Mailing List Archive: Sandboxed directory

Sandboxed directory

drentsoft at gmail

Nov 6, 2012, 4:10 AM

Post #1 of 7 (2670 views)

Hi all,

I've just setup my Raspberry Pi running Cherokee through a No-IP host. It's
working great but I have a friend who's interested in learning a bit of web
development and I thought I'd give him some space on my Pi to play around
with. What I want is for him to have his own subdirectory that he can mess
around in but that won't affect the rest of my server if he does something
wrong. I've given his user no permissions outside of his directory except
for an SSH login.

I was wondering if it's possible to do this:

the default virtual server is hosted from /home/pi/www
I've set him up a user at /home/james with his own /www folder.

I then want for example [host].no-ip.org served from /home/pi/www

and [host].no-ip.org/james where the document root is served from
/home/james/www

I've tried two possible solutions but both have their own problems.

First I tied using a new directory rule within the default virtual server
which pointed /james to the document root /home/james/www. I also added a
second PHP extension rule. This works with html files but php files try to
download rather than get served.
If I change the rule priority so his php rule is on top and final then his
index.php is served at [host].no-ip.org but none of the other files in his
directory are accessible (returning 404) and in /james the files return a
405. I can still access my non-index.php files in my directory.

The second thing I tried was setting up at least one virtual server with
nickname [host].no-ip.org/james but with this setup everything returns 404.

*To summarise I want [host].no-ip.org to serve from /home/pi/www and [host].
no-ip.org/james to serve from /home/james/www both with PHP support.
*
Has anyone got any suggestions for making this work?

Thanks,

Derwent

Re: Sandboxed directory [ In reply to ]

stefan at konink

Nov 6, 2012, 5:58 AM

Post #2 of 7 (2606 views)

On 11/06/12 13:10, Derwent Ready wrote:
> If I change the rule priority so his php rule is on top and final then
> his index.php is served at [host].no-ip.org <http://no-ip.org> but none
> of the other files in his directory are accessible (returning 404) and
> in /james the files return a 405. I can still access my non-index.php
> files in my directory.

The general PHP configuration in Cherokee:

- PHP should be on top, as extension php
- Match should be non-final.

Anything below that such as a list & send with a different docroot, or
default rule will profit from this.

Stefan
_______________________________________________
Cherokee mailing list
Cherokee@lists.octality.com
http://lists.octality.com/listinfo/cherokee

Re: Sandboxed directory [ In reply to ]

drentsoft at gmail

Nov 6, 2012, 8:33 AM

Post #3 of 7 (2605 views)

Thanks Stefan,

Should both the /home/pi/www and /home/james/www extension php rules be
next to each other?

This is what I have so far.
http://www.drentsoft.com/images/cherokeepi/rules.html It works except for
the /james PHP files being served as downloads rather than displayed. I
tried your suggestion of using just one general php rule with no doc root
specified but that didn't work either.

On 6 November 2012 13:58, Stefan de Konink <stefan@konink.de> wrote:

> On 11/06/12 13:10, Derwent Ready wrote:
> > If I change the rule priority so his php rule is on top and final then
> > his index.php is served at [host].no-ip.org <http://no-ip.org> but none
> > of the other files in his directory are accessible (returning 404) and
> > in /james the files return a 405. I can still access my non-index.php
> > files in my directory.
>
> The general PHP configuration in Cherokee:
>
> - PHP should be on top, as extension php
> - Match should be non-final.
>
> Anything below that such as a list & send with a different docroot, or
> default rule will profit from this.
>
>
> Stefan
> _______________________________________________
> Cherokee mailing list
> Cherokee@lists.octality.com
> http://lists.octality.com/listinfo/cherokee
>

Re: Sandboxed directory [ In reply to ]

jo.becker at gmail

Nov 6, 2012, 8:41 AM

Post #4 of 7 (2600 views)

Why not just symlink that directory into your normal doc root as "james" with appropriate permissions? Then you don't even have to fiddle with fancy Cherokee settings as it won't even know the difference?
Johannes

