Nfs – OpenBSD Apache configuration: NFS mount

apache-2.2chrootnfsopenbsd

I have a NFS mount at /mnt/web/ on OpenBSD 5.2.

How can I mount this so it's accessible to the web?

Currently I'm soft linking it to /var/www/web

ln -s /mnt/web /var/www/web

I've added an alias directive in the apache config like so:

Alias /web/ "/var/www/web/"


    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

The ownership shows that everyone should have read and execute. What am I doing wrong?
Apache says:

Not Found The requested URL /web was not found on this server.

Is it possible that OpenBSD's default chroot'd apache configuration doesn't allow this?

Additional Info:
I was able to access the NFS share when linked to the /var/www/users directory and apache configured with the "UserDir" option.

UPDATE
It works when Apache is run without chroot enabled …so, my next question: How can I get this to work within chroot?

UPDATE
I changed the mount location and mount options and now it works [ see my answer below ]. But I'd like advice on optimal permissions. These are static files only. Who should own these files?

Best Answer

I believe that your alias might be wrong, check out the documentation for the apache website for the difference between an alias such as "/web" and an alias "/web/".

Related Solutions

Apache2 Permission denied: access to / denied

Remove:

Options FollowSymLinks
AllowOverride None
Order Deny,Allow
Deny from all

Bash – OpenBSD 6.0 chrooted httpd with php 7.0 mail() works, but no mail goes out

I believe this to be solved in one of two ways:

(1) You CAN solve this by installing an executable shell in the chroot so that the sendmail binary can run. If you do, even if you install it in a wrapper, you have increased the surface area for an attack and you may as well just drop the chroot. Wrappers can be re-wrapped and all you need to do is perform a restart and your system is cracked. My vote is not to do that.

(2) The best option is to abandon mail and use SMTP directly through a socket - pretty much the same way that PHP and the webserver itself are already operating. There is no shell on the chroot and all you are doing is installing more php code and letting that code open a socket on the localhost to port 25 where your MTA is already listening and passing through to the outside world but not executing any arbitrary code.

Here is how that works:

Install Pear if it is not already installed and then install the mail scripts. You can do this easily like this:

pkg_add install Pear
pear install Mail_smtp
pear install Net_SMTP

Depending upon your system - the first pear install may do the second one for you as a dependency.

From there I added a php function in its own php program:

<?php
/**
 * Sends an email using SMTP directly rather than using the sendmail binary (which requires
 * a shell environment to run).  This allows the chrooted server to run with less exposure.
*/
require_once "Mail.php";

function SMTP_mail($recipients, $subjectHeader, $message, $fromHeader)
{
    $headers['From']    = $fromHeader;
    $headers['Subject'] = $subjectHeader;

    $smtpinfo["host"] = "localhost";
    $smtpinfo["port"] = "25";
    $smtpinfo["auth"] = false;

    // Create the mail object using the Mail::factory method
    $mail_object = Mail::factory("smtp", $smtpinfo);

    $mail_object->send($recipients, $headers, $message);
}

All that was left to do was to go through the code I was migrating and convert the mail instructions to use this function instead:

SMTP_mail($sendToEmailAddr, $subjectLine, $messageBody, 'From: Support@domain.com (Domain.com Robot)');

If you have not already done so, the ability to send mail outside the chroot should already be working. The important but for us here is in the /etc/mail/smtp.conf file:

listen on lo0

# Since we are only listening on the lo0 (local) we can safely use
# commands that are "accept from any" or bare "accept" commands.

# accept from any for domain "example.org" alias <aliases> deliver to mbox
accept for local alias <aliases> deliver to mbox

# accept from the lo0 (local) interface anything and relay it out
accept for any relay

# This was the original command - use it if you ever open up
# the external interface by doing a "listen on any" rather than
# the above command - that will keep us from being an open relay:
#accept from local for any relay

Give that a nice reboot and it should just work - given that you have the same setup I did in my question. PHP will open an SMTP connection over the localhost in the chroot to the localhost outside the chroot, send the email that you programmed it to send, and close the connection. OpenBSD's mailer.conf will make sure that the "real" sendmail (smtpctl) gets it and routes it to the outside world based upon the MX entry in the DNS of the mailhost for that email address. You will want to be sure that SMTP is running by setting smtpd_flags in your /etc/rc.conf.local system file.

All run by demons and as safe as your program code. I hope this helps!

Best Answer

Related Solutions

Apache2 Permission denied: access to / denied

Bash – OpenBSD 6.0 chrooted httpd with php 7.0 mail() works, but no mail goes out

Related Topic