# Apache2 and jailed users

## Acidgen

Hi everybody!

Have a quiz for y'all  :Wink: 

I have got apache2 outside of a jail (chrooted env), in the main system that is.

All users are jailed to /home/jail (with, of course, their home dirs, e.g. /home/jail/home/USER).

I can't seem to get Apache to point to their /home/jail/home/*/public_html

Rechecked all perms, still get access denied. I have tried vhosts, I have tried changing the Apache main conf (the /home/*/public_html).

I have tried symlinking in both directions, still problems.

Now, any solutions, or do I REALLY have to jail Apache? The whole point is that they aren't supposed to be able to reach Apache, of course, or any other vital component. So what's the deal if I chroot everything (apache2, mysql etc.) to /home/jail? If they hack the jail, then they will bring down Apache.

I just want the suckers to create their own homepages in their public_html.

Please, give me some ideas here.

-- Lucas

----------

## Acidgen

No gurus around, heh?

----------

## j-m

Post your Apache configuration - relevant parts only, comments stripped...

----------

## Acidgen

How do I know what's relevant or not when I don't know what the problem is, since every other dir I point the user homes' public_html to is alright,

even /tmp/public_html  :Very Happy: 

Anyway, here's the HUGE commonapache.conf

```
User apache
Group apache
ServerAdmin root@localhost
#DocumentRoot /var/www/localhost/htdocs

<Directory />
    Options -All -Multiviews
    AllowOverride None
    <IfModule mod_access.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>

<IfModule mod_dir.c>
    DirectoryIndex index.html index.html.var index.php index.php3 index.shtml index.cgi index.pl index.htm Default.htm default.htm
</IfModule>

AccessFileName .htaccess
<IfModule mod_access.c>
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>
</IfModule>

UseCanonicalName On

<IfModule mod_mime.c>
    TypesConfig conf/mime.types
</IfModule>

DefaultType text/plain

<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off
EnableMMAP on

<IfModule mod_log_config.c>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script
    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost
    <IfModule mod_logio.c>
        # You need to enable mod_logio.c to use %I and %O
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
</IfModule>

ServerTokens Full
ServerSignature On

<IfModule mod_alias.c>
    Alias /tinki /home/giota/public_html/tinki
    ScriptAlias /cgi-bin/ /var/www/localhost/cgi-bin/
    ScriptAlias /protected-cgi-bin/ /var/www/localhost/protected-cgi-bin/
    ScriptAliasMatch ^/~([^/]*)/cgi-bin/(.*) /home/$1/public_html/cgi-bin/$2
    <IfModule mod_perl.c>
        #Provide two aliases to the same cgi-bin directory,
        #to see the effects of the 2 different mod_perl modes
        #for Apache::Registry Mode
        Alias /perl/ /var/www/localhost/perl/
        #for Apache::Perlrun Mode
        Alias /cgi-perl/ /var/www/localhost/perl/
    </IfModule>
</IfModule>

<IfModule mod_autoindex.c>
    IndexOptions FancyIndexing VersionSort NameWidth=*
    AddIconByEncoding (CMP,/icons/compressed.png) x-compress x-gzip
    AddIconByType (TXT,/icons/text.png) text/*
    AddIconByType (IMG,/icons/image2.png) image/*
    AddIconByType (SND,/icons/sound2.png) audio/*
    AddIconByType (VID,/icons/movie.png) video/*
    AddIcon /icons/binary.gif .bin .exe
    AddIcon /icons/binhex.gif .hqx
    AddIcon /icons/tar.gif .tar
    AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
    AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip .bz2
    AddIcon /icons/a.gif .ps .ai .eps
    AddIcon /icons/layout.gif .html .shtml .htm .pdf
    AddIcon /icons/text.gif .txt
    AddIcon /icons/c.gif .c
    AddIcon /icons/p.gif .pl .py .php .php3
    AddIcon /icons/f.gif .for
    AddIcon /icons/dvi.gif .dvi
    AddIcon /icons/uuencoded.gif .uu
    AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
    AddIcon /icons/tex.gif .tex
    AddIcon /icons/bomb.gif core
    AddIcon /icons/back.gif ..
    AddIcon /icons/hand.right.gif README
    AddIcon /icons/folder.gif ^^DIRECTORY^^
    AddIcon /icons/blank.gif ^^BLANKICON^^
    DefaultIcon /icons/unknown.gif
    ReadmeName README.html
    HeaderName HEADER.html
    IndexIgnore .??* *~ *# HEADER* RCS CVS *,v *,t
</IfModule>

<IfModule mod_mime.c>
    AddEncoding x-compress Z
    AddEncoding x-gzip gz tgz
    AddLanguage ca .ca
    AddLanguage cz .cz
    AddLanguage da .dk
    AddLanguage de .de
    AddLanguage el .el
    AddLanguage en .en
    AddLanguage es .es
    AddLanguage et .ee
    AddLanguage fr .fr
    AddLanguage he .he
    AddLanguage hr .hr
    AddLanguage it .it
    AddLanguage ja .ja
    AddLanguage ko .ko
    AddLanguage kr .kr
    AddLanguage ltz .ltz
    AddLanguage ltz .lu
    AddLanguage nl .nl
    AddLanguage nn .nn
    AddLanguage no .no
    AddLanguage pl .po
    AddLanguage pt-br .pt-br
    AddLanguage pt .pt
    AddLanguage ru .ru
    AddLanguage sv .se
    AddLanguage tw .tw
    AddLanguage zh-tw .tw
    AddDefaultCharset ISO-8859-1
    <IfModule mod_negotiation.c>
        LanguagePriority en fr de es it da nl et el ja kr no pl pt pt-br ru ltz ca sv tw
    </IfModule>
    <IfModule mod_negotiation.c>
        ForceLanguagePriority Prefer Fallback
    </IfModule>
    AddCharset ISO-8859-1  .iso8859-1  .latin1
    AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
    AddCharset ISO-8859-3  .iso8859-3  .latin3
    AddCharset ISO-8859-4  .iso8859-4  .latin4
    AddCharset ISO-8859-5  .iso8859-5  .latin5 .cyr .iso-ru
    AddCharset ISO-8859-6  .iso8859-6  .latin6 .arb
    AddCharset ISO-8859-7  .iso8859-7  .latin7 .grk
    AddCharset ISO-8859-8  .iso8859-8  .latin8 .heb
    AddCharset ISO-8859-9  .iso8859-9  .latin9 .trk
    AddCharset ISO-2022-JP .iso2022-jp .jis
    AddCharset ISO-2022-KR .iso2022-kr .kis
    AddCharset ISO-2022-CN .iso2022-cn .cis
    AddCharset Big5        .Big5       .big5
    AddCharset WINDOWS-1251 .cp-1251   .win-1251
    AddCharset CP866       .cp866
    AddCharset KOI8-r      .koi8-r .koi8-ru
    AddCharset KOI8-ru     .koi8-uk .ua
    AddCharset ISO-10646-UCS-2 .ucs2
    AddCharset ISO-10646-UCS-4 .ucs4
    AddCharset UTF-8       .utf8
    AddCharset GB2312      .gb2312 .gb
    AddCharset utf-7       .utf7
    AddCharset utf-8       .utf8
    AddCharset big5        .big5 .b5
    AddCharset EUC-TW      .euc-tw
    AddCharset EUC-JP      .euc-jp
    AddCharset EUC-KR      .euc-kr
    AddCharset shift_jis   .sjis
    AddType application/x-tar .tgz
    AddType image/x-icon .ico
    AddHandler cgi-script .cgi
    AddHandler type-map var
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    AddHandler imap-file map
</IfModule>

# End of document types.

#    Alias /error/ "/var/www/localhost/error/"
#
#    <Directory "/var/www/localhost/error">
#        AllowOverride None
#        Options IncludesNoExec
#        AddOutputFilter Includes html
#        AddHandler type-map var
#        Order allow,deny
#        Allow from all
#        LanguagePriority en es de fr sv
#        ForceLanguagePriority Prefer Fallback
#    </Directory>
#
#    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
#    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
#    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
#    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
#    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
#    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
#    ErrorDocument 410 /error/HTTP_GONE.html.var
#    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
#    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
#    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
#    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
#    ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var
#    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
#    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
#    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
#    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
#    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
#ErrorDocument 500 "The server made a boo boo."

<Location /manual>
    Options Multiviews
    ErrorDocument 404 "The document you requested has not been installed on your system."
</Location>

<IfModule mod_setenvif.c>
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0
    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
    BrowserMatch "^WebDrive" redirect-carefully
    BrowserMatch "^gnome-vfs" redirect-carefully
    BrowserMatch "^WebDAVFS" redirect-carefully
</IfModule>

<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        <IfModule mod_access.c>
            Order deny,allow
            Deny from all
            allow from 127.0.0.1
            #Allow from .your_domain.com
        </IfModule>
    </Location>
</IfModule>

<IfModule mod_info.c>
    <Location /server-info>
        SetHandler server-info
        <IfModule mod_access.c>
            Order deny,allow
            Deny from all
            allow from 127.0.0.1
            #Allow from .your_domain.com
        </IfModule>
    </Location>
</IfModule>

<IfModule mod_perl.c>
    <Location /perl-status>
        SetHandler perl-script
        <IfDefine MODPERL2>
            PerlResponseHandler Apache::Status
        </IfDefine>
        <IfDefine !MODPERL2>
            PerlResponseHandler ModPerl::Status
        </IfDefine>
        <IfModule mod_access.c>
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </IfModule>
    </Location>
</IfModule>

<IfModule mod_include.c>
#    XBitHack on
</IfModule>

<IfModule mod_deflate.c>
    <Directory "/var/www/localhost/htdocs/manual">
        AddOutputFilterByType DEFLATE text/html
    </Directory>
</IfModule>

<Directory /var/www/localhost/htdocs>
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride All
    <IfModule mod_access.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

<Directory /var/www/localhost/perl>
    AllowOverride All
    Options -Indexes FollowSymLinks MultiViews ExecCGI
    <IfModule mod_access.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

<IfModule mod_cgid.c>
#    Scriptsock /cgisock
</IfModule>

<Directory /var/www/localhost/cgi-bin>
    AllowOverride All
    Options ExecCGI
    <IfModule mod_access.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

<Directory /var/www/localhost/protected-cgi-bin>
    AllowOverride All
    Options ExecCGI
    <IfModule mod_access.c>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        #allow from .your_domain.com
    </IfModule>
</Directory>

#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS PROPFIND>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS PROPFIND>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>

###
### These settings are pretty flexible, and allow for Frontpage and XSSI
###
<Directory /home/jail/home*/public_html>
    AllowOverride All
    Options MultiViews -Indexes Includes FollowSymLinks
    <IfModule mod_access.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

<Directory /home/jail/home/*/public_html/cgi-bin>
    Options +ExecCGI -Includes -Indexes
    SetHandler cgi-script
</Directory>

<IfModule mod_perl.c>
    <Directory /home/jail/home/*/public_html/perl>
        SetHandler perl-script
        PerlResponseHandler ModPerl::PerlRun
        Options -Indexes ExecCGI
        <IfDefine MODPERL2>
            PerlOptions +ParseHeaders
        </IfDefine>
        <IfDefine !MODPERL2>
            PerlSendHeader On
        </IfDefine>
    </Directory>
</IfModule>

<Directory /var/www/localhost/icons>
    Options -Indexes MultiViews
    AllowOverride None
    <IfModule mod_access.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

<Directory /usr/share/doc>
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html
    </IfModule>
    Options Indexes FollowSymLinks
    <IfModule mod_access.c>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        #allow from .your_domain.com
    </IfModule>
</Directory>

<Location /index.shtml>
    Options +Includes
</Location>

<IfModule mod_perl.c>
    PerlModule Apache2::ModPerl::Registry
    <Location  "^/perl/*.pl>
        SetHandler perl-script
        <IfDefine MODPERL2>
            PerlResponseHandler Apache2::ModPerl::Registry
        </IfDefine>
        <IfDefine !MODPERL2>
            PerlResponseHandler ModPerl::Registry
        </IfDefine>
        Options -Indexes ExecCGI
        PerlSendHeader On
    </Location>
    <Location /cgi-perl/*.pl>
        SetHandler perl-script
        PerlResponseHandler ModPerl::PerlRun
        Options -Indexes ExecCGI
        PerlSendHeader On
    </Location>
</IfModule>

<IfModule mod_alias.c>
    AliasMatch ^/manual(?:/(?:de|en|fr|ja|ko|ru))?(/.*)?$ "/var/www/localhost/htdocs/manual/$1"
</IfModule>

<Directory "/var/www/localhost/htdocs/manual">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
    <Files *.html>
        SetHandler type-map
    </Files>
    SetEnvIf Request_URI ^/manual/de/ prefer-language=de
    SetEnvIf Request_URI ^/manual/en/ prefer-language=en
    SetEnvIf Request_URI ^/manual/fr/ prefer-language=fr
    SetEnvIf Request_URI ^/manual/ja/ prefer-language=ja
    SetEnvIf Request_URI ^/manual/ko/ prefer-language=ko
    SetEnvIf Request_URI ^/manual/ru/ prefer-language=ru
    RedirectMatch 301 ^/manual(?:/(de|en|fr|ja|ko|ru)){2,}(/.*)?$ /manual/$1$2
</Directory>
```

Commented out as much irrelevant stuff as possible.

Hope you can give me some hints, or at least something.

Ever got it to work yourself?

-- Lucas

----------

## j-m

Just a quick glance - this does not seem correct. 

```
<Directory /home/jail/home*/public_html>
```

----------

## Acidgen

Sorry for the typo in the config above, since I had to do some editing. There is a /home/jail/home/*/ instead of the typo, of course.

A lot of editing to do  :Very Happy: 

----------

## j-m

Also, I cannot see DocumentRoot set anywhere...

----------

## Acidgen

DocumentRoot is almost the first thing in the config  :Very Happy: 

Top line. Though IRL (my server) it's not commented  :Very Happy: 

It works if I "ln -s /home/jail/home/JAILEDUSER/public_html /var/www/localhost/htdocs"

and do a

http://myserver/public_html

for example, that is...

-- lucas

----------

## j-m

 *Acidgen wrote:*   

> DocumentRoot is almost the first thing in the config 
> 
> Top line. Though IRL (my server) it's not commented 

Please, we cannot help you like this. Remove the typos or, better, paste it as it is; I am just wasting my time.  :Sad:  Two errors found, two cut'n'paste typos you say.

 *Acidgen wrote:*   

> It works if I "ln -s /home/jail/home/JAILEDUSER/public_html /var/www/localhost/htdocs"

That means that you have DocumentRoot (re)defined in another configuration file.

----------

## Acidgen

Problem solved.

Not in the Apache config, though in the users' $homedir pointing to /home/jail in the jailed env.

--Lucas

----------

## j-m

 *Acidgen wrote:*   

> Problem solved.
> 
> Not in the Apache config, though in the users' $homedir pointing to /home/jail in the jailed env.

Could you clarify this? It does not make sense; you said

 *Acidgen wrote:*   

> I have got apache2 outside of a jail

in your first post. So are you saying that Apache wants the chrooted paths, not normal ones?  :Confused:   :Question: 

----------

## Acidgen

The thing is:

I want my services in the main system, outside of the chroot jail,

and users can put webpages in their /var/chroot/home/USER/public_html

and it will be displayed by Apache2 (apache2 binaries which reside outside of the jail). So,

instead of /home/*/public_html as in normal cases, it uses /var/chroot/home/*/public_html.

Users are locked out and cannot touch or see the Apache conf nor anything that has to do with a webserver.

Still one problem though; Apache works fine.

BUT I also have vsftp outside of the jail, and I want vsftp to keep them in their chrooted home dir. But vsftp uses the /etc/passwd file

for pointing to the users' homedir, which in this case is handled by the /usr/sbin/jail program and a bogus home. I'll show you   :Wink: 

```
todde:x:1003:100::/var/jail/users:/usr/bin/jail
                  (BOGUS HOME)    (JAIL PRG)
```

As above, taken from the passwd, you see that I have a chroot jail in /var/jail/users,

which also happens to be user "todde"'s home dir. The "REAL" home is handled by /usr/bin/jail, which reads

/var/jail/users/etc/passwd, where the real user home is pointed.

Then you say... why don't you change YOUR passwd so that instead of 

```
todde:x:1003:100::/var/jail/users:/usr/bin/jail
```

it uses

```
todde:x:1003:100::/var/jail/users/home/todde:/usr/bin/jail
```

Well, THEN when the users try to connect, it says:

```
jail: chrooted directory /var/jail/users/home/user3 is not configuredfor jail (bad passwd file); bailing out.
```

I hope you can understand, and that it's not all that cryptic  :Very Happy: 

-- Lucas

----------
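The two-level lookup Lucas describes in his last post (host passwd says "home = jail root, shell = jail program"; the passwd inside the jail holds the real home) is what decides where Apache, running outside the jail, has to look for a user's public_html, and it also explains the "not configured for jail (bad passwd file)" error he gets when the host home field is pointed inside the jail. The following is an added example modelling that resolution; it is not code from the thread and not the /usr/bin/jail program itself. All passwd entries in it are constructed sample data, and the assumption that the jail program looks for `<jailroot>/etc/passwd` is taken from what the post states.

```python
"""Model of the two-level passwd lookup a chroot-jail wrapper performs.

Added example, not code from the thread and not the /usr/bin/jail program
itself. It models what the thread describes: on the host, the user's home
field names the jail root and the shell field names the jail program; the
real home lives in <jailroot>/etc/passwd. Every passwd line below is
constructed sample data.
"""
from pathlib import PurePosixPath

# Constructed host /etc/passwd: the thread's "todde" line, a "user3" line
# whose home wrongly points inside the jail, and one unjailed account.
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
todde:x:1003:100::/var/jail/users:/usr/bin/jail
user3:x:1004:100::/var/jail/users/home/user3:/usr/bin/jail
"""

# Constructed contents of the passwd file inside the jail, keyed by the
# path the host sees; only the real jail root has one.
JAIL_PASSWD = {
    "/var/jail/users/etc/passwd": """\
todde:x:1003:100::/home/todde:/bin/bash
user3:x:1004:100::/home/user3:/bin/bash
""",
}

JAIL_SHELL = "/usr/bin/jail"  # assumed: the shell field marks a jailed account


class JailConfigError(Exception):
    """The host entry does not point at a directory set up as a jail root."""


def parse_passwd(text):
    """Parse passwd-format text into {user: (uid, gid, home, shell)}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        entries[name] = (int(uid), int(gid), home, shell)
    return entries


def resolve_home(user, host_passwd=HOST_PASSWD, jail_files=JAIL_PASSWD):
    """Return (jail_root, home_inside_jail, home_as_seen_from_host).

    jail_root is None for an unjailed account. For a jailed account the
    host home must be the jail root and <jailroot>/etc/passwd must list
    the user again; anything else is the "not configured for jail (bad
    passwd file)" situation from the thread.
    """
    entry = parse_passwd(host_passwd).get(user)
    if entry is None:
        raise KeyError(user)
    _uid, _gid, host_home, shell = entry
    if shell != JAIL_SHELL:
        return None, host_home, host_home
    jail_root = host_home
    inner_passwd = str(PurePosixPath(jail_root) / "etc" / "passwd")
    if inner_passwd not in jail_files:
        # Home field points somewhere that is not a jail root.
        raise JailConfigError(f"{jail_root}: no etc/passwd, not a jail root")
    inner = parse_passwd(jail_files[inner_passwd]).get(user)
    if inner is None:
        raise JailConfigError(f"{user}: not listed in {inner_passwd}")
    inner_home = inner[2]
    # The host-side view is the jail root with the inner home appended.
    host_view = str(PurePosixPath(jail_root) / inner_home.lstrip("/"))
    return jail_root, inner_home, host_view


def is_jail_configured(user, **kw):
    """True when the host entry for user resolves through a real jail root."""
    try:
        resolve_home(user, **kw)
    except JailConfigError:
        return False
    return True


def public_html_for(user, **kw):
    """The path Apache, running outside the jail, must serve for ~user."""
    _root, _inner, host_view = resolve_home(user, **kw)
    return str(PurePosixPath(host_view) / "public_html")


if __name__ == "__main__":
    for name in ("root", "todde", "user3"):
        if is_jail_configured(name):
            print(name, "->", public_html_for(name))
        else:
            print(name, "-> bad passwd file (home is not a jail root)")
```

Running it maps todde to /var/jail/users/home/todde/public_html and flags user3 as misconfigured, which is the path pair the thread ends up with. On the Apache side, mod_userdir's UserDir directive accepts a pattern in which `*` is replaced by the username (UserDir /var/chroot/home/*/public_html), so the jail-relative form can be given directly rather than symlinking each public_html into the DocumentRoot; whichever way it is reached, the matching Directory block should use SymLinksIfOwnerMatch rather than FollowSymLinks so a jailed user cannot publish a link to files outside their own tree.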

