Sun Java System Web Server 7.0 Update 3 Developer's Guide

Procedure: Specifying a Chroot Directory for a Virtual Server

To further improve security, CGI scripts must be prevented from accessing data above and outside the document-root directory; running them under a chroot directory set on the virtual server enforces this.

Before You Begin

Set up the chroot environment. The exact steps required to set up the chroot environment vary by operating system. For instructions, refer to your operating system’s documentation, and see the man pages for the ftpd and chroot commands.

Steps required for Solaris versions 2.8 through 10 are described in the following procedure:

  1. Log in as a superuser.

  2. Change to the chroot directory.

Here chroot stands for the directory that will become the root of the chroot environment; it is typically the document-root directory of the virtual server.

    cd chroot

  3. Create tmp in the chroot directory and set appropriate permissions.

    mkdir tmp

    chmod 1777 tmp

  4. Create dev in the chroot directory and set appropriate permissions.

    mkdir dev

    chmod 755 dev

  5. List /dev/tcp, and note the major and minor numbers of the resulting output.

    # ls -lL /dev/tcp

    crw-rw-rw- 1 root sys 11, 42 Apr 9 1998 /dev/tcp

    In this example, the major number is 11 and the minor number is 42.

  6. Create the tcp device using the major and minor numbers.

    mknod dev/tcp c 11 42

    chmod 666 dev/tcp

  7. Repeat steps 4, 5, and 6 for each of the following devices.

    Note – Each device will have a different major and minor number combination.

    /dev/udp /dev/ip /dev/kmem /dev/kstat /dev/ksyms /dev/mem /dev/null /dev/stderr /dev/stdin /dev/stdout /dev/ticotsord /dev/zero

  8. Set permissions on the devices in dev in the chroot directory.

    chmod 666 dev/*

  9. Create and populate lib and usr/lib in the chroot directory.

    mkdir usr
    mkdir usr/lib
    ln -s /usr/lib
    ln /usr/lib/* usr/lib

    You can ignore the messages that the ln command generates.

    If the /usr/lib directory is on a different file system, use the following command:

    cp -rf /usr/lib/* usr/lib

  10. Create and populate bin and usr/bin in the chroot directory.

    mkdir usr/bin
    ln -s /usr/bin
    ln /usr/bin/* usr/bin

    You can ignore the messages that the ln command generates.

    If the /usr/bin directory is on a different file system, use the following command:

    cp -rf /usr/bin/* usr/bin

  11. Create and populate etc in the chroot directory.

    mkdir etc

    ln /etc/passwd /etc/group /etc/netconfig etc

  12. Test the chroot environment.

    chroot chroot bin/ls -l

    The first chroot is the command; the second is the chroot directory created in step 2.

    The output should look like this example:

    total 14
    lrwxrwxrwx   1 root   other    8 Jan 13 03:32 bin -> /usr/bin
    drwxr-xr-x   2 user   group  512 Jan 13 03:42 cgi-bin
    drwxr-xr-x   2 root   other  512 Jan 13 03:28 dev
    drwxr-xr-x   2 user   group  512 Jan 13 03:26 docs
    drwxr-xr-x   2 root   other  512 Jan 13 03:33 etc
    lrwxrwxrwx   1 root   other    8 Jan 13 03:30 lib -> /usr/lib
    drwxr-xr-x   4 root   other  512 Jan 13 03:32 usr

  13. Set the virtual server’s chroot directory in one of the following ways.
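The following shell script is an added example and is not part of the Sun guide. It wraps steps 3 through 11 into reusable functions: it parses the major and minor numbers out of `ls -lL` output as in step 5, prints (rather than runs) the `mknod` and `chmod` commands of steps 6 and 7 for every device listed in the guide, and audits an existing chroot directory against the permissions and files the procedure requires. The device names, modes and the three etc files come from the guide; the function names, the dry-run behaviour and the audit checks are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the Sun guide: helpers for building and auditing the
# chroot skeleton from steps 3 through 11. Device names, modes and etc files come
# from the guide; function names, dry-run mode and the audit are this example's own.

# Device nodes the guide replicates into <chroot>/dev (steps 6 and 7).
CHROOT_DEVICES="tcp udp ip kmem kstat ksyms mem null stderr stdin stdout ticotsord zero"

# dev_numbers LINE
# Parse one line of 'ls -lL' output for a device node (step 5) and print
# "<major> <minor>". Fails if the line does not describe a character or block device.
#   crw-rw-rw- 1 root sys 11, 42 Apr 9 1998 /dev/tcp   ->   11 42
dev_numbers() {
    case $1 in
        c*|b*) ;;
        *) return 1 ;;
    esac
    set -- $1                   # split the line into fields
    major=${5%,}                # field 5 reads "<major>," on a device node
    minor=$6
    case $major in ''|*[!0-9]*) return 1 ;; esac
    case $minor in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$major" "$minor"
}

# device_cmds ROOT NAME MAJOR MINOR [run]
# Print the step 6 commands for one device, or execute them when the fifth
# argument is "run" (executing needs superuser privileges on the real system).
device_cmds() {
    if [ "$5" = run ]; then
        mknod "$1/dev/$2" c "$3" "$4" && chmod 666 "$1/dev/$2"
    else
        printf 'mknod %s/dev/%s c %s %s\n' "$1" "$2" "$3" "$4"
        printf 'chmod 666 %s/dev/%s\n' "$1" "$2"
    fi
}

# plan_devices ROOT
# Read each device's numbers from the live /dev (step 5) and print the mknod
# and chmod commands for all of them (steps 6 and 7) without running anything.
# Devices absent on this host are reported as comments.
plan_devices() {
    for d in $CHROOT_DEVICES; do
        line=$(ls -lL "/dev/$d" 2>/dev/null) || { echo "# /dev/$d: not present on this host"; continue; }
        nums=$(dev_numbers "$line") || { echo "# /dev/$d: not a device node"; continue; }
        device_cmds "$1" "$d" $nums
    done
}

# audit_chroot ROOT
# Check an existing chroot directory against steps 3, 4, 6-8 and 11 and print
# one line per problem; returns 0 only when the skeleton is complete.
# Uses ls -ld rather than stat(1) so it also works in the Solaris sh.
audit_chroot() {
    root=$1 bad=0
    mode=$(ls -ld "$root/tmp" 2>/dev/null | cut -c1-10)
    [ "$mode" = drwxrwxrwt ] || { echo "tmp: expected mode 1777, found '${mode:-missing}' (step 3)"; bad=1; }
    mode=$(ls -ld "$root/dev" 2>/dev/null | cut -c1-10)
    [ "$mode" = drwxr-xr-x ] || { echo "dev: expected mode 755, found '${mode:-missing}' (step 4)"; bad=1; }
    for d in $CHROOT_DEVICES; do
        if [ ! -c "$root/dev/$d" ]; then
            echo "dev/$d: missing or not a character device (steps 6-7)"; bad=1
        elif [ "$(ls -lL "$root/dev/$d" | cut -c1-10)" != crw-rw-rw- ]; then
            echo "dev/$d: expected mode 666 (step 8)"; bad=1
        fi
    done
    for f in passwd group netconfig; do
        [ -f "$root/etc/$f" ] || { echo "etc/$f: missing (step 11)"; bad=1; }
    done
    return $bad
}

# Usage (dry run, no superuser needed):  sh chroot-skeleton.sh /path/to/chroot
if [ $# -eq 1 ]; then
    plan_devices "$1"
    audit_chroot "$1"
fi
```

Run it with the chroot directory as its only argument to get a printed list of the mknod commands for this host followed by the audit findings; the commands are printed rather than executed so the plan can be reviewed before it is run as superuser.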