I am a learn-as-you-go-along programmer and a newbie to Linux and I could really use some advice. I am SO close to getting my new server running with Imagemagick. I just need pointed in the right direction.
For years I have run a Apache2 website under Windows with a lot of art. I wrote a binary cgi (placed in the cgi-bin) that builds a nice gallery out of found images and calls "convert.exe" whenever it sees that a thumbnail needs to be made. This homemade use of Imagemagick has worked like a champ for years.
However this year I've seen a huge increase in hack attempts. So I decided to switch my server over to Ubuntu. I'm in completely new waters. I've configured Ubuntu's Apache2 to run each Vhosts as their own linux user/group, chmod each folder so only there user has access, and chrooted /var/www just for good measure. I didn't want a bunch of libraries so I compiled Imagemagick as a static (convert is a 9 meg file). Apache & PHP runs as their own users and even my own binary scripts recompiled on Linux run fine from the cgi-bin.
I can run this "convert" from the command line fine. However, if my binary script from Apache2 cgi-bin tries to call convert (within the chroot) I get a Doserror: 8 back from convert which I assume means apache2 is not giving convert enough memory?? Or could this be a compile error with some library missing due to chroot?
To get this far I've been reading for months but I'm stumped ATM. Is there a way to tell Apache2 to give Imagemagick more memory via being run from "cgi-bin"(it didn't seem to be an issue under win32 Apache2)? Or is there a way to tell if I need to add a missing library inside the chroot?
Thanks for any help/advice! I really need some right now.
WS
Apache2 or Imagemagick problem??
-
anthony
- Posts: 8883
- Joined: 2004-05-31T19:27:03-07:00
- Authentication code: 8675308
- Location: Brisbane, Australia
Re: Apache2 or Imagemagick problem??
Check the server logs, and expecially the error log for precisely way you get the error.
convert requires access to libraries, coder modules, and other configuration files defining colors, external delegate commands, etc etc etc.
A UNIX chroot environment is a jail, and only things in that jail is accessable. As such running anthing in that jail must have access to everything that it needs in that same jail. That is everything given above.
As you only chroot /usr/www everything IM needs must be within that directory structure. That incluses and user files and images, as well as commands, libraries etc.
FTP Deamon chroot gets around this by having the ftp load all its needed libraries first then internally it chroot's so that it is then restricted to the desired directory, to limit file access. The key is that it already has everything it needs already open and thus accessable, before restricting itself to that sub-directory for anything else.
You may like to have a look at SE linux instead of chroot. It is complex, but provides extra kernal level protection about what process can access what things. For example only user files marked as being publically available via the web is accessable to the web server!
convert requires access to libraries, coder modules, and other configuration files defining colors, external delegate commands, etc etc etc.
A UNIX chroot environment is a jail, and only things in that jail is accessable. As such running anthing in that jail must have access to everything that it needs in that same jail. That is everything given above.
As you only chroot /usr/www everything IM needs must be within that directory structure. That incluses and user files and images, as well as commands, libraries etc.
FTP Deamon chroot gets around this by having the ftp load all its needed libraries first then internally it chroot's so that it is then restricted to the desired directory, to limit file access. The key is that it already has everything it needs already open and thus accessable, before restricting itself to that sub-directory for anything else.
You may like to have a look at SE linux instead of chroot. It is complex, but provides extra kernal level protection about what process can access what things. For example only user files marked as being publically available via the web is accessable to the web server!
Anthony Thyssen -- Webmaster for ImageMagick Example Pages
https://imagemagick.org/Usage/
https://imagemagick.org/Usage/
-
WhiteShepherd
Re: Apache2 or Imagemagick problem??
Apache does not give me any error (but it's running my program that runs and exits properly). My program however get's a DOSERROR 8 from Imagemagick.
I compiled Imagemagick with ./configure --disable-shared --enable-delegate-build
What other files do I need besides "convert". Can anyone tell me what other files/directory-tree are needed under Ubuntu? If not is there a way I can find out what I need?
A suggestion to the developers: There are a lot of us web admins who try to use Imagemagick under chmod. Perhaps in the download include a file like "chmod.txt" that explains installing imagemagick under a chmod (static and regular)? It would help us a LOT.
Gene
I compiled Imagemagick with ./configure --disable-shared --enable-delegate-build
What other files do I need besides "convert". Can anyone tell me what other files/directory-tree are needed under Ubuntu? If not is there a way I can find out what I need?
A suggestion to the developers: There are a lot of us web admins who try to use Imagemagick under chmod. Perhaps in the download include a file like "chmod.txt" that explains installing imagemagick under a chmod (static and regular)? It would help us a LOT.
Gene
-
WhiteShepherd
Re: Apache2 or Imagemagick problem??
I am still without a fix for this problem. 
Does anyone run Imagemagick with Apache in a chroot jail?
I have tested and can execute imagemagick "convert" just fine from inside the chroot using the "chroot" command. However when Apache2 cgi process calls the program it quits with a doserror 8. I again suspect Apache2 is not giving Imagemagick enough memory?
Anyone with experience on this?
Does anyone run Imagemagick with Apache in a chroot jail?I have tested and can execute imagemagick "convert" just fine from inside the chroot using the "chroot" command. However when Apache2 cgi process calls the program it quits with a doserror 8. I again suspect Apache2 is not giving Imagemagick enough memory?
Anyone with experience on this?