Gallery in a Chroot on Linux

So you’ve decided that you want to run gallery in your new chrooted apache install. Well, you’re in for a bitter bitter treat. It seems as though the php exec command requires that /bin/sh exists?!? Here’s how I got there.

Tried the gd option. Even though it checked out ok in the tests it just didn’t work. I didn’t track down why yet. Pages just wouldn’t load with this toolkit selected.

Next, I tried both ImageMagick and NetPBM. There are multiple executables for both systems. NetPBM has about 50 of them. I used this shortcut to copy the executables over.
for i in `rpm -ql netpbm-progs | grep bin`; do ln $i /var/www/usr/bin/`basename $i`; done

That command took all of the binaries from the netpbm-progs package and put them into my chroot. Later, I ran the ldd command against the binaries to figure out which library files were required. After finding out that netpbm relies on perl, I excluded that toolkit from the running and focused on getting ImageMagick to work.
About this time, I discovered that gallery has a debug option under config.php. I wish I’d looked there sooner :(.  This actually led me astray.  The error the debug was showing was “file not found”. However, I didn’t know which file wasn’t found (the input file, the output file, /bin/sh, /usr/bin/convert).
Another thing that I ran into was ImageMagick’s reliance on the magic.mgk file. Be sure to copy that to the chroot.

ln /usr/lib/ImageMagick-6.0.7/config/magic.mgk /var/www/usr/lib/ImageMagick-6.0.7/config/magic.mgk
Thanks to having the debugging turned on, I was able to see the actual commands that gallery was running. The issue was that I could run those commands in the chroot, but gallery wouldn’t run them correctly. I looked through mod_security to see if I wasn’t allowing executables to run, and eventually turned filtering off. Still, it just didn’t work.

Here is an example of running a command in the chroot: chroot /var/www /usr/bin/convert -size 200x200 -geometry 200x200 /html/lynema/gallery2/modules/imagemagick/data/test.gif /html/lynema/gallery2/g2data/tmp/imgk_ZvjJHr
The final piece of the puzzle was moving over /bin/sh to the chroot. This sucks. I don’t like this mostly because of security reasons. Now a hacker has access to a shell to help them crack the site. The site is still chrooted, but I’m not entirely happy with the result.

Time spent on this was about 8 hours. AKA way too long.
