Re: Chroot and name resolution with PHP

David Fletcher wrote:
> Hi,
> 
> I'm using mod_security-1.8.3, with Apache httpd-2.0.50 and PHP 4.3.7 on
> Slackware linux.
> 
> In one of my PHP scripts I use the fsockopen function, which requires a
> name (e.g www.example.com) to be resolved. This works fine if I do not use
> the chroot capabilities of mod_security. However, with the chroot running,
> I get errors like 
> 
> Warning: fsockopen(): php_network_getaddresses: getaddrinfo failed: Name
> or service not known
> 
> Adding these files to the chroot gets rid of the problem:
> 
> /chroot/apache/lib/libnss_dns.so.2
> /chroot/apache/libnss_files.so.2
> /chroot/apache/libresolv.so.2
> /chroot/apache/etc/resolv.conf
> 
> Everything else in the chroot work really well using mod_security, without
> having to find all the libraries and put them in the chroot. That's what I
> really like about mod_security!
> 
> Is there some way to avoid the need to put these name resolution libraries
> in the chroot?

  I don't think so. PHP probably initializes its library only after
  chroot takes place so the files do have to be there for it to
  work.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com