Firewall Handbuch für LINUX 2.0 und 2.2 - zurück
Firewall Handbuch für LINUX 2.0 und 2.2 - zurück
Firewall Handbuch für LINUX 2.0 und 2.2 - zurück
Erfolgreiche ePaper selbst erstellen
Machen Sie aus Ihren PDF Publikationen ein blätterbares Flipbook mit unserer einzigartigen Google optimierten e-Paper Software.
This might be important if you cannot live without your tree. Don't laugh<br />
--if all of your colleagues' documentation lives there, then, well, you<br />
can't live without it. Sometimes documentation really IS important.<br />
Before you start you have to decide if this is a do-able task. If your<br />
entire tree can live on one file system, then this may be for you. But if<br />
links and cgi-Skripts reach out across filesystems and nodes and people's<br />
home directories (in this 'automounted' or 'afs-ed' world), then this<br />
probably isn't your cup of tea. You have to know your web tree really well<br />
first. In particular, take a close look at your cgi-Skripts and all Skripts<br />
and utilities called by your cgi-Skripts before you start.<br />
We use the CERN http daemon, and our web site is served by an HP running<br />
9.05 HP-UX and NIS (but it is not an NIS server). This information is<br />
necessarily HP-specific, but it should generalize. It took me a couple of<br />
afternoons of work to produce a working web tree.<br />
So these are the steps I followed to chroot a LIVE web tree. It wasn't as<br />
painful as I thought it would be, but it requires a bit of work if you want<br />
to provide a high level of functionality.<br />
In the following steps I have assumed:<br />
the web tree owner is: www<br />
living in group: webgroup<br />
I have also assumed that the new web root is at: /wtree<br />
Create a tree in a NEW web root and give it the appropriate ownership. If<br />
only one account edits files in the web tree, then your are set. If multiple<br />
user accounts update files, then presumably you could have a special group<br />
for web updating, and have people 'newgrp' to this group. Thus:<br />
chown -R www:webgroup /wtree<br />
chmod -R 755 /wtree (or 775 if 'webgroup' needs write permission)<br />
You might also choose to create some kind of a 'home' directory structure<br />
(see http://hoohoo.ncsa.uiuc.edu/docs/tutorials/chroot.html)<br />
**From this point you work as user 'www'<br />
Create the skeleton tree in the new web root. You will probably need:<br />
bin, etc, tmp, dev, lib<br />
You have to decide whether you are going to put sharable libraries in your<br />
web tree. I decided to NOT do this (though in the end I put one library<br />
there). If I was to do this all over again, I probably wouldn't have opted<br />
for only staticly-linked versions. At the time I was worried about<br />
'duplicating' my file system in the web tree.<br />
If you decide to put sharable libraries in the tree, then you have to figure<br />
out which ones. This might not be easy! Anyway, you should copy a useful set<br />
of utilities to your /wtree/bin directory, and copy any necessary libraries<br />
to /wtree/lib or /wtree/usr/lib.<br />
Note: the 'useful set of utilities' is necessary if you use cgi Skripts in<br />
your web tree. Therefore which ones you need will depend on which utilities<br />
are referenced by your cgi-Skripts.<br />
If you do as I did and opt for staticly-linked versions, then the easiest<br />
thing is to get a bunch of GNU file utilities and compile them staticly, so<br />
that you don't need shared libraries. These utilities are available in these<br />
GNU files sets:<br />
(bash, binutils, diffutils, find, gawk, grep, sed, textutils)<br />
Only install what you will use; for example, don't install 'df' unless you<br />
want to try to provide it with the 'mount table'. This is an example set of<br />
Erstellt von Doc Gonzo - http://kickme.to/plugins