* [gentoo-user] Symlinking out of a chroot
From: Brian Davis @ 2006-11-12 14:56 UTC
To: gentoo-user
Hey folks,
I will be running my apache2 server in a chroot. Most of my data for the
server (e.g. pictures, user webpages) are on another partition from my
chroot. I don't want to move all that data into the apache chroot if I
don't have to. Therefore I would have soft symlinks from the chroot to
the data. Does this effectively make the chroot worthless?
Thanks!
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Symlinking out of a chroot
From: Daniel Iliev @ 2006-11-12 15:35 UTC
To: gentoo-user
Brian Davis wrote:
> Hey folks,
>
> I will be running my apache2 server in a chroot. Most of my data for
> the server (e.g. pictures, user webpages) are on another partition
> from my chroot. I don't want to move all that data into the apache
> chroot if I don't have to. Therefore I would have soft symlinks from
> the chroot to the data. Does this effectively make the chroot worthless?
>
> Thanks!
I'm not sure if it would work at all. If I were you I would make dirs
instead of symlinks and use "mount --bind".
HTH
--
Best regards,
Daniel
* Re: [gentoo-user] Symlinking out of a chroot
From: Shawn Haggett @ 2006-11-12 15:38 UTC
To: gentoo-user
Brian Davis wrote:
> Hey folks,
>
> I will be running my apache2 server in a chroot. Most of my data for the
> server (e.g. pictures, user webpages) are on another partition from my
> chroot. I don't want to move all that data into the apache chroot if I
> don't have to. Therefore I would have soft symlinks from the chroot to
> the data. Does this effectively make the chroot worthless?
>
> Thanks!
At a quick guess, I suspect the symlink will end up pointing to
something like, /link will be a symlink pointing to '../../blah', which
won't be valid inside the chroot. Or will point to '/var/www/mydata'
which again, won't be valid inside the chroot. However I don't have a
chroot environment here with which to test this. But basically the
symlink will be broken inside the chroot.
Shawn
* Re: [gentoo-user] Symlinking out of a chroot
From: Boyd Stephen Smith Jr. @ 2006-11-12 16:07 UTC
To: gentoo-user
On Sunday 12 November 2006 08:56, Brian Davis <bridavis@comcast.net> wrote
about '[gentoo-user] Symlinking out of a chroot':
> I will be running my apache2 server in a chroot. Most of my data for the
> server (e.g. pictures, user webpages) are on another partition from my
> chroot. I don't want to move all that data into the apache chroot if I
> don't have to. Therefore I would have soft symlinks from the chroot to
> the data.
You can't symlink out of a chroot. You can symlink into one. You can
hardlink in both directions.
Of course, in your case, I'd say your best option is probably mounting with
the bind option with symlinks within the chroot as needed.
--
"If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh
* Re: [gentoo-user] Symlinking out of a chroot
From: Hans-Werner Hilse @ 2006-11-12 16:23 UTC
To: gentoo-user
Hi,
On Sun, 12 Nov 2006 09:56:31 -0500
Brian Davis <bridavis@comcast.net> wrote:
> I will be running my apache2 server in a chroot. Most of my data for the
> server (e.g. pictures, user webpages) are on another partition from my
> chroot. I don't want to move all that data into the apache chroot if I
> don't have to. Therefore I would have soft symlinks from the chroot to
> the data. Does this effectively make the chroot worthless?
No, the links just wouldn't work. But you can
"mount --bind /source /chroot/target" them.
-hwh
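Added example (not part of the original thread): a user-space model of path lookup for a chrooted process, showing why both an absolute and a relative symlink pointing outside the jail dangle, and why the same link resolves once the data is visible below the jail root. The function names and the temporary directory layout are assumptions made for this illustration; it models the lookup rules and is not kernel code.

```python
import os
import tempfile

def _parts(p):
    return [c for c in p.split("/") if c not in ("", ".")]

def resolve_in_root(root, path, max_links=40):
    """Host path that `path` names for a process chrooted to `root`, or None."""
    root = os.path.realpath(root)
    cur, pending, links = root, _parts(path), 0
    while pending:
        comp = pending.pop(0)
        if comp == "..":
            if cur != root:              # ".." at the jail root stays at the root
                cur = os.path.dirname(cur)
            continue
        nxt = os.path.join(cur, comp)
        if os.path.islink(nxt):
            links += 1
            if links > max_links:
                return None              # symlink loop
            target = os.readlink(nxt)
            if target.startswith("/"):
                cur = root               # absolute target restarts at the jail root
            pending = _parts(target) + pending
        elif os.path.exists(nxt):
            cur = nxt
        else:
            return None                  # name does not exist inside the jail
    return cur

def demo():
    with tempfile.TemporaryDirectory() as host:      # constructed sample layout
        jail = os.path.join(host, "chroot")
        data = os.path.join(host, "stuff", "pics")   # data outside the jail
        os.makedirs(os.path.join(jail, "www"))
        os.makedirs(data)
        open(os.path.join(data, "a.jpg"), "w").close()
        os.symlink("/stuff/pics", os.path.join(jail, "www", "abs"))
        os.symlink("../../stuff/pics", os.path.join(jail, "www", "rel"))
        host_view = os.path.exists(os.path.join(jail, "www", "rel", "a.jpg"))
        before = [resolve_in_root(jail, p) for p in ("/www/abs/a.jpg", "/www/rel/a.jpg")]
        # Stand-in for `mount --bind`: the data now appears below the jail root.
        os.makedirs(os.path.join(jail, "stuff", "pics"))
        open(os.path.join(jail, "stuff", "pics", "a.jpg"), "w").close()
        after = resolve_in_root(jail, "/www/abs/a.jpg")
        return host_view, before, os.path.relpath(after, os.path.realpath(jail))

if __name__ == "__main__": print(demo())
```

The relative link works from the host (host_view is True) but not from inside the jail, because ".." cannot climb above the jail root.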
* Re: [gentoo-user] Symlinking out of a chroot
From: Alex @ 2006-11-13 11:04 UTC
To: gentoo-user
Hi,
On Sun, Nov 12, 2006 at 09:56:31AM -0500, Brian Davis wrote:
> Hey folks,
>
> I will be running my apache2 server in a chroot. Most of my data for the
> server (e.g. pictures, user webpages) are on another partition from my
> chroot. I don't want to move all that data into the apache chroot if I
> don't have to. Therefore I would have soft symlinks from the chroot to
> the data. Does this effectively make the chroot worthless?
>
I would suggest an alias for this ->
http://httpd.apache.org/docs/2.0/mod/mod_alias.html#alias
Aliases were made for this kind of problem (data were not in the
documentroot)
greetz
alex
--
* IMPORTANT: 217 config files in /etc need updating
* Re: [gentoo-user] Symlinking out of a chroot
From: Hans-Werner Hilse @ 2006-11-13 14:00 UTC
To: gentoo-user
Hi,
On Mon, 13 Nov 2006 12:04:51 +0100 Alex <alex@zengers.de> wrote:
> I would suggest an alias for this ->
> http://httpd.apache.org/docs/2.0/mod/mod_alias.html#alias
>
> Aliases were made for this kind of problem (data were not in the
> documentroot)
Yep, but they're not made for *this* exact kind of problem: Here, the
file isn't even in the accessible filesystem namespace.
BTW, I've always found it easier to manage a bunch of symlinks instead
of numerous .htaccess files. But again, in the OP's case neither works.
-hwh
* Re: [gentoo-user] Symlinking out of a chroot
From: Brian Davis @ 2006-11-13 14:51 UTC
To: gentoo-user
As they say, security comes at the cost of convenience (and storage in
this case), so I think the most secure solution is to just copy over the
data I need to publish to the chroot. I've given it thought, and I don't
want the potential apache hax0r to get to (and potentially delete) all
my original pictures/videos. The downside is that I'll probably have 90%
of them copied to the /chroot/www directory for publishing.
The mount --bind thing looked nice, but you can't change the mount
permissions from what those directories already have, i.e. if I have
/stuff/pics on a filesystem mounted rw, I can't then mount --bind it to
ro. At least that's what the man page says. If I could mount it to ro,
that might be a better alternative.
Thanks,
Brian
Hans-Werner Hilse wrote:
> Hi,
>
> On Mon, 13 Nov 2006 12:04:51 +0100 Alex <alex@zengers.de> wrote:
>
>
>> I would suggest an alias for this ->
>> http://httpd.apache.org/docs/2.0/mod/mod_alias.html#alias
>>
>> Aliases were made for this kind of problem (data were not in the
>> documentroot)
>>
>
> Yep, but they're not made for *this* exact kind of problem: Here, the
> file isn't even in the accessible filesystem namespace.
>
> BTW, I've always found it easier to manage a bunch of symlinks instead
> of numerous .htaccess files. But again, in the OP's case neither works.
>
> -hwh
>
* Re: [gentoo-user] Symlinking out of a chroot
From: Hans-Werner Hilse @ 2006-11-13 15:11 UTC
To: gentoo-user
Hi,
On Mon, 13 Nov 2006 09:51:33 -0500 Brian Davis <bridavis@comcast.net>
wrote:
> The mount --bind thing looked nice, but you can't change the mount
> permissions from what those directories already have, i.e. if I have
> /stuff/pics on a filesystem mounted rw, I can't then mount --bind it
> to ro. At least that's what the man page says. If I could mount it
> to ro, that might be a better alternative.
Not the "--bind" way, that's right. You could, however, do it with a
loopback'ed network fs mount. Depending on the usage scenario and
production stability needed, that might be an option.
BTW, if this data is valuable, you should have backups on different
media, but you certainly know that...
-hwh
* Re: [gentoo-user] Symlinking out of a chroot
From: Brian Davis @ 2006-11-13 15:24 UTC
To: gentoo-user
> Not the "--bind" way, that's right. You could, however, do it with a
> loopback'ed network fs mount.
Thanks Hans-Werner, I'll check that out!
* Re: [gentoo-user] Symlinking out of a chroot
From: Daniel Iliev @ 2006-11-13 17:34 UTC
To: gentoo-user
Brian Davis wrote:
> --snip---
>
> The mount --bind thing looked nice, but you can't change the mount
> permissions from what those directories already have, i.e. if I have
> /stuff/pics on a filesystem mounted rw, I can't then mount --bind it
> to ro. At least that's what the man page says. If I could mount it to
> ro, that might be a better alternative.
> --snip--
Well, you could make /stuff/pics writable only for its owner, not to the
apache user. For example:
    chown -R brian:root /stuff/pics
    # /stuff/pics and everything below is owned by brian and the root group
    chmod -R 644 /stuff/pics
    # /stuff/pics and everything below is writable to brian and readable to all
    find /stuff/pics -type d -exec chmod 755 {} \;
    # /stuff/pics and all dirs below are searchable to everyone
--
Best regards,
Daniel