operating system. For instructions, consult your operating system's documentation. The man pages for ftpd and chroot are a good place to start.

These are the steps required for Solaris versions 2.6 through 8.

Procedure: To Specify a Chroot Directory for a Virtual Server

  1. Log in as the superuser.

    su

  2. Change to the chroot directory. This is typically the vs_dir directory mentioned in the previous section. In the commands that follow, chroot stands for the path of this directory.

    cd chroot

  3. Create tmp in the chroot directory:

    mkdir tmp

    chmod 1777 tmp

  4. Create dev in the chroot directory:

    mkdir dev

    chmod 755 dev

  5. List /dev/tcp, and note the major and minor numbers of the resulting output. In this example, the major number is 11 and the minor number is 42:

    ls -lL /dev/tcp

    crw-rw-rw- 1 root sys 11, 42 Apr 9 1998 /dev/tcp

  6. Create the tcp device using the major and minor numbers:

    mknod dev/tcp c 11 42

    chmod 666 dev/tcp

  7. Repeat steps 5 and 6 for each of the following devices. Each device has its own major and minor numbers, so look them up with ls -lL every time rather than reusing the values from /dev/tcp:

    /dev/udp /dev/ip /dev/kmem /dev/kstat /dev/ksyms /dev/mem /dev/null /dev/stderr /dev/stdin /dev/stdout /dev/ticotsord /dev/zero

  8. Set permissions on the devices in dev in the chroot directory. A device node refers to the same device wherever it is created, so dev/kmem and dev/mem inside the chroot give exactly the same access to kernel memory as the originals; world-writable copies of them widen the original permissions considerably, so create only the devices your CGI programs actually need:

    chmod 666 dev/*

  9. Create and populate lib and usr/lib in the chroot directory. The symbolic link lib -> /usr/lib has an absolute target, which inside the chroot resolves to the chroot's own usr/lib:

    mkdir usr

    mkdir usr/lib

    ln -s /usr/lib

    ln /usr/lib/* usr/lib

    The ln command prints an error message for each entry it cannot hard link; you can ignore these messages. Note that a hard link is the same file as the original, with the same contents at all times and the same permission bits (including any set-user-ID bit), so whatever is in /usr/lib on the host is available inside the chroot.

    Hard links cannot cross file systems. If /usr/lib is on a different file system from the chroot directory, replace the last command with a copy:

    cp -rf /usr/lib/* usr/lib

  10. Create and populate bin and usr/bin in the chroot directory, in the same way (the link bin -> /usr/bin resolves to the chroot's own usr/bin):

    mkdir usr/bin

    ln -s /usr/bin

    ln /usr/bin/* usr/bin

    You can ignore the error messages this command prints for entries it cannot hard link.

    If /usr/bin is on a different file system from the chroot directory, replace the last command with a copy:

    cp -rf /usr/bin/* usr/bin

  11. Create and populate etc in the chroot directory. The same rule applies: if /etc is on a different file system from the chroot directory, copy the files instead of hard-linking them:

    mkdir etc

    ln /etc/passwd /etc/group /etc/netconfig etc

  12. Test the chroot environment (in the command below, the first chroot is the command and the second is the directory):

    chroot chroot bin/ls -l

    The output should look something like this:

    lrwxrwxrwx   1 root   other     8 Jan 13 03:32 bin -> /usr/bin
    drwxr-xr-x   2 user   group   512 Jan 13 03:42 cgi-bin
    drwxr-xr-x   2 root   other   512 Jan 13 03:28 dev
    drwxr-xr-x   2 user   group   512 Jan 13 03:26 docs
    drwxr-xr-x   2 root   other   512 Jan 13 03:33 etc
    lrwxrwxrwx   1 root   other     8 Jan 13 03:30 lib -> /usr/lib
    drwxr-xr-x   4 root   other   512 Jan 13 03:32 usr
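    The procedure above, collected into one script, as an added example that is not part of the Sun guide. It runs steps 2 through 12 against a chroot directory given on the command line, prints every command instead of executing it when DRY_RUN=1, parses the ls -lL output of step 5 instead of relying on hand-copied major and minor numbers, and applies the guide's own rule (hard link on the same file system, otherwise copy) automatically. The device list and the 666 modes are the guide's; the helper names, the DRY_RUN variable, the df-based file-system check and the path /export/vs1 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Sun Java System Web Server guide: the chroot
# procedure (steps 2 through 12) as a reviewable script. Run it first with
# DRY_RUN=1 to see every command it would execute, then as root without it.
# Assumptions: a Solaris host that has the devices listed in step 7, and a
# `df -k` whose last field on its last output line is the mount point.

# Devices from step 7 of the guide.
CHROOT_DEVICES="/dev/tcp /dev/udp /dev/ip /dev/kmem /dev/kstat /dev/ksyms /dev/mem \
/dev/null /dev/stderr /dev/stdin /dev/stdout /dev/ticotsord /dev/zero"

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dev_numbers LS_LINE: parse one line of `ls -lL` output (step 5) and print
# "MAJOR MINOR", e.g. "11 42" for
#   crw-rw-rw- 1 root sys 11, 42 Apr 9 1998 /dev/tcp
# Fails unless the entry is a character device.
dev_numbers() {
    set -- $1                      # split the line into its fields
    case $1 in
        c*) ;;
        *) return 1 ;;
    esac
    echo "${5%,} $6"               # field 5 is "11,", field 6 is "42"
}

# make_device CHROOT LS_LINE: step 6 for one device. The node name comes from
# the path at the end of the ls line; mode 666 follows the guide.
make_device() {
    nums=$(dev_numbers "$2") || { echo "not a character device: $2" >&2; return 1; }
    name=${2##*/}                  # /dev/tcp -> tcp
    run mknod "$1/dev/$name" c ${nums%% *} ${nums##* }
    run chmod 666 "$1/dev/$name"
}

# mount_of PATH: mount point of the file system that holds PATH (assumption:
# df prints it as the last field of its last line, also when a long device
# name wraps the row).
mount_of() {
    df -k "$1" | awk 'END { print $NF }'
}

# link_or_copy CHROOT SUBDIR SRC...: hard-link the sources into CHROOT/SUBDIR
# when they share a file system with the chroot (steps 9 to 11), otherwise
# copy them, as the guide prescribes for /usr/lib and /usr/bin.
link_or_copy() {
    root=$1; dest=$1/$2; shift 2
    run mkdir -p "$dest"
    if [ "$(mount_of "$1")" = "$(mount_of "$root")" ]; then
        run ln "$@" "$dest" || true   # ln reports entries it cannot link; the guide says to ignore them
    else
        run cp -rf "$@" "$dest"
    fi
}

# build_chroot CHROOT: the whole procedure against an existing vs_dir.
build_chroot() {
    root=$1
    run mkdir -p "$root/tmp"; run chmod 1777 "$root/tmp"              # step 3
    run mkdir -p "$root/dev"; run chmod 755 "$root/dev"               # step 4
    for dev in $CHROOT_DEVICES; do                                    # steps 5 to 8
        [ -c "$dev" ] || { echo "missing character device: $dev" >&2; return 1; }
        make_device "$root" "$(ls -lL "$dev")" || return 1
    done
    run mkdir -p "$root/usr"                                          # steps 9 and 10
    run ln -s /usr/lib "$root/lib"        # absolute target: resolves to usr/lib inside the chroot
    link_or_copy "$root" usr/lib /usr/lib/*
    run ln -s /usr/bin "$root/bin"
    link_or_copy "$root" usr/bin /usr/bin/*
    link_or_copy "$root" etc /etc/passwd /etc/group /etc/netconfig    # step 11
    run chroot "$root" /bin/ls -l                                     # step 12
}

if [ $# -gt 0 ]; then
    build_chroot "$1"
fi
```

    Saved as, for instance, chroot-setup.sh (a name chosen for this example), it is first run as DRY_RUN=1 sh chroot-setup.sh /export/vs1 to review the mknod, ln and cp commands it would issue, in particular the nodes it would create for kmem and mem, and then repeated as root without DRY_RUN. The dev_numbers function rejects anything whose mode string does not start with c, so a path that turns out to be a symbolic link to a block device or a plain file stops the script instead of producing a node with wrong numbers.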

    Now you can set the chroot directory of the virtual server in one of these ways: