Home arrow Apache arrow Page 3 - Putting Apache in Jail

Preparing PHP to work in jail - Apache

In this conclusion to a six-part series on Apache configuration and installation, you will learn how to use chroot to put Apache in jail, how to prepare PHP to work in jail, and more. This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Copyright 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

  1. Putting Apache in Jail
  2. Finishing touches for Apache jail preparation
  3. Preparing PHP to work in jail
  4. Taking care of small jail problems
  5. Using mod_security or mod_chroot
By: O'Reilly Media
Rating: starstarstarstarstar / 2
January 31, 2008

print this article



To make PHP work in jail, you should install it as normal. Establish a list of shared libraries required and copy them into the jail: 

  # ldd /chroot/apache/usr/local/apache/ libexec/libphp4.so
libcrypt.so.1 => /lib/libcrypt.so.1 (0x006ef000)
       libresolv.so.2 => /lib/libresolv.so.2 (0x00b28000)
       libm.so.6 => /lib/tls/libm.so.6 (0x00111000)
       libdl.so.2 => /lib/libdl.so.2 (0x00472000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00f67000)
libc.so.6 => /lib/tls/libc.so.6 (0x001df000)
       /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00494000)

Some of the libraries are already in the jail, so skip them and copy the remaining libraries (shown in bold in the previous output):

  # cp /lib/libresolv.so.2 /chroot/apache/lib
cp /lib/libnsl.so.1 /chroot/apache/lib

One problem you may encounter with a jailed PHP is that scripts will not be able to send email because the sendmail binary is missing. To solve this, change the PHP configuration to make it send email using the SMTP protocol (to localhost or some other SMTP server). Place the following in the php.ini configuration file:

  SMTP = localhost

Preparing Perl to work in jail

To make Perl work, copy the files into the jail:

  # cp -dpR /usr/lib/perl5 /chroot/apache/usr/lib
# mkdir /chroot/apache/bin
cp /usr/bin/perl /chroot/apache/bin

Determine the missing libraries:

  # ldd /chroot/apache/bin/perl 
           libperl.so => /usr/lib/perl5/5.8.1/i386-linux-thread-multi
/CORE/libperl.so (0x0067b000)
           libnsl.so.1 => /lib/libnsl.so.1 (0x00664000)
           libdl.so.2 => /lib/libdl.so.2 (0x0060b000)
           libm.so.6 => /lib/tls/libm.so.6 (0x005e7000)
           libcrypt.so.1 => /lib/libcrypt.so.1 (0x00623000)
          libutil.so.1 => /lib/libutil.so.1 (0x00868000)
          libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00652000) 
           libc.so.6 => /lib/tls/libc.so.6 (0x004ac000)
           /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00494000)

Then add them to the libraries that are inside:

  # cp /lib/libutil.so.1 /chroot/apache/lib
cp /lib/tls/libpthread.so.0 /chroot/ apache/lib

>>> More Apache Articles          >>> More By O'Reilly Media

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Apache Unveils Cassandra 1.2
- Apache on ARM Chips? Dell and Calxeda Help M...
- The Down Side of Open Source Software
- VMware Unveils Serengeti for Apache Hadoop
- SAP Takes Steps to Improve Hadoop Integration
- Looking to Hone Apache Hadoop Skills?
- How to Install Joomla on WAMPP
- Working with XAMPP and Wordpress
- GUI Available for Apache Camel
- Reduce Server Load for Apache and PHP Websit...
- Creating a VAMP (Vista, Apache, MySQL, PHP) ...
- Putting Apache in Jail
- Containing Intrusions in Apache
- Server Limits for Apache Security
- Setting Permissions in Apache

Developer Shed Affiliates


Dev Shed Tutorial Topics: