Currently, I’m working on a hardened server using mod_chroot, mod_security and the suhosin extension. I was installing an app that uses fsockopen to check for updates (it’s an open source package). Every time I checked for updates, I would get an unexpected error displayed to me.
Hoping to find more information, I took a look in the error_log. Unfortunately nothing was there. Following the PHP code path, I isolated the problem to the fsockopen() call:
$fp = @fsockopen($server, $port, $this->errno, $this->errstr, $timeout);
I took out the error suppression (the leading @) and received the following warnings:
Warning: fsockopen() [function.fsockopen]: php_network_getaddresses: getaddrinfo failed: Name or service not known in /var/www/www.domain.net/htdocs/libraries/lib-xmlrpc.inc.php on line 1041
Warning: fsockopen() [function.fsockopen]: unable to connect to sync.openads.org:80 in /var/www/www.domain.net/htdocs/libraries/lib-xmlrpc.inc.php on line 1041
I wanted to verify that the problem was related to mod_chroot, so I removed it and restarted. Sure enough, the update script worked. Now I knew this had to be related to a library, or to something specific to DNS (I hoped).
I do have /etc/hosts and resolv.conf in my jailed /etc, so I was not sure where to look. When dealing with chroot, two programs will be your best friends: ldd and strace. strace will definitely show where things went bad in a hurry.
I stopped apache and restarted it with strace:
strace -o myout.file -fF apache2 -D DEFAULT_VHOST -D PHP4 -D SSL -D SSL_DEFAULT_VHOST -D SECURITY -D CHROOT
With strace/apache running, I hit the update script. As soon as it failed, I stopped strace and went through the file it created, which holds every system call apache made. There is a ton of data, so search for the file name (update.php in my case). From that point on, pay attention to ‘(No such file or directory)’ messages:
21584 open("/lib/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
21584 open("/lib/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
21584 open("/usr/lib/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
libnss_dns.so.2 sounds like something useful for DNS (it is the glibc NSS backend that performs DNS lookups for getaddrinfo), and it was not in my jail. Adding that .so file to the jail and restarting apache fixed the problem.
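As an added example, not part of the original post: a small POSIX shell check that does the “is the NSS library in the jail?” step from above without a full strace session. It reads the hosts: line of the jail’s nsswitch.conf and reports each libnss_<backend>.so.2 missing from the jail’s library directories, plus the resolver files the dns backend reads. The function names, the jail path in the trailing comment and the list of library directories are my assumptions, not anything mod_chroot itself provides.

```shell
#!/bin/sh
# check_jail_nss JAIL [NSSWITCH]
#   Reads the "hosts:" line of the jail's nsswitch.conf (or the file given
#   as NSSWITCH) and reports every NSS backend whose libnss_<name>.so.2 is
#   absent from the jail's library directories. Prints one missing backend
#   per line; returns 0 when nothing is missing, 1 otherwise.
#   The directory list is an assumption covering common Debian/Ubuntu and
#   Red Hat layouts; extend it for other distributions.
check_jail_nss() {
    jail=$1
    nss=${2:-$jail/etc/nsswitch.conf}
    missing=0
    [ -r "$nss" ] || { echo "cannot read $nss" >&2; return 1; }
    # "hosts: files dns [NOTFOUND=return]" -> "files dns [NOTFOUND=return]"
    backends=$(sed -n 's/#.*//; s/^hosts:[[:space:]]*//p' "$nss")
    for svc in $backends; do
        case $svc in \[*) continue ;; esac   # skip action specs like [NOTFOUND=return]
        found=0
        for dir in lib lib64 lib/x86_64-linux-gnu lib/i386-linux-gnu \
                   usr/lib usr/lib64 usr/lib/x86_64-linux-gnu usr/lib/i386-linux-gnu; do
            if [ -e "$jail/$dir/libnss_$svc.so.2" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then echo "$svc"; missing=1; fi
    done
    return "$missing"
}

# check_jail_resolver JAIL
#   The resolver configuration files the dns and files backends read; they
#   must exist under the jail too. Returns 0 if all present, 1 otherwise.
check_jail_resolver() {
    jail=$1; rc=0
    for f in etc/resolv.conf etc/hosts etc/nsswitch.conf; do
        [ -e "$jail/$f" ] || { echo "missing $f"; rc=1; }
    done
    return "$rc"
}

# Example run against the directory mod_chroot is pointed at (path assumed):
#   check_jail_nss /var/www && check_jail_resolver /var/www
```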
Hope this helps someone isolating chroot problems.
— UPDATE —
Just found some information on how to do this differently. You don’t need to copy libnss_dns.so.2 into the jail!
In /etc/apache2/modules.d/15_mod_chroot.conf add the following line before the LoadModule call for mod_chroot:
LoadFile /lib/libnss_dns.so.2
Apache then loads the library at startup, before mod_chroot changes the root directory, so it is already mapped when PHP resolves a hostname inside the jail.