Am 06.11.2012 um 17:33 schrieb Derwent Ready <drentsoft@gmail.com>:

> Thanks Stefan,
>
> Should both the /home/pi/www and /home/james/www extension php rules be next to each other?
>
> This is what I have so far. http://www.drentsoft.com/images/cherokeepi/rules.html It works except for the /james PHP files being served as downloads rather than displayed. I tried your suggestion of using just one general php rule with no doc root specified but that didn't work either.
>
> On 6 November 2012 13:58, Stefan de Konink <stefan@konink.de> wrote:
>> On 11/06/12 13:10, Derwent Ready wrote:
>> > If I change the rule priority so his php rule is on top and final then
>> > his index.php is served at [host].no-ip.org <http://no-ip.org> but none
>> > of the other files in his directory are accessible (returning 404) and
>> > in /james the files return a 405. I can still access my non-index.php
>> > files in my directory.
>>
>> The general PHP configuration in Cherokee:
>>
>> - PHP should be on top, as extension php
>> - Match should be non-final.
>>
>> Anything below that such as a list & send with a different docroot, or
>> default rule will profit from this.
>>
>>
>> Stefan
>> _______________________________________________
>> Cherokee mailing list
>> Cherokee@lists.octality.com
>> http://lists.octality.com/listinfo/cherokee
>
> _______________________________________________
> Cherokee mailing list
> Cherokee@lists.octality.com
> http://lists.octality.com/listinfo/cherokee

Re: Sandboxed directory [ In reply to ]

drentsoft at gmail

Nov 6, 2012, 8:44 AM

Post #5 of 7 (2596 views)

Ah that's a good idea, I'll give that a try, thanks.

On 6 November 2012 16:41, Johannes Becker <jo.becker@gmail.com> wrote:

> Why not just symlink that directory into your normal doc root as "james"
> with appropriate permissions? Then you don't even have to fiddle with fancy
> Cherokee settings as it won't even know the difference?
> Johannes
>
> Am 06.11.2012 um 17:33 schrieb Derwent Ready <drentsoft@gmail.com>:
>
> Thanks Stefan,
>
> Should both the /home/pi/www and /home/james/www extension php rules be
> next to each other?
>
> This is what I have so far.
> http://www.drentsoft.com/images/cherokeepi/rules.html It works except for
> the /james PHP files being served as downloads rather than displayed. I
> tried your suggestion of using just one general php rule with no doc root
> specified but that didn't work either.
>
> On 6 November 2012 13:58, Stefan de Konink <stefan@konink.de> wrote:
>
>> On 11/06/12 13:10, Derwent Ready wrote:
>> > If I change the rule priority so his php rule is on top and final then
>> > his index.php is served at [host].no-ip.org <http://no-ip.org> but none
>> > of the other files in his directory are accessible (returning 404) and
>> > in /james the files return a 405. I can still access my non-index.php
>> > files in my directory.
>>
>> The general PHP configuration in Cherokee:
>>
>> - PHP should be on top, as extension php
>> - Match should be non-final.
>>
>> Anything below that such as a list & send with a different docroot, or
>> default rule will profit from this.
>>
>>
>> Stefan
>> _______________________________________________
>> Cherokee mailing list
>> Cherokee@lists.octality.com
>> http://lists.octality.com/listinfo/cherokee
>>
>
> _______________________________________________
> Cherokee mailing list
> Cherokee@lists.octality.com
> http://lists.octality.com/listinfo/cherokee
>
>

Re: Sandboxed directory [ In reply to ]

drentsoft at gmail

Nov 6, 2012, 8:49 AM

Post #6 of 7 (2597 views)

That worked perfectly! Thanks!

