Re: Web mail
openwebmail is cool in that it is file compatible with pine, i.e.
uses the same folder system etc. so you can switch back and forth.
but it is a mass of perl running suid. why not just use a gun to
shoot yourself? i had a conversation about this with bellovin, cheswick,
and vidrine (freebsd security). jacques suggested the appended hack i
have not tested.
randy
----
Date: Wed, 31 Jul 2002 09:15:34 -0500
From: "Jacques A. Vidrine" <n at nectar.cc>
To: Randy Bush <randy at psg.com>
On FreeBSD, I use this quick hack with apache+mod_ssl. Better than
nothing. /etc/http-jail.conf is three lines, looks like this:
/home/www
gw.nectar.cc
208.42.49.153
Let's see if I can recall how I set this up.
I believe I did
# cd /usr/ports/www/apache13+mod_ssl
# make patch
# (cd `make -V .WRKSRC` && patch -s) < /some/path/http-jail.patch
# make install
Then something like this...
# mkdir -p /home/www/tmp /home/www/dev /home/www/var/log /home/www/etc
# (cd /home/www/dev && sh /dev/MAKEDEV std)
# chmod 1777 /home/www/tmp
# pkg_info -qL apache+mod_ssl\* | sed 's;^/;;g' | (cd / && cpio -o) | \
(cd /home/www && cpio -idm)
I forget how I determined what needed to go in /usr/lib ... probably a
combination of `ldd' and trial & error. One also has to set up a few
things in etc and so forth. I could email you the approx. 900 line
listing of the files in my jail'd apache installation if it would be
helpful.
Cheers,
--
Jacques A. Vidrine <n at nectar.cc> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine at verio.net . nectar at FreeBSD.org . nectar at kth.se
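The three-line /etc/http-jail.conf format above (jail root, hostname, IPv4 address, one value per line) is what the appended patch reads before calling jail(2). The following is an added example, written for this archive page and not taken from Jacques' mail or his patch: a stricter parser for that format that checks the file has all three lines, that the path is absolute and that the address is a well-formed dotted quad, and that closes the file before the caller enters the jail. It stops short of the FreeBSD-only jail(2) call so it compiles on any POSIX system; the names struct jail_conf, parse_jail_conf, parse_jail_conf_file and the size limits are this example's own assumptions.

```c
/* Added example (not from the mail or the patch): strict parser for the
 * three-line http-jail.conf format: path, hostname, IPv4 address.  On
 * FreeBSD the caller would copy the results into struct jail and call
 * jail(2); that call is left out so this builds anywhere. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define FIELD_MAX 256   /* assumed maximum length of one config field */
#define CONF_MAX  4096  /* assumed maximum size of the whole config file */

struct jail_conf {
    char path[FIELD_MAX];      /* absolute jail root, e.g. /home/www */
    char hostname[FIELD_MAX];  /* hostname the jailed process will see */
    uint32_t ip_host_order;    /* IPv4 address in host byte order, as jail(2) wants it */
};

/* Copy the first whitespace-separated token of the next line in *cursor to
 * out (the rule the patch's strsep(&p, " \t\n") applies) and advance *cursor
 * past that line.  A final line without '\n' is used in full. */
static int next_field(const char **cursor, char *out, size_t outlen, const char *what)
{
    const char *s = *cursor;
    if (*s == '\0') {
        fprintf(stderr, "http-jail.conf: missing %s line\n", what);
        return -1;
    }
    const char *eol = strchr(s, '\n');
    size_t linelen = eol ? (size_t)(eol - s) : strlen(s);
    *cursor = eol ? eol + 1 : s + linelen;

    size_t i = 0;
    while (i < linelen && (s[i] == ' ' || s[i] == '\t')) i++;   /* leading blanks */
    size_t start = i;
    while (i < linelen && s[i] != ' ' && s[i] != '\t' && s[i] != '\r') i++;
    size_t toklen = i - start;
    if (toklen == 0) {
        fprintf(stderr, "http-jail.conf: empty %s line\n", what);
        return -1;
    }
    if (toklen >= outlen) {
        fprintf(stderr, "http-jail.conf: %s too long\n", what);
        return -1;
    }
    memcpy(out, s + start, toklen);
    out[toklen] = '\0';
    return 0;
}

/* Parse config text.  Returns 0 and fills *jc, or -1 with a message on stderr. */
int parse_jail_conf(const char *text, struct jail_conf *jc)
{
    char ipbuf[FIELD_MAX];
    struct in_addr addr;
    const char *cursor = text;

    memset(jc, 0, sizeof *jc);
    if (next_field(&cursor, jc->path, sizeof jc->path, "path") < 0)
        return -1;
    if (jc->path[0] != '/') {   /* a jail root must be an absolute path */
        fprintf(stderr, "http-jail.conf: path must be absolute: %s\n", jc->path);
        return -1;
    }
    if (next_field(&cursor, jc->hostname, sizeof jc->hostname, "hostname") < 0)
        return -1;
    if (next_field(&cursor, ipbuf, sizeof ipbuf, "IP address") < 0)
        return -1;
    /* inet_pton rejects the abbreviated forms inet_aton accepts, e.g. "10.1" */
    if (inet_pton(AF_INET, ipbuf, &addr) != 1) {
        fprintf(stderr, "http-jail.conf: invalid IP address: %s\n", ipbuf);
        return -1;
    }
    jc->ip_host_order = ntohl(addr.s_addr);
    return 0;
}

/* Read the file into a bounded buffer and parse it.  The file is closed
 * before returning so no descriptor from outside the jail root stays open
 * once the caller enters the jail. */
int parse_jail_conf_file(const char *filename, struct jail_conf *jc)
{
    char buf[CONF_MAX];
    FILE *fp = fopen(filename, "r");
    if (fp == NULL) {
        perror(filename);
        return -1;
    }
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return parse_jail_conf(buf, jc);
}

int main(void)
{
    /* constructed sample: the same three values the mail shows */
    static const char sample[] = "/home/www\ngw.nectar.cc\n208.42.49.153\n";
    struct jail_conf jc;
    if (parse_jail_conf(sample, &jc) < 0)
        return 1;
    printf("path=%s hostname=%s ip=0x%08x\n", jc.path, jc.hostname, (unsigned)jc.ip_host_order);
    return 0;
}
```

A caller on FreeBSD would run parse_jail_conf_file("/etc/http-jail.conf", &jc) while still root, copy jc.path, jc.hostname and jc.ip_host_order into struct jail, call jail(2), and only then drop privileges to the server's unprivileged user; reading the config through a bounded buffer rather than a macro that exits on every error also lets the server report a bad config before it has forked or detached.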
--- src/main/http_main.c.orig Sun Jul 22 11:42:35 2001
+++ src/main/http_main.c Sun Jul 22 12:22:27 2001
at at -312,6 +312,9 at at
static pid_t pgrp;
#endif
+#include <sys/jail.h>
+static void goto_jail(void);
+
/* one_process --- debugging mode variable; can be set from the command line
* with the -X flag. If set, this gets you the child_main loop running
* in the process which originally started up (no detach, no make_child),
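Review bot: the new `#include <sys/jail.h>` on its own does not cover what goto_jail() uses: the third hunk calls inet_aton(), ntohl(), fgetln() and strsep(), which are declared in <arpa/inet.h>, <stdio.h> and <string.h>, so unless http_main.c already pulls those in the build will depend on implicit declarations. The jail(2) manual page also lists <sys/param.h> ahead of <sys/jail.h>. Suggest adding `#include <sys/param.h>` and `#include <arpa/inet.h>` next to the jail header, and a one-line comment on the goto_jail prototype saying that the server confines itself according to /etc/http-jail.conf before any argument is parsed.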
at at -4963,6 +4966,7 at at
int sock_out;
char *s;
+ goto_jail();
#ifdef SecureWare
if (set_auth_parameters(argc, argv) < 0)
perror("set_auth_parameters");
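Review bot: goto_jail() is called as the first thing in main(), before options and httpd.conf are read, so every path the server touches afterwards (the -f config file, DocumentRoot, log files, loaded modules) resolves under the jail root, and even `httpd -t` or `-v` needs root plus a complete jail tree to get past this line; that should be documented next to the call. It would also help to check geteuid() == 0 before jail(2) and print a clear message, since a non-root start otherwise dies with the bare "jail: Operation not permitted" from the perror in goto_jail().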
at at -7487,3 +7491,58 at at
}
#endif /* USE_EXPAT */
+static void
+goto_jail(void) {
+ struct jail j;
+ FILE *fp;
+ size_t n;
+ char *p, *q;
+
+ j.version = 0;
+ j.path = NULL;
+ j.hostname = NULL;
+ j.ip_number = NULL;
+
+ if ((fp = fopen("/etc/http-jail.conf", "r")) == NULL) {
+ perror("can't read /etc/http-jail.conf");
+ exit(1);
+ }
+
+#define getline(x) do { \
+if ((p = fgetln(fp, &n)) == NULL) { \
+ fprintf(stderr, "couldn't parse %s\n", (x)); \
+ exit(1); \
+} \
+if ((q = malloc(n)) == NULL) { \
+ perror("malloc"); \
+ exit(1); \
+} \
+memcpy(q, p, n); \
+p = q; \
+p[n-1] = '\0'; \
+strsep(&p, " \t\n"); \
+} while(0)
+
+ getline("path");
+ j.path = q;
+ getline("hostname");
+ j.hostname = q;
+ getline("IP address");
+
+ if (inet_aton(q, (struct in_addr *)&j.ip_number) == 0) {
+ fprintf(stderr, "invalid IP address %s\n", q);
+ exit(1);
+ }
+ j.ip_number = ntohl(j.ip_number);
+
+ fprintf(stderr, "jail %s %s %s\n", j.path, j.hostname, q);
+ if (jail(&j) < 0) {
+ perror("jail");
+ exit(1);
+ }
+ free(j.path);
+ free(j.hostname);
+ free(q);
+
+#undef getline
+}
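Review bot: fp is never closed, so the descriptor on /etc/http-jail.conf, a file outside the jail, stays open in the confined server; add fclose(fp) before jail(&j). Three smaller points in the same function: `p[n-1] = '\0'` assumes every line ends in a newline, so a last line without one loses its final character (fgetln's length includes the newline only when there is one); the macro name getline is also the name of a standard stdio function on later systems, so a name like read_field avoids confusion with the #undef; and inet_aton accepts abbreviated addresses such as "10.1", so inet_pton(AF_INET, ...) would reject malformed config values more strictly.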
-----
This is the afnog mailing list, managed by Majordomo 1.94.5