Putting Apache in Jail

Using chroot to Put Apache in Jail

Now that you know the basics of using chroot to put a process in jail and you are familiar with tools required to facilitate the process, we can take the steps required to put Apache in jail. Start by creating a new home for Apache and move the version installed (shown in the “Installation Instructions” section) to the new location:

  # mkdir -p /chroot/apache/usr/local
  # mv /usr/local/apache /chroot/apache/usr/ local
  # ln
 -s /chroot/apache/usr/local/apache / usr/local/apache
  # mkdir -p /chroot/apache/var
  # mv /var/www /chroot/apache/var/
  # ln
-s /chroot/apache/var/www /var/www

The symbolic link from the old location to the new one allows the web server to be used with or without being jailed as needed and allows for easy web server upgrades.

Like other programs, Apache depends on many shared libraries. The ldd tool gives their names (this ldd output comes from an Apache that has all default modules built-in statically):

  # ldd /chroot/apache/usr/local/apache/bin/httpd
       libm.so.6 => /lib/tls/libm.so.6 (0x005e7000)
       libcrypt.so.1 => /lib/libcrypt.so.1 (0x00623000)
       libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x00902000)
       libexpat.so.0 => /usr/lib/libexpat.so.0 (0x00930000)
       libdl.so.2 => /lib/libdl.so.2 (0x0060b000)
       libc.so.6 => /lib/tls/libc.so.6 (0x004ac000)
       /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00494000)

This is a long list; we make copies of these libraries in the jail:

  # mkdir /chroot/apache/lib
  # cp /lib/tls/libm.so.6 /chroot/apache/lib
  # cp /lib/libcrypt.so.1 /chroot/apache/lib
  # cp /usr/lib/libgdbm.so.2 /chroot/apache/lib
  # cp /usr/lib/libexpat.so.0 /chroot/apache/lib
  # cp /lib/libdl.so.2 /chroot/apache/lib
  # cp /lib/tls/libc.so.6 /chroot/apache/lib
  # cp /lib/ld-linux.so.2 /chroot/apache/lib

Putting user, group, and name resolution files in jail

Though the httpd user exists on the system (you created it as part of the installation earlier); there is nothing about this user in the jail. The jail must contain the basic user authentication facilities:

  # mkdir /chroot/apache/etc
  # cp /etc/nsswitch.conf /chroot/apache/etc/
  # cp /lib/libnss_files.so.2 /chroot/apache/lib

The jail user database needs to contain at least one user and one group. Use the same name as before and use the identical user and group numbers inside and outside the jail. The filesystem stores user and group numbers to keep track of ownership. It is a job of the ls binary to get the usernames from the user list and show them on the screen. If there is one user list on the system and another in the jail with different user numbers, directory listings will not make much sense.

  # echo "httpd:x:500:500:Apache:/:/sbin/nologin" > /chroot/apache/etc/passwd
  # echo "httpd:x:500:" > /chroot/apache/etc/group

At this point, Apache is almost ready to run and would run and serve pages happily. A few more files are needed to enable domain name resolution:

  # cp /lib/libnss_dns.so.2 /chroot/apache/lib
  # cp /etc/hosts /chroot/apache/etc
  # cp /etc/resolv.conf /chroot/apache/etc