Running Apache in chroot jail

When Apache runs chrooted and is configured correctly, Apache and its child processes (PHP, CGI scripts) cannot access anything above the ChrootDir as long as they run as a non-root user. You can easily set up an Apache chroot jail using mod_chroot. Keep in mind that you must never create special device files, suid binaries or hardlinks inside the chroot directory, and never run Apache, PHP or Perl as root.

 

How to setup Apache in a chroot jail?

In this how-to I assume you already have apache installed on your system.

Setup Apache's jail directory

Create a directory and its subdirectories for Apache's jail;

mkdir /apachejail
mkdir -p /apachejail/var/run
mkdir -p /apachejail/home/httpd
mkdir -p /apachejail/var/www/html
mkdir -p /apachejail/tmp
chmod 1777 /apachejail/tmp
mkdir -p /apachejail/var/lib/php/session
chown -R root.root /apachejail/var/run
chown root.apache /apachejail/var/lib/php/session

Edit /etc/php.ini;

Find the line:

session.save_path = "/var/lib/php/session"

replace with:

session.save_path = "/apachejail/var/lib/php/session"

Download and install mod_chroot

As far as I know there is no mod_chroot rpm available for CentOS/RedHat.

Download the latest source from http://core.segfault.pl/~hobbit/mod_chroot/dist/, and unpack the source. At the time of this writing version 0.5 is the most recent package.

cd /tmp
wget http://core.segfault.pl/~hobbit/mod_chroot/dist/mod_chroot-0.5.tar.gz
tar -zxvf mod_chroot-0.5.tar.gz

Go to the source directory, then compile and install mod_chroot using apxs:

cd mod_chroot-0.5
apxs -cia mod_chroot.c

Edit httpd.conf for using mod_chroot

Edit /etc/httpd/conf/httpd.conf and find the line:

PidFile run/httpd.pid

Replace with:

PidFile /var/run/httpd.pid

Add the line:

ChrootDir /apachejail

Find the line:

ServerRoot "/etc/httpd"

And add:

LockFile /var/run/httpd.lock
CoreDumpDirectory /var/run
ScoreBoardFile /var/run/httpd.scoreboard
LoadModule chroot_module /usr/lib64/httpd/modules/mod_chroot.so

Disable Apache SELinux Protection

Edit /etc/selinux/targeted/booleans and change or add the value of httpd_disable_trans to:

httpd_disable_trans=1

Enter the following command:

setsebool httpd_disable_trans 1

Edit apache's startup script

Edit /etc/init.d/httpd

Find the lines:

stop() {
echo -n $"Stopping $prog: "

and change them to:

stop() {
/bin/ln -s /apachejail/var/run/httpd.pid /var/run/httpd.pid
echo -n $"Stopping $prog: "
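Once the jail is built, it is worth checking it for the things the introduction says must never be inside it. The following script is an added example, not part of the original how-to: it audits a jail directory (assumed to be /apachejail, the path used above) for device nodes, setuid/setgid binaries, hard links and a /tmp that has lost its sticky bit.

```shell
#!/bin/sh
# Added example, not part of the original how-to: audit a chroot jail for the
# hazards the text warns about (device files, setuid/setgid binaries, hard
# links) and for a /tmp without the sticky bit the how-to sets (1777).
# Prints every offending path; returns 0 when clean, 1 when something was
# found, 2 when the argument is not a directory.  Usage: audit_jail /apachejail

audit_jail() {
    jail="$1"
    [ -d "$jail" ] || { echo "not a directory: $jail" >&2; return 2; }
    bad=0

    # Block/character device nodes: a disk or /dev/mem node inside the jail
    # gives the confined process direct access to data outside it.
    devs=$(find "$jail" -xdev \( -type b -o -type c \) 2>/dev/null)
    if [ -n "$devs" ]; then
        printf 'device files inside jail:\n%s\n' "$devs"; bad=1
    fi

    # setuid/setgid executables: chroot does not drop privileges, so a
    # setuid-root binary inside the jail is as dangerous as one outside it.
    suid=$(find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$suid" ]; then
        printf 'setuid/setgid files inside jail:\n%s\n' "$suid"; bad=1
    fi

    # Hard links (link count > 1): the same inode may be reachable from
    # outside the jail, so writes made inside show up outside.
    links=$(find "$jail" -xdev -type f -links +1 2>/dev/null)
    if [ -n "$links" ]; then
        printf 'hard-linked files inside jail:\n%s\n' "$links"; bad=1
    fi

    # The how-to creates $jail/tmp with mode 1777; warn if the sticky bit is gone.
    if [ -d "$jail/tmp" ] && ! [ -k "$jail/tmp" ]; then
        echo "sticky bit missing on $jail/tmp"; bad=1
    fi

    return $bad
}
```

Run it as root after every change to the jail, since the hard-link and setuid checks only see files the caller can stat.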