Date:         Tue, 09 Aug 1994 11:04:21 EDT
From:         "Brian T. Shelden" <shelden@spoke.law.cornell.edu>
To:           sanders@earth.com
Subject:      plexus chrooted
Reply-To:     bts1@cornell.edu

 
Tony--

I've enclosed a html file talking about what I had to do to 
run plexus chrooted, as per the comments in plexus.  The changes
you made adding $plexus_src made it much easier than in
previous versions.

I've left it at http://www.law.cornell.edu/~shelden/chrooted.html
if you want to point to it.

--Brian T. Shelden                      Systems Coordinator
bts1@cornell.edu                Legal Information Institute
(607) 255-9093                           Cornell Law School

<HTML><HEAD><TITLE>Running Plexus Chrooted</TITLE></HEAD>
<BODY>
<H1>A Guide to Running Plexus Chrooted</H1>

Here's what I had to do to get plexus to run chrooted.<p>

Firstly, you need to follow the normal instructions on how
to set up a chrooted directory.  Most <CODE>ftpd(8)</CODE> man 
pages explain in better detail for your system than
I could.<P>

Basically, you need a minimal $plexus_top/etc/passwd and $plexus_top/etc/group
(with no encrypted passwords), $plexus_top/dev/null, $plexus_top/dev/zero,
whatever programs you need in $plexus_top/bin/.  Some systems also
need copies of the shared libraries: $plexus_top/usr/lib/ld.so,
$plexus_top/usr/lib/libc.so.1.?, $plexus_top/usr/lib/libdl.so.1.0 .  <P>

<H2>&amp;process_config</H2>
Next, if you want $plexus_top != $plexus_src, you will have to 
change the plexus source slightly.  The problem is that you 
don't want to call &amp;process_config() as root, yet only root
can chroot.  So what do you do if you don't want your local.conf
under $plexus_top?<P>

Well, I punted. ;)  I set the effective uid to the safe uid
before &amp;process_config, then became root so the chroot would
work, and then finally became the safe user for good.<P>

These shenaniagans aren't necessary if $plexus_top is the same
as $plexus_src, or if you're not chrooting.  In those cases, 
I've tried to mantain the original functionality.
<PRE>
    if ($running_as_root) {
        if ($http_chroot) {
            if ($plexus_src) {
                $> = $uid;
                &main'debug(sprintf("Calling &pc from line %d", __LINE__));
                &process_config(CFG, $http_localcfg);
                $< = $> = 0;
                (chroot($plexus_top) 
                    || die "chroot: $plexus_top: $!", chdir("/"));
                $< = $> = $uid;
            }
            else {
                (chroot($plexus_top) 
                    || die "chroot: $plexus_top: $!", chdir("/"));
                $< = $> = $uid;
                &main'debug(sprintf("Calling &pc from line %d", __LINE__));
                &process_config(CFG, $http_localcfg);
            }
        }
        else {
            $< = $> = $uid;
            &main'debug(sprintf("Calling &pc from line %d", __LINE__));
            &process_config(CFG, $http_localcfg);
        }
    }
    else {
        &main'debug(sprintf("Calling &pc from %d", __LINE__));
        &process_config(CFG, $http_localcfg);
    }
</PRE>

<H2>CGI</H2>

You also have to make a small change in cgi.pl, if you're planning
to use it.  $PATH_TRANSLATED should be the same as $PATH_INFO
when you're running chrooted.  You also will probably need my
patches to use true redirection for CGI scripts that return
Location: headers.<P>

My changes are <B>in bold</B>.

<PRE>
        %ENV=();
<B>        local($top) = $'http_chroot ? '' : $'plexus_top;
        $ENV{"PATH"} = "/bin:/usr/ucb:/usr/local/bin:$top$rest";</B>
        $ENV{"SERVER_SOFTWARE"} = $'server_version;
        $ENV{"SERVER_NAME"} = $'hostname;
        $ENV{"GATEWAY_INTERFACE"} = "CGI/1.1";
        $ENV{"SERVER_PORT"} = $'plexus_port;
        ($ENV{"REQUEST_METHOD"} = $'action) =~ tr/a-z/A-Z/;
        if ($'version) {
            $ENV{'SERVER_PROTOCOL'} = $'htrq_version;
        } else {
            $ENV{'SERVER_PROTOCOL'} = 'HTTP';
            $ENV{'HTTP_ACCEPT'} = 'text/html';
        }
        $ENV{"PATH_INFO"} = $rest;
<B>        $ENV{"PATH_TRANSLATED"} = $top . $rest;</B>
        $ENV{"SCRIPT_NAME"} = "/$script";
        $ENV{"QUERY_STRING"} = $query if defined $query;
        local($af, $port, $inetaddr) = unpack($'sockaddr, $'peeraddr);
        $ENV{"REMOTE_HOST"} = &'hostname($inetaddr);
        $ENV{'REMOTE_ADDR'} = join(".",unpack("C4", $inetaddr));
</PRE>


<HR>
<ADDRESS><A HREF=http://www.law.cornell.edu/~shelden/>shelden</A></ADDRESS>

