How to emulate 'chroot /jail/ su httpd -c' ?

[Tetsuo Handa]

Hello,

Sorry for querying userland program in this list.

I have the following line in /etc/rc.d/init.d/httpd

daemon chroot /jail/ su httpd -c $httpd $OPTIONS

This needs /bin/su after /usr/sbin/chroot, but I don't
want to place /bin/su (and related files) in the jail.
So, I want to do this with one program.

But, the problem is... there are so many 'set*id()'
system calls and their behavior are slightly differ.
I'm not sure how to emulate 'chroot /jail/ su httpd -c'.
The following is the code I wrote, but is this equivalent?
(I want Apache never re-gain root privilege unless
executing setuid-root program.)

--- Is this a correct code to 'chroot /jail/ su httpd -c' ?---

#include <stdio.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    struct passwd *pw = getpwnam("httpd");
    if (!pw) return 1;
    if (chroot("/jail/") || chdir("/") || setuid(pw->pw_uid) || setgid(pw->pw_gid)) return 1;
    printf("OK\n"); // Now call execvl() to run Apache.
    return 0;
}

---

Kernel version is 2.4.25.
No need to worry for listening port 80,
I'm using iptables to redirect port 80 to 8000
and Apache doesn't need root privilege from the beginning.


Regards...

                  PANDA   (a5497108 at anet.ne.jp)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/