Re: problem chroot-ing apache2 in debian 3.1

I do not know what is causing this, but I do know that the program makejail does the chrooting automatically for you. Maybe you would like to have a look at it.

For Apache you probably only have to do:

mkdir "your chroot directory specified in /usr/share/doc/makejail/examples/apache.py"

makejail /usr/share/doc/makejail/examples/apache.py

This is from my /usr/share/doc/makejail/examples/apache.py:

testCommandsInsideJail=["/usr/local/apache2/bin/apachectl start"]

# Eventually append here the commands which access some services
# such as cgi or php scripts, database access, ...
testCommandsOutsideJail=["wget -r --spider http://localhost/",
                         "lynx --source https://localhost/"]


If you want a better way to secure your server you should take a look at for example grsecurity, lids and selinux.

2006/4/14, Gezim Hoxha <gezimetc@shaw.ca>:
Hey all.

I've got a problem chrooting apache2 in sarge.

Here is the problem:
I followed the linux.com tutorial on chrooting apache
(http://www.linux.com/article.pl?sid=04/05/24/1450203) but at the end
when I get to start apache it doesn't work:

#/etc/init.d/apache2 start
Starting apache: chroot: cannot run command `/usr/sbin/apache2ctl': No
such file or directory

I know that I have both the normal root /usr/sbin/apache2ctl and the
chroot directory one /chroot/httpd/usr/sbin/apache2ctl.

So, I hope someone can help me out.


P.S.: During this attempt I tried to create some documentation for the
future, so this might help as to where I might have gone wrong:

1.) If "apache" group or something similar (e.g. www-data) to run apache
doesn't exist, add one with "groupadd apache".
2.) If "apache" user or something similar (e.g www-data) to run apache
doesn't exist, add one with:
        "useradd -c "Apache Server" -d /dev/null -g apache -s \
         /bin/false apache"
3.) Now create the directory structure:
mkdir /chroot
mkdir /chroot/httpd/
mkdir /chroot/httpd/dev/
mkdir /chroot/httpd/lib/
mkdir /chroot/httpd/etc
mkdir -p /chroot/httpd/usr/sbin/
mkdir /chroot/httpd/usr/lib
mkdir /chroot/httpd/usr/libexec
mkdir -p /chroot/httpd/var/run
mkdir -p /chroot/httpd/var/log/apache
mkdir -p /chroot/httpd/home/httpd

Now fix the permissions:
chown -R root /chroot/httpd/
chmod -R 0755 /chroot/httpd
chmod 750 /chroot/httpd/var/log/apache

Now create special devices such as /dev/null:

mknod /chroot/httpd/dev/null c 1 3
chown root.sys /chroot/httpd/dev/null
chmod 666 /chroot/httpd/dev/null

4.) Copy the configuration files:
cp -r /etc/apache2/ /chroot/httpd/etc

5.) Copy Apache DocumentRoot and CGI scripts:
cp -r /var/www/ /chroot/httpd/var/

6.) Copy httpd binary (and, if you use them, the Apache scripts)
from /usr/sbin:

cp /usr/sbin/apache2* /chroot/httpd/usr/sbin/

7.) If you need to use mod_ssl copy the /etc/ssl directory and its

8.) Run "ldd /chroot/httpd/usr/sbin/apache2" to find out what libraries
apache needs and copy them too.

8.5) Certain libraries are needed for some standard networking functions:
cp /lib/libnss_compat* /chroot/httpd/lib/
cp /lib/libnss_dns* /chroot/httpd/lib/
cp /lib/libnss_files* /chroot/httpd/lib/
cp /lib/libnsl* /chroot/httpd/lib/

9.) Copy passwd and group files:
cp /etc/passwd /chroot/httpd/etc/
cp /etc/group /chroot/httpd/etc/

10.) Remove all users from /chroot/httpd/etc/passwd except www-data.
11.) Remove all groups from /chroot/httpd/etc/group except www-data.

12.) Copy needed network configuration files:

cp /etc/hosts /chroot/httpd/etc/
cp /etc/host.conf /chroot/httpd/etc/
cp /etc/resolv.conf /chroot/httpd/etc/
cp /etc/nsswitch.conf /chroot/httpd/etc/

13.) For extra security set the immutable bit on for above files:
chattr +i /chroot/httpd/etc/hosts
chattr +i /chroot/httpd/etc/host.conf
chattr +i /chroot/httpd/etc/resolv.conf
chattr +i /chroot/httpd/etc/nsswitch.conf
chattr +i /chroot/httpd/etc/passwd
chattr +i /chroot/httpd/etc/group

14.) Copy the appropriate localtime to /chroot/httpd/etc/localtime:
cp /usr/share/zoneinfo/Canada/Mountain /chroot/httpd/etc/localtime

15.) In /etc/init.d/syslogd change
SYSLOGD="-m 0 -a /chroot/httpd/dev/log"

16.) Create necessary log files and set the appendable bit on them:
touch /chroot/httpd/var/log/apache/access_log
touch /chroot/httpd/var/log/apache/error_log
chmod 600 /chroot/httpd/var/log/apache/*
chattr +a /chroot/httpd/var/log/apache/*

17.) In /etc/init.d/apache2 change:
APACHE2="$ENV /usr/sbin/apache2"
APACHE2CTL="$ENV /usr/sbin/apache2ctl"
to:

APACHE2="$ENV /usr/sbin/chroot /chroot/httpd/ /usr/sbin/apache2"
APACHE2CTL="$ENV /usr/sbin/chroot /chroot/httpd/ /usr/sbin/apache2ctl"

18.) Test it by shutting down the apache2ctl (if not done so already).
Restart the syslogd by:
/etc/init.d/syslogd restart
then start the chrooted version of apache:
....not working!
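An added check, not part of either message in this thread: `chroot: cannot run command ...: No such file or directory` is what execve reports not only when the file is absent, but also when a script's `#!` interpreter, or an ELF binary's dynamic loader or shared libraries, are missing inside the jail. The function below verifies those prerequisites for any program under a chroot, so it generalises the `ldd` step (8) above; the jail path and program name are arguments, the function name is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Usage:
#   check_chroot_exec JAIL PROGRAM
# PROGRAM is the path as seen from inside the jail, e.g.
#   check_chroot_exec /chroot/httpd /usr/sbin/apache2ctl
# Returns 0 when everything needed to exec PROGRAM exists under JAIL,
# 1 otherwise, printing each missing piece.

check_chroot_exec() {
    jail=$1; prog=$2; missing=0
    file="$jail$prog"
    if [ ! -f "$file" ]; then
        echo "missing: $prog"; return 1
    fi
    if [ ! -x "$file" ]; then
        echo "not executable: $prog"; missing=1
    fi
    if [ "$(head -c 2 "$file")" = "#!" ]; then
        # Script: the kernel execs the #! interpreter, which must live
        # inside the jail at the same path (e.g. /bin/sh for apache2ctl).
        interp=$(head -n 1 "$file" | sed 's/^#![ \t]*//' | awk '{print $1}')
        if [ ! -x "$jail$interp" ]; then
            echo "missing interpreter: $interp"; missing=1
        fi
    elif command -v ldd >/dev/null 2>&1; then
        # ELF binary: every path ldd resolves on the host, including the
        # ld-linux loader, must exist at the same path under the jail.
        for lib in $(ldd "$file" 2>/dev/null |
                     awk '{for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i}'); do
            [ -e "$jail$lib" ] || { echo "missing library: $lib"; missing=1; }
        done
    fi
    return $missing
}

# Run as a script: check_chroot_exec.sh JAIL PROGRAM
if [ $# -eq 2 ]; then
    check_chroot_exec "$1" "$2"
fi
```

Run it against the binary and against the `apache2ctl` wrapper separately, since each has its own dependencies.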
