OpenBSD has been my server operating system of choice for some time now. It has a slim profile without the bloat of unneeded features and drivers that characterize most current Linux distributions. It's also known for enhanced security. While I wouldn't really consider it an "enhanced" unix, it has been designed to enforce best practices by default.
One aspect of this is that the Apache webserver is chroot jailed. This means that Apache sees /var/www as the top level directory and cannot see anything that exists outside of that particular directory tree. If you're hosting more than static HTML (which we all are), this can cause trouble when your scripting language (PHP/Perl/etc.) needs to access another service, such as Sendmail or MySQL. You just need to configure those services to work within the security confines you've set by installing OpenBSD.
Here is one way of configuring your services so you can send mail from Apache via PHP. As always, there's more than one way to do it, and it never hurts to learn several.
First, make sure that you have set the $PKG_PATH variable correctly so that you can install packages cleanly and easily from the location of your choice (CD, FTP, etc). Now add the mini_sendmail package:
# pkg_add mini_sendmail-chroot-1.3.5
Next, create the path for sendmail within your chroot jail:
# mkdir -p /var/www/usr/sbin/
Now, create a link from the mini_sendmail binary to the location PHP will expect:
# ln /var/www/bin/mini_sendmail /var/www/usr/sbin/sendmail
Finally, you're going to need to create a shell instance within the chroot jail. This does add a security risk, as the Apache user now has access to a shell binary, but the user still has its own inherent limitations. It would be much safer to send mail via a TCP socket, but I'm hosting a fair amount of legacy code that would need to be modified for that environment; I don't have a lot of choice until the code is updated. You should look at both methods and your own code base, then make an informed decision.
# cp /bin/sh /var/www/bin
Note that this is a copy instead of a link. A hard link is impossible since it would cross volumes (in OpenBSD, /var is a separate volume from / by default). Also, you should be performing these tasks via sudo rather than in a root shell, but it's easier to illustrate this way.
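One way to audit the resulting jail layout, as an added example that is not part of the original post: it checks that usr/sbin/sendmail resolves to bin/mini_sendmail, that the copied shell still matches the system /bin/sh, and that none of the jail's binaries are group- or world-writable or setuid. The names check_jail and warn and the two arguments are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit the chroot mail layout built in the steps above.
# check_jail [JAIL_ROOT] [SYSTEM_SH]   (names are assumptions of this example)

problems=0
warn() { echo "WARN: $*" >&2; problems=$((problems + 1)); }

check_jail() {
    root=${1:-/var/www}
    sys_sh=${2:-/bin/sh}
    problems=0

    # PHP expects usr/sbin/sendmail; it must resolve to bin/mini_sendmail.
    if [ ! -x "$root/usr/sbin/sendmail" ]; then
        warn "$root/usr/sbin/sendmail is missing or not executable"
    elif ! [ "$root/usr/sbin/sendmail" -ef "$root/bin/mini_sendmail" ]; then
        warn "$root/usr/sbin/sendmail is not a link to bin/mini_sendmail"
    fi

    # The jail's shell is a copy, so system upgrades never refresh it.
    if [ ! -x "$root/bin/sh" ]; then
        warn "$root/bin/sh is missing or not executable"
    elif ! cmp -s "$sys_sh" "$root/bin/sh"; then
        warn "$root/bin/sh differs from $sys_sh (stale copy?)"
    fi

    # The web server user can reach these files: none should be group- or
    # world-writable, and none should carry setuid/setgid bits.
    for f in "$root/bin/sh" "$root/bin/mini_sendmail" "$root/usr/sbin/sendmail"; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            warn "$f is group- or world-writable"
        fi
        if [ -n "$(find "$f" \( -perm -4000 -o -perm -2000 \) -print)" ]; then
            warn "$f has a setuid or setgid bit set"
        fi
    done

    [ "$problems" -eq 0 ]   # exit status 0 only when the layout is clean
}
```

Running check_jail with no arguments uses the paths from this article; a warning about a differing shell after an upgrade means the copy in the jail should be replaced.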
Thank you very much for this article, it is seven years old, yet it saved me now again on my OBSD 5.3 server. Good piece of info, and very well explained.
Kolaloka
Posted by: Kolaloka | 09/17/2013 at 06:09 AM