Re: [gentoo-user] Symlinking out of a chroot
Hi,

On Sun, Nov 12, 2006 at 09:56:31AM -0500, Brian Davis wrote:
> Hey folks, I will be running my apache2 server in a chroot. Most of my data for the server (e.g. pictures, user webpages) are on another partition from my chroot. I don't want to move all that data into the apache chroot if I don't have to. Therefore I would have soft symlinks from the chroot to the data. Does this effectively make the chroot worthless?

I would suggest an alias for this - http://httpd.apache.org/docs/2.0/mod/mod_alias.html#alias

Aliases were made for this kind of problem (data was not in the documentroot)

greetz
alex

--
* IMPORTANT: 217 config files in /etc need updating

--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Symlinking out of a chroot
Hi,

On Mon, 13 Nov 2006 12:04:51 +0100 Alex wrote:
> I would suggest an alias for this - http://httpd.apache.org/docs/2.0/mod/mod_alias.html#alias
>
> Aliases were made for this kind of problem (data was not in the documentroot)

Yep, but they're not made for *this* exact kind of problem: Here, the file isn't even in the accessible filesystem namespace.

BTW, I've always found it easier to manage a bunch of symlinks instead of numerous .htaccess files. But again, in the OP's case neither works.

-hwh
Re: [gentoo-user] Symlinking out of a chroot
As they say, security comes at the cost of convenience (and storage in this case), so I think the most secure solution is to just copy over the data I need to publish to the chroot. I've given it thought, and I don't want the potential apache hax0r to get to (and potentially delete) all my original pictures/videos. The downside is that I'll probably have 90% of them copied to the /chroot/www directory for publishing.

The mount --bind thing looked nice, but you can't change the mount permissions from what those directories already have, i.e. if I have /stuff/pics on a filesystem mounted rw, I can't then mount --bind it to ro. At least that's what the man page says. If I could mount it to ro, that might be a better alternative.

Thanks,
Brian

Hans-Werner Hilse wrote:
> Hi,
>
> On Mon, 13 Nov 2006 12:04:51 +0100 Alex wrote:
> > I would suggest an alias for this - http://httpd.apache.org/docs/2.0/mod/mod_alias.html#alias
> >
> > Aliases were made for this kind of problem (data was not in the documentroot)
>
> Yep, but they're not made for *this* exact kind of problem: Here, the file isn't even in the accessible filesystem namespace.
>
> BTW, I've always found it easier to manage a bunch of symlinks instead of numerous .htaccess files. But again, in the OP's case neither works.
>
> -hwh
Re: [gentoo-user] Symlinking out of a chroot
Hi,

On Mon, 13 Nov 2006 09:51:33 -0500 Brian Davis wrote:
> The mount --bind thing looked nice, but you can't change the mount permissions from what those directories already have, i.e. if I have /stuff/pics on a filesystem mounted rw, I can't then mount --bind it to ro. At least that's what the man page says. If I could mount it to ro, that might be a better alternative.

Not the --bind way, that's right. You could, however, do it with a loopback'ed network fs mount. Depending on the usage scenario and production stability needed, that might be an option.

BTW, if this data is valuable, you should have backups on different media, but you certainly know that...

-hwh
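An added example, not part of any poster's message: since Linux 2.6.26 a bind mount can be remounted read-only on its own while the underlying filesystem stays rw, which gives the arrangement asked about above. `bind_ro` performs the two steps (needs root, so it is only defined here), and `writable_mounts_under` checks mountinfo-format data for mounts under the chroot that are still writable. The function names, the targets under /chroot/www and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only bind mount into a chroot, plus a check of the result.

# Bind SRC onto DST, then make only that mount point read-only.
# Needs root and Linux >= 2.6.26; defined here but not called.
bind_ro() {
    src=$1 dst=$2
    mkdir -p "$dst" &&
    mount --bind "$src" "$dst" &&
    mount -o remount,bind,ro "$src" "$dst"
}

# Print every mount point at or below ROOT whose per-mount options
# (mountinfo field 6) lack "ro". The last field holds the superblock
# options, which stay "rw" for a read-only bind of a writable filesystem.
# $2 is a mountinfo-format file ("-" for stdin), default /proc/self/mountinfo.
writable_mounts_under() {
    root=${1%/}
    awk -v root="$root" '
        $5 == root || index($5, root "/") == 1 {
            n = split($6, opt, ","); ro = 0
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (!ro) print $5
        }' "${2:-/proc/self/mountinfo}"
}

# Constructed sample: /stuff on /dev/sda3, two directories bound into the chroot.
sample_mountinfo() {
    cat <<'EOF'
36 25 8:3 / /stuff rw,relatime - ext3 /dev/sda3 rw
41 25 8:3 /pics /chroot/www/pics ro,relatime - ext3 /dev/sda3 rw
42 25 8:3 /userpages /chroot/www/users rw,relatime - ext3 /dev/sda3 rw
EOF
}

# Reports the bind mount that was left writable.
sample_mountinfo | writable_mounts_under /chroot/www -
```

On a live system, run `writable_mounts_under /chroot/www` with no second argument to read /proc/self/mountinfo.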
Re: [gentoo-user] Symlinking out of a chroot
Brian Davis wrote:
--snip--
> The mount --bind thing looked nice, but you can't change the mount permissions from what those directories already have, i.e. if I have /stuff/pics on a filesystem mounted rw, I can't then mount --bind it to ro. At least that's what the man page says. If I could mount it to ro, that might be a better alternative.
--snip--

Well, you could make /stuff/pics writable only for its owner, not to the apache user. For example:

    chown -R brian:root /stuff/pics
    # /stuff/pics and everything below is owned by brian and the root group

    chmod -R 644 /stuff/pics
    # /stuff/pics and everything below is writable to brian and readable to all

    find /stuff/pics -type d -exec chmod 755 {} \;
    # /stuff/pics and all dirs below are searchable to everyone

--
Best regards,
Daniel
[gentoo-user] Symlinking out of a chroot
Hey folks,

I will be running my apache2 server in a chroot. Most of my data for the server (e.g. pictures, user webpages) are on another partition from my chroot. I don't want to move all that data into the apache chroot if I don't have to. Therefore I would have soft symlinks from the chroot to the data. Does this effectively make the chroot worthless?

Thanks!
Re: [gentoo-user] Symlinking out of a chroot
Brian Davis wrote:
> Hey folks, I will be running my apache2 server in a chroot. Most of my data for the server (e.g. pictures, user webpages) are on another partition from my chroot. I don't want to move all that data into the apache chroot if I don't have to. Therefore I would have soft symlinks from the chroot to the data. Does this effectively make the chroot worthless? Thanks!

I'm not sure if it would work at all. If I were you I would make dirs instead of symlinks and use mount --bind.

HTH

--
Best regards,
Daniel
Re: [gentoo-user] Symlinking out of a chroot
Brian Davis wrote:
> Hey folks, I will be running my apache2 server in a chroot. Most of my data for the server (e.g. pictures, user webpages) are on another partition from my chroot. I don't want to move all that data into the apache chroot if I don't have to. Therefore I would have soft symlinks from the chroot to the data. Does this effectively make the chroot worthless? Thanks!

At a quick guess, I suspect the symlink will end up pointing to something like, /link will be a symlink pointing to '../../blah', which won't be valid inside the chroot. Or will point to '/var/www/mydata' which again, won't be valid inside the chroot.

However I don't have a chroot environment here with which to test this. But basically the symlink will be broken inside the chroot.

Shawn
Re: [gentoo-user] Symlinking out of a chroot
On Sunday 12 November 2006 08:56, Brian Davis wrote about '[gentoo-user] Symlinking out of a chroot':
> I will be running my apache2 server in a chroot. Most of my data for the server (e.g. pictures, user webpages) are on another partition from my chroot. I don't want to move all that data into the apache chroot if I don't have to. Therefore I would have soft symlinks from the chroot to the data.

You can't symlink out of a chroot. You can symlink into one. You can hardlink in both directions.

Of course, in your case, I'd say your best option is probably mounting with the bind option with symlinks within the chroot as needed.

--
If there's one thing we've established over the years, it's that the vast majority of our users don't have the slightest clue what's best for them in terms of package stability. -- Gentoo Developer Ciaran McCreesh
Re: [gentoo-user] Symlinking out of a chroot
Hi,

On Sun, 12 Nov 2006 09:56:31 -0500 Brian Davis wrote:
> I will be running my apache2 server in a chroot. Most of my data for the server (e.g. pictures, user webpages) are on another partition from my chroot. I don't want to move all that data into the apache chroot if I don't have to. Therefore I would have soft symlinks from the chroot to the data. Does this effectively make the chroot worthless?

No, the links just wouldn't work. But you can mount --bind /source /chroot/target them.

-hwh
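An added example, not part of any poster's message, showing why the replies above say the links "just wouldn't work": a chrooted process resolves an absolute symlink target from the chroot's own "/", and ".." cannot climb above it. `resolve_in_chroot` (a hypothetical helper) models this without needing root by following one link and normalising the rest lexically; the directory layout is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: where does a symlink inside a chroot lead for a chrooted process?
# resolve_in_chroot ROOT LINK prints the host path reached when LINK (a path as
# seen inside the chroot) is followed with ROOT acting as "/".
# Simplification: one link is followed; the remainder is normalised lexically.
resolve_in_chroot() {
    root=${1%/} link=$2
    target=$(readlink "$root$link") || return 1
    case $target in
        /*) path=$target ;;              # absolute: starts at the chroot's "/"
        *)  path=${link%/*}/$target ;;   # relative: starts at the link's directory
    esac
    norm=
    old_ifs=$IFS; IFS=/; set -f
    for part in $path; do
        case $part in
            ''|.) ;;
            ..)   norm=${norm%/*} ;;     # ".." at "/" stays at "/"
            *)    norm=$norm/$part ;;
        esac
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "$root$norm"
}

# Constructed layout: data in TOP/stuff/pics, chroot in TOP/chroot.
demo() {
    top=$(mktemp -d) || return 1
    mkdir -p "$top/stuff/pics" "$top/chroot/www"
    ln -s /stuff/pics      "$top/chroot/www/abs"
    ln -s ../../stuff/pics "$top/chroot/www/rel"
    for l in /www/abs /www/rel; do
        p=$(resolve_in_chroot "$top/chroot" "$l")
        if [ -e "$p" ]; then state=exists; else state=missing; fi
        echo "$l -> ${p#"$top"} ($state)"
    done
    rm -rf "$top"
}
demo
```

Both links end at /chroot/stuff/pics, which does not exist, so the data outside the chroot is never reached through them.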