You are basically screwed with Postgres. You have to use TCP. Just grind your teeth and firewall port 5432, and you're in business.
There are a couple other issues: it helps to have AOLserver statically linked so that it can restart itself. That is, kicking AOLserver (losingly) requires running nsd, and unless all the shared libs are available in your chroot area, you won't be able to do this.
A more insidious problem is ACS's dependence on external programs, such as aolserver-errors.pl. I bet you really wanted to install Perl in your chroot area, huh?
My suggestions for improving the ease of chrooting:
- Make it possible to restart AOLserver internally, through Tcl, or at least by sending it a SIGHUP. (Maybe this is already possible, but if it is I don't understand why stuff like restart-aolserver exists.
- Rewrite all the external scripts as Tcl that's loaded by the ACS at startup. I may do aolserver-errors myself in the next few days.
I'd be interested to know if there's any support for making smooth chroot operation of OpenACS an official goal of the project. I think that good defaults have a lot to do with security (as an OpenBSD user you probably agree!), and I think it would be very winning if we got to the point where chroot worked well enough that, e.g., the documentation and installation instructions could assume a chroot installation as the default.
The hitch, of course, is that you have to be root to chroot(2). I've never understood why.
