problem chroot-ing apache2 in debian 3.1



Hi all.

I'm new to Debian. I did try to find a solution on google and the
archives of this mailing list. Neither worked.

Here is the problem:
I followed the linux.com tutorial on chrooting apache
(http://www.linux.com/article.pl?sid=04/05/24/1450203) but at the end
when I get to start apache it doesn't work:

#/etc/init.d/apache2 start
Starting apache: chroot: cannot run command `/usr/sbin/apache2ctl': No
such file or directory

I know that I have both the normal root /usr/sbin/apache2ctl and the
chroot directory one /chroot/httpd/usr/sbin/apache2ctl.

So, I hope someone can help me out.

Thanks,
-Gezim

P.S.: During this attempt I tried to create some documentation for the
future, so this might help as to where I might have gone wrong:

CHROOTING APACHE (debian 3.1)
----------------
1.) If "apache" group or something similar (e.g. www-data) to run apache
doesn't exist, add one with "groupadd apache".
2.) If "apache" user or something similar (e.g. www-data) to run apache
doesn't exist, add one with:
	useradd -c "Apache Server" -d /dev/null -g apache -s /bin/false apache
3.) Now create the directory structure:
mkdir /chroot
mkdir /chroot/httpd/
mkdir /chroot/httpd/dev/
mkdir /chroot/httpd/lib/
mkdir /chroot/httpd/etc
mkdir -p /chroot/httpd/usr/sbin/
mkdir /chroot/httpd/usr/lib
mkdir /chroot/httpd/usr/libexec
mkdir -p /chroot/httpd/var/run
mkdir -p /chroot/httpd/var/log/apache
mkdir -p /chroot/httpd/home/httpd

Now fix the permissions:
chown -R root /chroot/httpd/
chmod -R 0755 /chroot/httpd
chmod 750 /chroot/httpd/var/log/apache

Now create special devices such as /dev/null:
mknod /chroot/httpd/dev/null c 1 3
chown root.sys /chroot/httpd/dev/null
chmod 666 /chroot/httpd/dev/null

4.) Copy the configuration files:
cp -r /etc/apache2/ /chroot/httpd/etc

5.) Copy Apache DocumentRoot and CGI scripts:
cp -r /var/www/ /chroot/httpd/var/

6.) Copy httpd binary (and, if you use them, the Apache scripts)
from /usr/sbin:

cp /usr/sbin/apache2* /chroot/httpd/usr/sbin/

7.) If you need to use mod_ssl copy the /etc/ssl directory and its
contents.

8.) Run "ldd /chroot/httpd/usr/sbin/apache2" to find out what libraries
apache needs and copy them too.

8.5) Certain libraries are needed for some standard networking
functionality:
cp /lib/libnss_compat* /chroot/httpd/lib/
cp /lib/libnss_dns* /chroot/httpd/lib/
cp /lib/libnss_files* /chroot/httpd/lib/
cp /lib/libnsl* /chroot/httpd/lib/

9.) Copy passwd and group files:
cp /etc/passwd /chroot/httpd/etc/
cp /etc/group /chroot/httpd/etc/

10.) Remove all users from /chroot/httpd/etc/passwd except www-data.
11.) Remove all groups from /chroot/httpd/etc/group except www-data.

12.) Copy needed network configuration files:

cp /etc/hosts /chroot/httpd/etc/
cp /etc/host.conf /chroot/httpd/etc/
cp /etc/resolv.conf /chroot/httpd/etc/
cp /etc/nsswitch.conf /chroot/httpd/etc/

13.) For extra security set the immutable bit on for above files:
chattr +i /chroot/httpd/etc/hosts
chattr +i /chroot/httpd/etc/host.conf
chattr +i /chroot/httpd/etc/resolv.conf
chattr +i /chroot/httpd/etc/nsswitch.conf
chattr +i /chroot/httpd/etc/passwd
chattr +i /chroot/httpd/etc/group

14.) Copy the appropriate localtime to /chroot/httpd/etc/localtime:
cp /usr/share/zoneinfo/Canada/Mountain /chroot/httpd/etc/localtime

15.) In /etc/init.d/syslogd change
SYSLOGD=""
to
SYSLOGD="-m 0 -a /chroot/httpd/dev/log"

16.) Create necessary log files and set the appendable bit on them:
touch /chroot/httpd/var/log/apache/access_log
touch /chroot/httpd/var/log/apache/error_log
chmod 600 /chroot/httpd/var/log/apache/*
chattr +a /chroot/httpd/var/log/apache/*

17.) In /etc/init.d/apache2 change:
APACHE2="$ENV /usr/sbin/apache2"
APACHE2CTL="$ENV /usr/sbin/apache2ctl"

to 

APACHE2="$ENV /usr/sbin/chroot /chroot/httpd/ /usr/sbin/apache2"
APACHE2CTL="$ENV /usr/sbin/chroot /chroot/httpd/ /usr/sbin/apache2ctl"

18.) Test it by shutting down the apache2ctl (if not done so already).
Restart the syslogd by:
/etc/init.d/syslogd restart
then start the chrooted version of apache:
....not working!
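A quick check for the error in the question above, added here as an example and not part of the original post: when chroot reports "cannot run command ... No such file or directory" for a file that is present in the jail, what is usually absent is something that file needs in order to execute, namely the interpreter named on a script's #! line (apache2ctl on Debian is a shell script, so /bin/sh must exist inside the jail) or a shared library or the dynamic loader of an ELF binary. The function below (check_chroot_exec is a hypothetical name) walks those dependencies for a program inside a given jail directory and reports each one that is missing.

```shell
#!/bin/sh
# Added example (not from the original post). check_chroot_exec JAIL PROG
# lists what PROG, as it lives inside JAIL, needs but JAIL does not contain:
# the "#!" interpreter of a script, or the shared libraries and dynamic
# loader of an ELF binary. Prints "missing: ..." lines; returns the count.
check_chroot_exec() {
    root=${1%/}            # jail directory, e.g. /chroot/httpd
    prog=$2                # path as seen from inside the jail
    missing=0
    if [ ! -f "$root$prog" ]; then
        echo "missing: $prog (not present under $root at all)"
        return 1
    fi
    if [ "$(head -c 2 "$root$prog")" = "#!" ]; then
        # Script: the kernel execs the interpreter named on the first line,
        # so that path must exist (and be executable) inside the jail too.
        interp=$(head -n 1 "$root$prog" | sed 's/^#![[:space:]]*//; s/[[:space:]].*//')
        if [ ! -x "$root$interp" ]; then
            echo "missing: $interp (interpreter of $prog)"
            missing=$((missing + 1))
        fi
        return $missing
    fi
    # ELF binary: every path ldd resolves on the host, including the loader
    # (e.g. /lib/ld-linux.so.2), must be copied to the same path in the jail.
    if ! command -v ldd >/dev/null 2>&1; then
        echo "warning: ldd not available, library check skipped" >&2
        return 0
    fi
    for lib in $(ldd "$root$prog" 2>/dev/null |
                 awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        if [ ! -e "$root$lib" ]; then
            echo "missing: $lib (library needed by $prog)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed usage against the jail from the post; prints nothing and
# returns 0 once the jail contains everything the program needs:
# check_chroot_exec /chroot/httpd /usr/sbin/apache2ctl
```

Run it for both /usr/sbin/apache2ctl and /usr/sbin/apache2, since the init script invokes each of them inside the jail.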