Home arrow Apache arrow Page 4 - Containing Intrusions in Apache

Using strace to see inside processes - Apache

In this fifth part to a six-part series on installing and configuring Apache, you will learn, among other things, how to put Apache in jail. This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Copyright 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

  1. Containing Intrusions in Apache
  2. Putting Apache in Jail
  3. Tools of the chroot Trade
  4. Using strace to see inside processes
By: O'Reilly Media
Rating: starstarstarstarstar / 5
January 24, 2008

print this article



The strace tool (truss on systems other than Linux) intercepts and records system calls that are made by a process. It gives much insight into how programs work, without access to the source code. Using chroot and ldd, you will be able to get programs to run inside jail, but you will need strace to figure out why they fail when they fail without an error message, or if the error message does not indicate the real cause of the problem. For that reason, you will often need strace inside the jail itself. (Remember to remove it afterwards.)

Using strace you will find that many innocent looking binaries do a lot of work before they start. If you want to experiment, I suggest you write a simple program such as this one:

  #include <stdarg.h>
#include <stdarg.h>

  int main(void) {
      puts("Hello world!");

Compile it once with a shared system support and once without it:

  # gcc helloworld.c -o helloworld.shared
  # gcc helloworld.c -o helloworld.static -static

Using strace on the static version gives the following output:

  # strace ./helloworld.static
  execve("./helloworld.static", ["./helloworld.static"], [/* 22 vars */]) = 0
uname({sys="Linux", node="ben", ...})  = 0
  brk(0)                                 = 0x958b000
  brk(0x95ac000)                         = 0x95ac000
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
  old_mmap(NULL, 4096, PROT_READ|PROT_WRITE,
  MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xbf51a000
  write(1, "Hello world!\n", 13Hello world!
  )          = 13
  munmap(0xbf51a000, 4096)               = 0

The strace output is ugly. Each line in the output represents a system call made from the process. It is not important at the moment what each line contains. Jailed binaries most often fail because they cannot open a file. If that happens, one of the lines near the end of the output will show the name of the file the binary attempted to access:

  open("/usr/share/locale/locale.alias", O_RDONLY) = -1 ENOENT
  (No such file or directory)

As an exercise, use strace on the dynamically compiled version of the program and compare the two outputs. You will see how many shared libraries are accessed even from a small program such as this one.

Please check back next week for the conclusion to this article.

>>> More Apache Articles          >>> More By O'Reilly Media

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Apache Unveils Cassandra 1.2
- Apache on ARM Chips? Dell and Calxeda Help M...
- The Down Side of Open Source Software
- VMware Unveils Serengeti for Apache Hadoop
- SAP Takes Steps to Improve Hadoop Integration
- Looking to Hone Apache Hadoop Skills?
- How to Install Joomla on WAMPP
- Working with XAMPP and Wordpress
- GUI Available for Apache Camel
- Reduce Server Load for Apache and PHP Websit...
- Creating a VAMP (Vista, Apache, MySQL, PHP) ...
- Putting Apache in Jail
- Containing Intrusions in Apache
- Server Limits for Apache Security
- Setting Permissions in Apache

Developer Shed Affiliates


Dev Shed Tutorial Topics: