Home arrow Apache arrow Putting Apache in Jail

Putting Apache in Jail

In this conclusion to a six-part series on Apache configuration and installation, you will learn how to use chroot to put Apache in jail, how to prepare PHP to work in jail, and more. This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Copyright © 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

TABLE OF CONTENTS:
  1. Putting Apache in Jail
  2. Finishing touches for Apache jail preparation
  3. Preparing PHP to work in jail
  4. Taking care of small jail problems
  5. Using mod_security or mod_chroot
By: O'Reilly Media
Rating: starstarstarstarstar / 2
January 31, 2008

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

Using chroot to Put Apache in Jail

Now that you know the basics of using chroot to put a process in jail and you are familiar with tools required to facilitate the process, we can take the steps required to put Apache in jail. Start by creating a new home for Apache and move the version installed (shown in the “Installation Instructions” section) to the new location:

  # mkdir -p /chroot/apache/usr/local
  # mv /usr/local/apache /chroot/apache/usr/ local
  # ln
 -s /chroot/apache/usr/local/apache / usr/local/apache
  # mkdir -p /chroot/apache/var
  # mv /var/www /chroot/apache/var/
  # ln
-s /chroot/apache/var/www /var/www

The symbolic link from the old location to the new one allows the web server to be used with or without being jailed as needed and allows for easy web server upgrades.

Like other programs, Apache depends on many shared libraries. The ldd tool gives their names (this ldd output comes from an Apache that has all default modules built-in statically):

  # ldd /chroot/apache/usr/local/apache/bin/httpd
 
      libm.so.6 => /lib/tls/libm.so.6 (0x005e7000)
       libcrypt.so.1 => /lib/libcrypt.so.1 (0x00623000)
       libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x00902000)
       libexpat.so.0 => /usr/lib/libexpat.so.0 (0x00930000)
       libdl.so.2 => /lib/libdl.so.2 (0x0060b000)
       libc.so.6 => /lib/tls/libc.so.6 (0x004ac000)
       /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00494000)

This is a long list; we make copies of these libraries in the jail:

  # mkdir /chroot/apache/lib
 
# cp /lib/tls/libm.so.6 /chroot/apache/lib
 
# cp /lib/libcrypt.so.1 /chroot/apache/lib
 
# cp /usr/lib/libgdbm.so.2 /chroot/apache/lib
 
# cp /usr/lib/libexpat.so.0 /chroot/apache/lib
 
# cp /lib/libdl.so.2 /chroot/apache/lib
 
# cp /lib/tls/libc.so.6 /chroot/apache/lib
 
#
cp /lib/ld-linux.so.2 /chroot/apache/lib

Putting user, group, and name resolution files in jail

Though the httpd user exists on the system (you created it as part of the installation earlier); there is nothing about this user in the jail. The jail must contain the basic user authentication facilities:

  # mkdir /chroot/apache/etc
  # cp /etc/nsswitch.conf /chroot/apache/etc/
  # cp /lib/libnss_files.so.2 /chroot/apache/lib

The jail user database needs to contain at least one user and one group. Use the same name as before and use the identical user and group numbers inside and outside the jail. The filesystem stores user and group numbers to keep track of ownership. It is a job of the ls binary to get the usernames from the user list and show them on the screen. If there is one user list on the system and another in the jail with different user numbers, directory listings will not make much sense.

  # echo "httpd:x:500:500:Apache:/:/sbin/nologin" > /chroot/apache/etc/passwd
  # echo "httpd:x:500:" > /chroot/apache/etc/group

At this point, Apache is almost ready to run and would run and serve pages happily. A few more files are needed to enable domain name resolution:

  # cp /lib/libnss_dns.so.2 /chroot/apache/lib
 
# cp /etc/hosts /chroot/apache/etc
 
#
cp /etc/resolv.conf /chroot/apache/etc



 
 
>>> More Apache Articles          >>> More By O'Reilly Media
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

APACHE ARTICLES

- Apache Unveils Cassandra 1.2
- Apache on ARM Chips? Dell and Calxeda Help M...
- The Down Side of Open Source Software
- VMware Unveils Serengeti for Apache Hadoop
- SAP Takes Steps to Improve Hadoop Integration
- Looking to Hone Apache Hadoop Skills?
- How to Install Joomla on WAMPP
- Working with XAMPP and Wordpress
- GUI Available for Apache Camel
- Reduce Server Load for Apache and PHP Websit...
- Creating a VAMP (Vista, Apache, MySQL, PHP) ...
- Putting Apache in Jail
- Containing Intrusions in Apache
- Server Limits for Apache Security
- Setting Permissions in Apache

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: