How do I chroot CGI scripts?

When you chroot a CGI script, there is absolutely no way it can access files outside the chroot 'jail' you limit it to. This has security benefits, but it also means that it cannot access any libraries or configuration files that are outside of this jail directory.

Here is an example directory structure required for chrooting. In this example, an ISP has all its web sites under /web, with the docroots being /web/docroot/www.foo.com and /web/docroot/www.bar.com. The ISP has decided to chroot all CGIs into a chroot jail of "/web".

The first thing the ISP needs to do is to copy across the essential libraries. On RHEL 4, the following directory structure contains enough of the core libraries to get a simple CGI script to run.

/web/bin:
cat  echo  hostname  id  sh

/web/lib:
ld-linux.so.2  libc.so.6  libdl.so.2  libtermcap.so.2

Note that if you use languages like Perl for CGIs, you'll need to copy across all the Perl binaries and libraries into the chrooted jail.
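
One way to carry out the copying step on any distribution, as an added example that is not part of the original FAQ: it asks ldd which shared libraries a binary links against and copies each into the jail at the same absolute path, so the dynamic loader finds them after the chroot. The function names are hypothetical; /web is the jail from the example above.

```shell
#!/bin/sh
# Added example (not from the original FAQ): fill a chroot jail with a binary
# and the shared libraries it needs. Function names are hypothetical.
# ldd may execute code from the file it inspects: use it on trusted binaries only.

# Print the absolute path of each shared object a binary loads, one per line.
# Static binaries (and the kernel's vdso entry) yield nothing.
list_libs() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
        sort -u
}

# Copy one file into the jail at the same absolute path. -L dereferences
# symlinks so the jail holds a real file, not a link pointing outside it.
jail_copy() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -L "$src" "$jail$src"
}

# Add a binary and every library it links against to the jail.
jail_add() {
    jail=$1; bin=$2
    jail_copy "$jail" "$bin" || return 1
    list_libs "$bin" | while read -r lib; do
        jail_copy "$jail" "$lib" || exit 1
    done
}

# List libraries a binary needs that the jail lacks; no output means complete.
jail_missing() {
    jail=$1; bin=$2
    list_libs "$bin" | while read -r lib; do
        [ -e "$jail$lib" ] || echo "$lib"
    done
}

# Stand-alone use:  sh jail.sh /web /bin/sh /bin/cat /bin/echo
if [ "$#" -ge 2 ]; then
    target=$1; shift
    for b in "$@"; do jail_add "$target" "$b" || exit 1; done
fi
```

ldd only reports link-time dependencies, so files a program opens at run time, such as Perl modules, still have to be copied in separately.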

Content Manager [Administrator] 15 June 2006
