[OpenBSDsupport]

Running News From A Chroot Jail. e107 and OpenBSD 3.5


Abstract
This article explains the steps needed to run the e107 CMS software on an OpenBSD 3.5 machine running Apache 1.3.29. Not incredibly interesting, you might say. However, OpenBSD's version of Apache is completely imprisoned inside a chroot jail, so there can be communication problems with both PHP and MySQL.

This document attempts to explain this process.


The whole *BSD family is well known for stability and security. OpenBSD 3.5, as one of its children, claims to be "Secure by Default", since the development team puts an extreme amount of effort into hardening every piece of code. One of these practices is locking the base install of the Apache web server into a chroot jail. You can read more about this here.

What this means is that once the web server is started it only has access to files and directories inside its jail. Nothing outside can be reached by lower-privileged users (for instance the 'www' user, which Apache runs as).

This, of course, provides a great level of security since you can't "accidentally" provide sensitive data to the world, such as "/etc/passwd" or similar things.

On the other hand, such restrictions make the installation of a powerful content management system, such as e107, a bit tricky. However, it can be done.

One note of interest: chroot isn't unique to OpenBSD, so many readers may find that this article adapts to their systems as well.

So, what do we need to install e107 on OpenBSD?

  I. OpenBSD 3.5 (http://www.openbsd.org)
  II. e107 v0.615 (http://www.e107.org)

I. OpenBSD 3.5

Installing OpenBSD and configuring your web server is well documented in the Official OpenBSD FAQ found here.

There are also some good books that can assist you with this process. Once your system is set up, it is time to install the components needed to run e107.

Just use pkg_add to install the required packages. If you want to learn more about pkg_add (which is encouraged) read up in the man page (man pkg_add).

Here are the two packages to add:

  $> pkg_add -v mysql-server-4.0.18p1
  $> pkg_add -v php4-core-4.3.5RC3
(After installing the php4-core package you will see some messages. Follow these.)
  $> pkg_add -v php4-mysql-4.3.5RC3
  $> /usr/local/sbin/phpxs -a mysql

The Apache web server is part of the default installation and should be on the system already.

Make sure you edit /etc/rc.conf.local to start httpd (the web server) by adding this line:
httpd_flags=""

You also need to make sure that the MySQL database software is running and working. You can do this by running either top(1) or ps(1). You could also create a small PHP script to test the system; this will also tell you whether the web server is working.

As already stated OpenBSD puts Apache in a chroot jail. The default base directory for that prison is:

/var/www

Everything that is provided with Apache _HAS_ to be underneath that directory, or else you will find things not working so great. Even the log files are placed under this jail.

/var/www/log/access_log
/var/www/log/error_log

Apache stores its temporary files in:

/var/www/tmp

If you wish to serve CGI pages, then all needed libraries must be placed in the chroot as if it were the real filesystem. From Apache's point of view it IS the real filesystem.

If everything is running correctly so far, and please make sure it is, we can proceed to step II.


II. e107

Installing e107 is pretty straightforward. All you need to do is place it somewhere under your website's directory:

/var/www/htdocs/yoursite

and set the correct file permissions for the files. Make sure you read through the e107 docs; they will help a lot. The next step in a normal e107 install procedure would be to point your browser to:

http://host/yoursite

and go on with the web-driven installation. What? It isn't working? How can this be, you tested everything! Well, that is the beautiful thing about running things in a chroot jail: there is always something that isn't in the right location in the prison. Since Apache is locked away, it can't talk to the database software, MySQL. The default install doesn't automatically place MySQL inside Apache's jail, so currently it is impossible for the two to even communicate. You need to move the communication file:

/var/run/mysql/mysql.sock

To make Apache happy we have to place this special file inside the jail. This can be done on startup using your handy rc.local file.


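/etc/rc.local
if [ -x /usr/local/bin/mysqld_safe ]; then
    echo -n " mysqld"
    # Start in the background; otherwise rc.local waits here until mysqld exits.
    /usr/local/bin/mysqld_safe --user=_mysql --log=/var/log/mysqld &
    # Give mysqld time to create its socket.
    sleep 4
    # The socket's directory must exist inside the jail.
    mkdir -p /var/www/var/run/mysql
    # Remove any stale link left over from the previous start.
    rm -f /var/www/var/run/mysql/mysql.sock
    ln /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
fi
NOTE: For more options that you can use with MySQL, please see the documentation.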

We create a so-called "hard link" into the jail so Apache can see and use MySQL. Now you should be able to finish the installation of e107.
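
The hard link goes stale whenever mysqld restarts, because the server recreates its socket under a new inode while the name in the jail still points at the old one. As an added example (not part of the original article; the function name is hypothetical), this function re-creates the link only when it is missing or stale. It accepts any existing file in place of a socket so it can be tried on scratch paths.

```shell
#!/bin/sh
# Added example: keep the hard link to the MySQL socket inside the Apache
# jail current. relink_socket is a hypothetical name; the default paths are
# the ones used in the article.

# relink_socket [REAL [JAILED]]
# Prints "ok" if JAILED already is the same file as REAL, "linked" if the
# link was (re)created, "missing" or "ln-failed" (with return 1) otherwise.
relink_socket() {
    real=${1:-/var/run/mysql/mysql.sock}
    jailed=${2:-/var/www/var/run/mysql/mysql.sock}

    # mysqld has not created its socket (yet): nothing to link to.
    [ -e "$real" ] || { echo "missing"; return 1; }

    # -ef is true only when both names refer to the same device and inode.
    if [ "$jailed" -ef "$real" ]; then
        echo "ok"
        return 0
    fi

    # Absent or stale link: make sure the directory exists in the jail,
    # drop the old name and link the current socket.
    mkdir -p "$(dirname "$jailed")" || return 1
    rm -f "$jailed"
    # A hard link cannot cross filesystems, so this fails if /var/www is
    # its own partition. A symlink is no substitute: its target would be
    # resolved inside the chroot, where /var/run/mysql does not exist.
    ln "$real" "$jailed" || { echo "ln-failed"; return 1; }
    echo "linked"
}
```

Call `relink_socket` from /etc/rc.local after the `sleep`, and again from whatever restarts mysqld later.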

So, let's assume your shiny new site is running but has no content and not a single user yet. Since you can track users with either "cookies" or "sessions", you should know that, if you decide to use the "session" method, it is absolutely necessary to:

#> chmod 777 /var/www/tmp

This will allow writing to the tmp directory inside the jail. If you chose not to do this, e107 would have issues logging in and wouldn't provide any error messages (not even the "incorrect password" error).
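
Mode 777 omits the sticky bit, so every local account can rename or delete files in /var/www/tmp, session files included; mode 1777 still lets Apache write there while closing that gap. The following is an added example, not from the original article and with hypothetical function names, that finds such directories in the jail and adds the sticky bit.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the article).

# unsafe_jail_dirs [JAIL]
# Prints every directory under JAIL that is world-writable but lacks the
# sticky bit. Returns 1 if any were found, 0 if the jail is clean.
unsafe_jail_dirs() {
    jail=${1:-/var/www}
    # -perm -0002   : the "other" write bit is set
    # ! -perm -1000 : the sticky bit is not set
    found=$(find "$jail" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# add_sticky_bit [JAIL]
# Adds the sticky bit to each such directory and leaves the other
# permission bits alone, so only a file's owner (or root) can remove or
# rename it while the directory stays writable for Apache.
add_sticky_bit() {
    jail=${1:-/var/www}
    find "$jail" -type d -perm -0002 ! -perm -1000 -exec chmod +t {} +
}
```

Run `unsafe_jail_dirs` from a periodic job to catch a directory that was opened up again later.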

e107 offers the option to allow users to sign up with email verification. You will need to find something that can deliver that mail inside the chroot jail. One option is mini-sendmail in the ports system of OpenBSD.


We'll leave that process up to you. Happy serving!

akira (http://darkshed.net)
Asenchi (http://www.asenchi.com)