Index syndication
comment syndication

chpasswd in an OpenBSD apache chroot jail

October 19, 2007 at 10:37 · Filed under apps, openbsd, unix

I’ve recently re-installed OpenBSD and had to set-up my squid intranet password changing tool again. The app I use is chpasswd Version 2.2.3.

I had some trouble with getting it working in the default apache chroot jail, and found very little information out there on this app in a chroot jail. Here are my notes I recorded and and steps I took. Hope it helps someone else, but YMMV:

Download chpasswd to /tmp

cd /tmp
tar -zxvf chpasswd-2.2.3.tar.gz
cd chpasswd-2.2.3
./configure --enable-cgidir=/var/www/cgi-bin/ --prefix=/etc
make && make install
make clean

Setup apache for CGI running in the chroot jail

mkdir /var/www/etc
mkdir /var/www/tmp
mkdir -p /var/www/var/tmp
chmod 777 /var/www/tmp
chmod 777 /var/www/var/tmp
mv /etc/chpasswd* /var/www/etc/

Check which libs are compiled against chpasswd

ldd /var/www/cgi-bin/chpasswd.cgi

Output should be similar to the following:

Start End Type Ref Name
00000000 00000000 exe 1 /var/www/cgi-bin/chpasswd.cgi
03d1e000 23d4f000 rlib 1 /usr/lib/
09e55000 09e55000 rtld 1 /usr/libexec/

Copy the libs that chpasswd.cgi uses, shown from the ldd output, to the jail

mkdir -p /var/www/usr/lib
mkdir -p /var/www/usr/libexec
cp /usr/lib/ /var/www/usr/lib/
cp /usr/libexec/ /var/www/usr/libexec/

Update chpasswd configuration:

cd /var/www/etc
vi chpasswd.conf
vi ipauth

Create squid passwd file for chpasswd to update in chroot jail

mkdir /var/www/etc/squid
touch /var/www/etc/squid/passwd
chown root:www /var/www/etc/squid/passwd
chmod 660 /var/www/etc/squid/passwd

Update/Modify the auth_param section of squid.conf to use new passwd file and basic authentication (must already have ncsa_auth in place and working)

vi /etc/squid/squid.conf

auth_param basic program /usr/local/squid/libexec/ncsa_auth /var/www/etc/squid/passwd
auth_param basic children 5
auth_param basic realm Home Localnet to Internet access
auth_param basic credentialsttl 2 hours

Restart squid

squid -k reconfigure

Your app should now be usable at http://<your.squidserver>/cgi-bin/chpasswd.cgi

Leave a Comment