Consultor Eletrônico



Kbase P137067: How to set up WebSpeed cgiip messenger in Apache JAIL environment?
Author   Progress Software Corporation - Progress
Access   Public
Published   10/11/2008
Status: Unverified

GOAL:

What is Apache JAIL environment?

GOAL:

How to set up WebSpeed cgiip messenger in Apache JAIL environment?

FACT(s) (Environment):

Apache
UNIX
OpenEdge 10.x
Progress 9.x
WebSpeed 3.x

FIX:

Apache by default runs as a non-root user, which will limit any damage to what can be done as a normal user with a local shell. Of course, allowing what amounts to an anonymous guest account falls rather short of the security requirements for most Apache servers, so an additional step can be taken - that is, running Apache in a chroot jail.
The main benefit of a chroot jail is that the jail will limit the portion of the file system the daemon can see to the root directory of the jail. Additionally, since the jail only needs to support Apache, the programs available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail.
After compiling the necessary modules and configuring Apache to run in the JAIL environment, perform the following steps to set up the cgiip messenger:
1. Find the shared library dependencies of the cgiip messenger. These will need to be copied into the chroot jail later. To find them, execute the following command (the output shown is an example from HP-UX):
ldd $DLC/bin/cgiip
/usr/lib/libc.2 => /usr/lib/libc.2
/usr/lib/libdld.2 => /usr/lib/libdld.2
/usr/lib/libc.2 => /usr/lib/libc.2
/usr/lib/libcl.2 => /usr/lib/libcl.2
/usr/lib/libisamstub.1 => /usr/lib/libisamstub.1
/usr/lib/libdld.2 => /usr/lib/libdld.2
/usr/lib/libm.2 => /usr/lib/libm.2

2. Next, create the directory structure under the Apache JAIL directory /chroot/httpd as follows:

[root]# mkdir /chroot/httpd/lib
3. Copy all the dynamically linked libraries listed in step 1 into this JAILed directory, for example:
cp /usr/lib/libc.2 /chroot/httpd/lib/

4. The cgiip messenger also loads some libraries at runtime, for example $DLC/lib/libenhlog.so. These libraries also need to be copied over.
Create the following directory structure: /chroot/httpd/usr/dlc/lib
Copy all shared objects into this directory:
cp $DLC/lib/* /chroot/httpd/usr/dlc/lib


5. Proceed with the normal cgiip configuration instructions as specified in solution 19711.
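
The following added example (not part of the Progress article; the helper names are hypothetical) scripts steps 1 to 3 and adds an audit for setuid/setgid files, which the jail should not contain. It goes slightly beyond the HP-UX listing by also accepting Linux-style ldd lines.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not Progress or Apache tooling.

# Constructed sample: the HP-UX ldd listing from step 1 (note the repeated entries).
SAMPLE_LDD='/usr/lib/libc.2 => /usr/lib/libc.2
/usr/lib/libdld.2 => /usr/lib/libdld.2
/usr/lib/libc.2 => /usr/lib/libc.2
/usr/lib/libcl.2 => /usr/lib/libcl.2
/usr/lib/libisamstub.1 => /usr/lib/libisamstub.1
/usr/lib/libdld.2 => /usr/lib/libdld.2
/usr/lib/libm.2 => /usr/lib/libm.2'

# Read ldd output on stdin, print each resolved library path once.
# Handles "name => /path" lines (HP-UX, Linux) and bare "/path (0x...)" loader
# lines (Linux); "=> not found" entries and virtual objects are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { p = $3 }
         $1 ~ /^\// && $2 ~ /^\(/  { p = $1 }
         p != "" && !seen[p]++     { print p }
         { p = "" }'
}

# List libraries from ldd output (stdin) that are absent from jail lib dir $1.
jail_missing_libs() {
    ldd_paths | while IFS= read -r lib; do
        [ -e "$1/$(basename "$lib")" ] || printf '%s\n' "$lib"
    done
}

# Steps 2 and 3: create jail lib dir $1 and copy in whatever is still missing.
jail_copy_libs() {
    mkdir -p "$1" || return 1
    jail_missing_libs "$1" | while IFS= read -r lib; do
        cp -p "$lib" "$1/" || echo "cannot copy $lib" >&2
    done
}

# Audit: the jail needs no setuid/setgid files, so list any found under $1.
jail_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Stand-alone demo on the constructed sample; on a real host run for example:
#   ldd "$DLC/bin/cgiip" | jail_copy_libs /chroot/httpd/lib
#   jail_setuid_files /chroot/httpd
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
```

Any path printed by jail_setuid_files should be reviewed before the jailed Apache is started, and jail_missing_libs can be rerun after an OpenEdge or OS patch to catch libraries that have changed name.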