On 6 November 2012 16:41, Johannes Becker <jo.becker@gmail.com> wrote:

> Why not just symlink that directory into your normal doc root as "james"
> with appropriate permissions? Then you don't even have to fiddle with fancy
> Cherokee settings as it won't even know the difference?
> Johannes
>
> Am 06.11.2012 um 17:33 schrieb Derwent Ready <drentsoft@gmail.com>:
>
> Thanks Stefan,
>
> Should both the /home/pi/www and /home/james/www extension php rules be
> next to each other?
>
> This is what I have so far.
> http://www.drentsoft.com/images/cherokeepi/rules.html It works except for
> the /james PHP files being served as downloads rather than displayed. I
> tried your suggestion of using just one general php rule with no doc root
> specified but that didn't work either.
>
> On 6 November 2012 13:58, Stefan de Konink <stefan@konink.de> wrote:
>
>> On 11/06/12 13:10, Derwent Ready wrote:
>> > If I change the rule priority so his php rule is on top and final then
>> > his index.php is served at [host].no-ip.org <http://no-ip.org> but none
>> > of the other files in his directory are accessible (returning 404) and
>> > in /james the files return a 405. I can still access my non-index.php
>> > files in my directory.
>>
>> The general PHP configuration in Cherokee:
>>
>> - PHP should be on top, as extension php
>> - Match should be non-final.
>>
>> Anything below that such as a list & send with a different docroot, or
>> default rule will profit from this.
>>
>>
>> Stefan
>> _______________________________________________
>> Cherokee mailing list
>> Cherokee@lists.octality.com
>> http://lists.octality.com/listinfo/cherokee
>>
>
> _______________________________________________
> Cherokee mailing list
> Cherokee@lists.octality.com
> http://lists.octality.com/listinfo/cherokee
>
>

Re: Sandboxed directory [ In reply to ]

jo.becker at gmail

Nov 6, 2012, 9:08 AM

Post #7 of 7 (2596 views)

Glad I could help :)
Just make sure files inside your friend's directory are always readable by the web server. If James creates files on his own to which Cherokee doesn't have sufficient permissions, he's gonna be confused and frustrated...

Von meinem iPhone gesendet

Am 06.11.2012 um 17:49 schrieb Derwent Ready <drentsoft@gmail.com>:

> That worked perfectly! Thanks!
>
> On 6 November 2012 16:41, Johannes Becker <jo.becker@gmail.com> wrote:
>> Why not just symlink that directory into your normal doc root as "james" with appropriate permissions? Then you don't even have to fiddle with fancy Cherokee settings as it won't even know the difference?
>> Johannes
>>
>> Am 06.11.2012 um 17:33 schrieb Derwent Ready <drentsoft@gmail.com>:
>>
>>> Thanks Stefan,
>>>
>>> Should both the /home/pi/www and /home/james/www extension php rules be next to each other?
>>>
>>> This is what I have so far. http://www.drentsoft.com/images/cherokeepi/rules.html It works except for the /james PHP files being served as downloads rather than displayed. I tried your suggestion of using just one general php rule with no doc root specified but that didn't work either.
>>>
>>> On 6 November 2012 13:58, Stefan de Konink <stefan@konink.de> wrote:
>>>> On 11/06/12 13:10, Derwent Ready wrote:
>>>> > If I change the rule priority so his php rule is on top and final then
>>>> > his index.php is served at [host].no-ip.org <http://no-ip.org> but none
>>>> > of the other files in his directory are accessible (returning 404) and
>>>> > in /james the files return a 405. I can still access my non-index.php
>>>> > files in my directory.
>>>>
>>>> The general PHP configuration in Cherokee:
>>>>
>>>> - PHP should be on top, as extension php
>>>> - Match should be non-final.
>>>>
>>>> Anything below that such as a list & send with a different docroot, or
>>>> default rule will profit from this.
>>>>
>>>>
>>>> Stefan
>>>> _______________________________________________
>>>> Cherokee mailing list
>>>> Cherokee@lists.octality.com
>>>> http://lists.octality.com/listinfo/cherokee
>>>
>>> _______________________________________________
>>> Cherokee mailing list
>>> Cherokee@lists.octality.com
>>> http://lists.octality.com/listinfo/cherokee
>
> _______________________________________________
> Cherokee mailing list
> Cherokee@lists.octality.com
> http://lists.octality.com/listinfo/cherokee