Movable Type on a ChRooted Server
This afternoon, I finally got Movable Type operating inside the chroot jail that OpenBSD runs Apache in. It took some digging and a lot of file copying, but it works now. I’ve decided to document what I did for anyone else who decides to head down this road. The biggest headache was getting all of the necessary libraries into the chroot jail. For those interested in running Movable Type, or any other Perl CGI scripts, on such a system, here’s what you need.
OpenBSD installs the Apache configuration, documents, and logs into /var/www. Apache is then run chrooted into this directory, so the first step is to set up the necessary directories. Most of this work must be done as root, so be careful of typos, as you don’t want to wipe out your existing installation.
- Change into the Apache chroot directory:
    cd /var/www
- Create the necessary directories to allow Perl to run:
    mkdir -p usr/bin
    mkdir -p usr/lib
    mkdir -p usr/libexec
    mkdir -p usr/libdata
    mkdir -p etc
- Link the standard bin/ directory to our new usr/bin directory:
    ln -s usr/bin bin
- Copy the executables into our new usr/bin directory:
    cp /usr/bin/perl usr/bin
- Now we need to copy the libraries needed by the Perl executable. These libraries can be verified by running ldd on the perl executable:
    ldd /usr/bin/perl
  On my system, it lists 4 dependent libraries which we copy into the new usr/lib:
    cp /usr/lib/libperl.so.6.1 usr/lib
    cp /usr/lib/libc.so.28.5 usr/lib
    cp /usr/lib/libm.so.0.1 usr/lib
    cp /usr/lib/libutil.so.7.1 usr/lib
- Now we need to copy the loader into the usr/libexec directory:
    cp /usr/libexec/ld.so usr/libexec
- Finally, we need to copy all the Perl “stuff” into the libdata directory so our Perl scripts can find them:
    cp -R /usr/libdata/perl5 usr/libdata
- Copy a few necessary support files into the etc/ directory:
    cp /etc/services etc
    cp /etc/protocols etc
- That is the extent of the files that need to be copied. In the cgi-bin/ directory, there are some sample scripts you can use for testing:
    chmod 755 cgi-bin/printenv
  Now, load up that script in your web browser, and see if it works. If it does, you’re good to go. If not, check to make sure all of the files were copied into the correct locations. Once you have verified that Perl is working properly, remember to disable the test script:
    chmod 000 cgi-bin/printenv
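The files copied in the steps above are independent copies, so they do not change when the base system is patched. The following script is an added example, not part of the original post: it derives the library list from ldd output instead of hard-coding version numbers, then reports which jail copies are missing or differ from the system files. The function names, the `check` argument and the sample ldd text are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the Perl chroot built above. The jail layout follows
# the page; function names and SAMPLE_LDD are assumptions of this example.

# Constructed sample of ldd output (not captured from a real host). The
# column layout varies by OpenBSD release, so the parser below relies only
# on library paths being absolute.
SAMPLE_LDD='/usr/bin/perl:
	-lperl.6 => /usr/lib/libperl.so.6.1 (0x40021000)
	-lm.0 => /usr/lib/libm.so.0.1 (0x400f2000)
	-lutil.7 => /usr/lib/libutil.so.7.1 (0x40105000)
	-lc.28 => /usr/lib/libc.so.28.5 (0x4010d000)'

# Print every absolute path named in ldd output read from stdin,
# skipping the "binary:" header line.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^\// && $i !~ /:$/) print $i }' | LC_ALL=C sort -u
}

# For each path on stdin, report whether the copy under jail $1 is
# missing, stale (differs from the system file, e.g. after a patch), or ok.
# Optional $2 prefixes the "system" side so the logic can be tested.
jail_status() {
    jail=$1
    root=${2:-}
    while read -r p; do
        if [ ! -e "$jail$p" ]; then
            echo "missing $p"
        elif ! cmp -s "$root$p" "$jail$p"; then
            echo "stale $p"
        else
            echo "ok $p"
        fi
    done
}

# Real use, as root:  sh audit.sh check [/var/www]
if [ "${1:-}" = "check" ]; then
    { ldd /usr/bin/perl | ldd_paths
      echo /usr/bin/perl; echo /usr/libexec/ld.so
      echo /etc/services; echo /etc/protocols
    } | LC_ALL=C sort -u | jail_status "${2:-/var/www}"
fi
```

Any line reported as stale means the jail is still running the old copy; re-copy that file after each system update.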
Configuring Movable Type is straightforward per the instructions. The only changes are that the DataSource setting in the configuration file and the Blog Paths in the Weblog Configurations must be set relative to the Apache directory. In other words, if your DataSource directory is at /var/www/mtdata, you should enter /mtdata as your DataSource location.
I do not know what, if any, security implications this has, but if you can spot any, please be sure to let me know.

April 22nd, 2003 at 9:21 am
Gee … sounds harder than it should be. I did not think setting up a FreeBSD server was that complicated - and should be quite well documented since MT does not use anything that is not on a standard web server (perl configured of course). Are your settings, security concerns, etc. impacting your choice in how/where you installed the Apache server?
April 22nd, 2003 at 1:52 pm
First off, it’s not FreeBSD, it’s OpenBSD. So, from the security point of view, they chroot’ed Apache and included nothing in it. From a security POV, that’s great. From a practical POV, it makes life difficult.
Once I found instructions of everything I needed to include, it was easy. It’s just the searching that takes a while.
April 22nd, 2003 at 2:35 pm
The one piece I haven’t gotten working yet is pinging the blog trackers. I’m getting errors about being unable to resolve the server names and I’m not sure what libraries need to be added to the chroot.
August 17th, 2003 at 12:00 am
THANK YOU so much for taking the time to post this. I’m making the move from Win2k/IIS to OBSD3.3/Apache, and was dreading having to try and figure out how to get MT to run chrooted. You have obviously spared me that headache, and will save me several hours of search time.
NOW for two questions, if I may:
1. Do you have any open/unresolved issues running MT since your update?
2. What about Gallery? I run it, and it seems you do, too. It was enough of a bear to get it to work on Windows/IIS - how was it getting that to run chrooted (assuming that you are running it chrooted)?
Thanks again - you rule.
-danR
August 28th, 2003 at 7:03 pm
Thanks sooo much for taking the time to post this! This is a tremendous amount of work and I appreciate you taking the time to document it so well. Rock on!
November 25th, 2003 at 3:44 am
I must join the others in thanking you for publishing your work on getting Movable Type working. I’d missed moving the libraries in.
Like yourself, I’m trying to make my installation as secure as possible. Nessus is a hard taskmaster though
December 27th, 2003 at 11:19 am
Any ideas why I’d get this error when trying to start mt-load?
Loading initial data into system…
An error occurred while loading data:
Connection error: Can’t connect to local MySQL server through socket ‘/var/lib/mysql/mysql.sock’ (2)
And/or do you have any suggestions on how to figure out what the correct path to my db would be? I’m on a paid host and my db doesn’t show up in my home folder.
March 28th, 2004 at 11:05 am
Another “how-to” has recently been released, but using PostgreSQL. It seems pretty encompassing.
http://www.creepingfur.org/projects/tutorials/chbsdindex.html