Problems chrooting Apache-ssl 1.3.26 under Debian Woody

To: debian-security@lists.debian.org
Subject: Problems chrooting Apache-ssl 1.3.26 under Debian Woody
From: Jason Paulson <jepaulson@bannerengineering.com>
Date: Wed, 28 Jan 2004 10:21:03 -0600
Message-id: <[🔎] OF75452844.1E271B16-ON86256E29.005806EC-86256E29.0059DE24@baneng.com>

I am trying to chroot the apache-ssl process (from the apache-ssl package) version 1.3.26 using Debian Woody as the environment.

but when I execute:
chroot /chroot/apache-ssl /usr/sbin/apache-ssl
I ge the following error:
apache-ssl: bad user name www-data

Which is something I didn't expect.
My chroot directory is /chroot/apache-ssl/
and there exists a /chroot/apache-ssl/etc/passwd file that has both a www-data entry and a nobody entry.
Like so:
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
Which I thought would be sufficent to avoid a problem like this.
but just to make sure there are also passwd-, group, group-, gshadow, gshadow-, shadow, and shadow- files that have a similar reduced number of entries.

Is there something I am missing?

Thanks,
Jason

I am including my log of steps taken during the chroot process. If you want more information please contact me. Thanks for any help or insight you can provide.

apache-ssl:

apt-get install apache-ssl

Country: US
State: Minnesota
Locality: Minneapolis
Organization: [censored]
Unit: Web Services
Server Name: [censored]
Email: [censored]
Set ServerName in /etc/apache-ssl/httpd.conf
Disable all but the following modules:

LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config_ssl.so

LoadModule mime_module /usr/lib/apache/1.3/mod_mime_ssl.so

LoadModule negotiation_module /usr/lib/apache/1.3/mod_negotiation.so

LoadModule status_module /usr/lib/apache/1.3/mod_status.so

LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so

LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so

LoadModule access_module /usr/lib/apache/1.3/mod_access.so

LoadModule auth_module /usr/lib/apache/1.3/mod_auth_ssl.so

LoadModule apache_ssl_module /usr/lib/apache/1.3/libssl.so

Set ServerSignature to Off.
Disable Icon Alias and ScriptAlias
CHRoot Server:

mkdir /chroot/apache-ssl

mkdir dev

mkdir etc

mkdir var

mkdir lib

mkdir var/run

mkdir -p usr/lib

mkdir usr/lib/apache-ssl

mkdir usr/lib/apache-ssl/1.3

mkdir -p usr/libexec

mkdir -p var/www

mkdir -p var/log/apache-ssl

mkdir -p etc/apache-ssl

mkdir -p usr/sbin

ls -al /dev/null

mknod /chroot/apache-ssl/dev/null c 1 3 (1 3 from major/minor from ls -al)

chown root:sys /chroot/apache-ssl/dev/null

chmod 666 /chroot/apache-ssl/dev/null

Change /etc/init.d/sysklogd

SYSLOGD="-r -a /chroot/apache-ssl/dev/log"

We need the following binaries:

cp /usr/sbin/apache-ssl /chroot/apache-ssl/usr/sbin/

cp /usr/lib/apache-ssl/suexec /chroot/apache-ssl/usr/lib/apache-ssl/suexec

We need the following libraries:

cp /lib/libm.so.6 /chroot/apache-ssl/lib/libm.so.6

cp /lib/libcrypt.so.1 /chroot/apache-ssl/lib/

cp /lib/libdb.so.2 /chroot/apache-ssl/lib/

cp /lib/libdb2.so.2 /chroot/apache-ssl/lib/

cp /usr/lib/libexpat.so.1 /chroot/apache-ssl/usr/lib/

cp /lib/libd1.so.2 /chroot/apache-ssl/lib/

cp /lib/libdl.so.2 /chroot/apache-ssl/lib/

cp /usr/lib/libssl.so.0.9.6 /chroot/apache-ssl/usr/lib/

cp /usr/lib/libcrypto.so.0.9.6 /chroot/apache-ssl/usr/lib/

cp /lib/libc.so.6 /chroot/apache-ssl/lib/

cp /lib/ld-linux.so.2 /chroot/apache-ssl/lib/

cp /lib/ld-2.2.5.so /chroot/apache-ssl/lib/

cp /usr/lib/apache/1.3/mod_log_config_ssl.so /chroot/apache-ssl/usr/lib/apache/1.3/

cp /usr/lib/apache/1.3/mod_mime_ssl.so /chroot/apache-ssl/usr/lib/apache/1.3/

cp /usr/lib/apache/1.3/mod_negotiation.so /chroot/apache-ssl/usr/lib/apache/1.3/

cp /usr/lib/apache/1.3/mod_status.so /chroot/apache-ssl/usr/lib/apache/1.3/

cp /usr/lib/apache/1.3/mod_dir.so /chroot/apache-ssl/usr/lib/apache/1.3/

cp /usr/lib/apache/1.3/mod_userdir.so /chroot/apache-ssl/usr/lib/apache/1.3/

cp /usr/lib/apache/1.3/mod_access.so /chroot/apache-ssl/usr/lib/apache/1.3/

cp /usr/lib/apache/1.3/mod_auth_ssl.so /chroot/apache-ssl/usr/lib/apache/1.3/

cp /usr/lib/apache/1.3/libssl.so /chroot/apache-ssl/usr/lib/apache/1.3/

cp /lib/libnss_compat-2.2.5.so /chroot/apache-ssl/lib/

cp /lib/libnsl-2.2.5.so /chroot/apache-ssl/lib/

We need the following files:

cp /etc/hosts /chroot/apache-ssl/etc/

cp /etc/host.conf /chroot/apache-ssl/etc/

cp /etc/resolv.conf /chroot/apache-ssl/etc/

cp /etc/group /chroot/apache-ssl/etc/

cp /etc/group- /chroot/apache-ssl/etc/

cp /etc/gshadow /chroot/apache-ssl/etc/

cp /etc/gshadow- /chroot/apache-ssl/etc/

cp /etc/passwd /chroot/apache-ssl/etc/

cp /etc/passwd- /chroot/apache-ssl/etc/

cp /etc/shadow /chroot/apache-ssl/etc/

cp /etc/shadow- /chroot/apache-ssl/etc/

cp /etc/apache-ssl/mime.types /chroot/apache-ssl/etc/apache-ssl/

cp /etc/apache-ssl/httpd.conf /chroot/apache-ssl/etc/apache-ssl/

echo "working..." > /chroot/apache-ssl/var/www/index.html
Remove all but www-data and nobody from passwd, shadow, and group
start chrooted server:

chroot /chroot/apache-ssl /usr/sbin/apache-ssl

Replace in /etc/logrotate.d/apache-ssl /var/log/apache-ssl/*.log with /var/chroot/apache-ssl/var/log/apache-ssl/*.log

Reply to:

Prev by Date: Re: Hardening named.conf
Next by Date: Re: Hardening named.conf
Previous by thread: Re: Hardening named.conf
Next by thread: Bug#230063: openwebmail security hole
Index(es):
- Date
- Thread