Gentoo Forums
[HOWTO] Chrooting Apache2
ka0ttic
Retired Dev
Joined: 23 Oct 2003
Posts: 46
Location: Ormond Beach, FL
PostPosted: Sat May 08, 2004 10:14 pm    Post subject: [HOWTO] Chrooting Apache2

[HOWTO] Chrooting Apache2

UPDATE: Thanks go to David Stanek for converting the document to the same format as Gentoo's documents.

Some folks on the gentoo-web-user mailing list requested this, but I figured I'd release it to the masses too :P

It is available at http://butsugenjitemple.org/~ka0ttic/docs/apache_chroot/.

Please try it out and give feedback so that I may improve the document.
mli
n00b
Joined: 24 Jul 2004
Posts: 18
Location: Finland
PostPosted: Sat Jul 24, 2004 12:24 pm

Thanks for a great howto, I got my apache chrooted nicely.

I noticed that apache2splitlogfile does not work properly and made apache slow down almost immediately without perl (addjailsw /chroot/apache -P /usr/bin/perl) inside the chroot.

Some questions:

I have mod_php installed and after chrooting there were about 15-20 libs missing from /chroot/apache/usr/lib and /chroot/apache/lib. I copied those libs to the right location manually, but it was pretty slow; is it possible to do this automatically with jail somehow?

/chroot/apache/etc/shadow contains the encrypted root password. Should I manually edit that to * and maybe change root's shell from /bin/bash to /bin/false in /chroot/apache/etc/passwd?
placeholder
Advocate
Joined: 07 Feb 2004
Posts: 2500
PostPosted: Sat Jul 24, 2004 2:54 pm

Is it not true that unless there's a kernel-level vulnerability, it's not really necessary to run Apache2 in chroot? I read that on the forums somewhere before.
ka0ttic
Retired Dev
Joined: 23 Oct 2003
Posts: 46
Location: Ormond Beach, FL
PostPosted: Sat Jul 24, 2004 5:04 pm

Pwnz3r wrote:
Is it not true that unless there's a kernel-level vulnerability, it's not really necessary to run Apache2 in chroot? I read that on the forums somewhere before.


I cannot say with 100% certainty, as I am not a security expert, but I would take that with a grain of salt. The main parent apache process runs as root, which means if apache has a bug somewhere that can be exploited it is possible to gain root privileges.

There is a reason that one of (if not the) most secure operating systems on this planet (OpenBSD) runs apache chroot'ed by default.

Even if it wasn't possible, wouldn't you still feel better knowing that if for some reason someone gained root access, the most harm they could do would be deleting files inside the chroot environment?

OTOH, running apache in a chroot probably isn't for the faint-hearted. You'll run into a problem now and then, and might have to modify things to adapt to the chroot env. And on top of that it makes it harder to administer. For example, if you have user aliases set up, the files must be inside the chroot env, and you can then link the public_html to their home dir (or even better just make their homedir ${chroot_path}/home/username). It's definitely more of a PITA to administer.

Cheers
ka0ttic
Retired Dev
Joined: 23 Oct 2003
Posts: 46
Location: Ormond Beach, FL
PostPosted: Sat Jul 24, 2004 5:10 pm

mli wrote:
Thanks for a great howto, I got my apache chrooted nicely.

I noticed that apache2splitlogfile does not work properly and made apache slow down almost immediately without perl (addjailsw /chroot/apache -P /usr/bin/perl) inside the chroot.

Some questions:

I have mod_php installed and after chrooting there were about 15-20 libs missing from /chroot/apache/usr/lib and /chroot/apache/lib. I copied those libs to the right location manually, but it was pretty slow; is it possible to do this automatically with jail somehow?

/chroot/apache/etc/shadow contains the encrypted root password. Should I manually edit that to * and maybe change root's shell from /bin/bash to /bin/false in /chroot/apache/etc/passwd?


I haven't really messed with extra apache modules inside the chroot env so I cannot offer much help in that regard. Some work and some don't. The best advice I can think of is to google around and see if you can find any other people that have tried to run mod_php inside a chroot env.

As far as the root password goes, it definitely wouldn't hurt to do that. I wouldn't think it would matter, but you never can know.
Torin_
Tux's lil' helper
Joined: 05 Apr 2004
Posts: 114
Location: [PL]Gdynia
PostPosted: Sun Jul 25, 2004 10:19 pm

Code:

Init scripts

Well, hopefully everything worked ok. If so, then download the Init scripts.

Code listing 2.13

# cp /etc/conf.d/apache2 /etc/conf.d/apache2.chroot
# cp /etc/init.d/apache2 /etc/init.d/apache2.chroot

/etc/conf.d/apache2.chroot (download)

Change APACHE_CHROOTDIR to your chroot environment (or leave alone if you used the same path as I did in this document).

Change PIDFILE to 'PIDFILE=${APACHE_CHROOTDIR}/var/run/apache2.pid'

/etc/init.d/apache2.chroot (download)

That's on the website, but there are no files to download.
_________________
http://www.torin.biz/
ka0ttic
Retired Dev
Joined: 23 Oct 2003
Posts: 46
Location: Ormond Beach, FL
PostPosted: Mon Jul 26, 2004 2:33 pm

Torin_ wrote:
Code:

Init scripts

Well, hopefully everything worked ok. If so, then download the Init scripts.

Code listing 2.13

# cp /etc/conf.d/apache2 /etc/conf.d/apache2.chroot
# cp /etc/init.d/apache2 /etc/init.d/apache2.chroot

/etc/conf.d/apache2.chroot (download)

Change APACHE_CHROOTDIR to your chroot environment (or leave alone if you used the same path as I did in this document).

Change PIDFILE to 'PIDFILE=${APACHE_CHROOTDIR}/var/run/apache2.pid'

/etc/init.d/apache2.chroot (download)

That's on the website, but there are no files to download.


Fixed & Updated. Thanks.
vdboor
Guru
Joined: 03 Dec 2003
Posts: 592
Location: The Netherlands
PostPosted: Mon Jul 26, 2004 11:05 pm

ka0ttic wrote:
The main parent apache process runs as root, which means if apache has a bug somewhere that can be exploited it is possible to gain root priviledges.

There is a reason that one of (if not the) most secure operating systems on this planet (OpenBSD) runs apache chroot'ed by default.

Even if it wasn't possible, wouldn't you still feel better knowing that if for some reason someone gained root access, the most harm they could do would be deleting files inside the chroot environment?


In case you're wondering: it is possible to run apache without a root process, I've managed to get my apache server running completely as normal user: https://forums.gentoo.org/viewtopic.php?t=188692

Pwnz3r wrote:
Is it not true that unless there's a kernel-level vulnerability, there's not really neccessary to run Apache2 in chroot? I read that on the forums somewhere before.

There is one important thing to know: chrooting doesn't protect you from everything... In BSD, they have a jail() function that also restricts the process from communicating with other processes. A chroot() in Linux does not do this; the root process can freely communicate with the other non-chrooted processes. This opens the possibility to use vulnerabilities in those processes to break out of the chroot-ed environment.
A chroot does have another advantage however: the attacker can't use tools located outside of the chroot-ed environment, or tools having vulnerabilities that can be abused to gain privileges.
_________________
The best way to accelerate a windows server is by 9.81M/S²
Linux user #311670 and Yet Another Perl Programmer

[ screenies | Coding on KMess ]
vdboor
Guru
Joined: 03 Dec 2003
Posts: 592
Location: The Netherlands
PostPosted: Mon Jul 26, 2004 11:14 pm

ka0ttic, I was wondering about something:

In your tutorial you explained something about installing Perl in the chroot, but to my best knowledge, a Perl interpreter or C compiler enables attackers to break out of a chroot (because both Perl and C/C++ allow you to call the chroot() function again).
I may be ignorant, or perhaps this is an issue of the past, but I hope someone can clarify this mystery for me. :?
ka0ttic
Retired Dev
Joined: 23 Oct 2003
Posts: 46
Location: Ormond Beach, FL
PostPosted: Mon Jul 26, 2004 11:47 pm

vdboor wrote:
ka0ttic, I was wondering about something:

In your tutorial you explained something about installing Perl in the chroot, but to my best knowledge, a Perl interpreter or C compiler enables attackers to break out of a chroot (because both Perl and C/C++ allow you to call the chroot() function again).
I may be ignorant, or perhaps this is an issue of the past, but I hope someone can clarify this mystery for me. :?


You're right. I've never thought about that. Good thing Grsecurity exists ;p if you have chroot restrictions enabled, you can not chroot() inside a chroot. Otherwise, it probably wouldn't be the best of ideas to have perl inside the chroot env.
idoneus
Apprentice
Joined: 26 Mar 2003
Posts: 243
Location: Graz, Austria
PostPosted: Tue Jul 27, 2004 5:44 pm

vdboor wrote:
a Perl interpreter or c-compiler enables attachers to break out of a chroot.. (because both perl and C/C++ allow you to call the chroot() function again)

AFAIK you still need root privileges to call the chroot command.
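An added check for the point the last three posts circle around: whether something inside the jail can call chroot() a second time. This is example code written for this thread, not part of ka0ttic's how-to and not grsecurity's. On Linux, chroot(2) requires the CAP_SYS_CHROOT capability (bit 18 of the capability mask), which root keeps unless it is deliberately dropped; a process that has it can chroot() into a subdirectory of the jail, chdir("..") its way up to the real root and chroot(".") there, which is the breakout vdboor describes and the one grsecurity's chroot restrictions block. A process without the capability, such as an Apache worker that has setuid()ed to the apache user, gets EPERM. The script reads CapEff from /proc for every process with a given name and reports which ones could still leave. The process name is an assumption; pass whatever your jailed server is called (apache2 on Gentoo).

```shell
#!/bin/sh
# Which processes can still call chroot(2)?  On Linux the call needs
# CAP_SYS_CHROOT (capability bit 18).  A root-owned parent normally keeps it
# and can chroot() into a subdirectory and chdir("..") its way out of the
# jail; an unprivileged worker cannot.  Added example for this thread, not
# part of the how-to.  The process name to audit is an assumption.

CAP_SYS_CHROOT=18

# hex_nibble <hexstring> <n>: value of the n-th hex digit counted from the
# right (n = 0 is the last digit); 0 if the string is shorter than that.
hex_nibble() {
    h=$1; i=0
    while [ "$i" -lt "$2" ]; do h=${h%?}; i=$((i + 1)); done
    if [ -z "$h" ]; then
        echo 0
    else
        rest=${h%?}; last=${h#"$rest"}      # last remaining character
        echo $(( 0x$last ))
    fi
}

# cap_bit_set <hex capability mask> <bit>: succeeds if the bit is set.
# Works one nibble at a time, so masks wider than the shell's integers
# (CapEff is 64 bits) are handled without overflow.
cap_bit_set() {
    nib=$(hex_nibble "$1" $(( $2 / 4 )))
    [ $(( (nib >> ($2 % 4)) & 1 )) -eq 1 ]
}

# capeff_of <pid>: effective capability mask of a process, from /proc.
capeff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# audit_jail <process name>: one line per matching process with its
# effective uid, its root directory and whether it could re-chroot.
audit_jail() {
    for st in /proc/[0-9]*/status; do
        pid=${st#/proc/}; pid=${pid%/status}
        [ "$(awk '/^Name:/ { print $2 }' "$st" 2>/dev/null)" = "$1" ] || continue
        uid=$(awk '/^Uid:/ { print $3 }' "$st")          # effective uid
        root=$(readlink "/proc/$pid/root" 2>/dev/null || echo '?')
        caps=$(capeff_of "$pid")
        if [ -z "$caps" ]; then
            verdict="CapEff unreadable"
        elif cap_bit_set "$caps" "$CAP_SYS_CHROOT"; then
            verdict="holds CAP_SYS_CHROOT: can re-chroot and leave the jail"
        else
            verdict="no CAP_SYS_CHROOT: chroot() would fail with EPERM"
        fi
        printf 'pid=%s uid=%s root=%s  %s\n' "$pid" "$uid" "$root" "$verdict"
    done
}

if [ $# -gt 0 ]; then audit_jail "$1"; fi
```

Run it as root on the host (sh jailaudit.sh apache2). With the setup from the how-to the expected picture is one parent with uid=0 and root=/chroot/apache that can re-chroot, and the workers with the apache uid that cannot. That parent is the reason the Perl interpreter or a C compiler inside the jail matters, and it only matters to an attacker who has already taken over the root process rather than a worker; vdboor's all-unprivileged Apache or grsecurity's chroot restrictions each remove that path.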
Torin_
Tux's lil' helper
Joined: 05 Apr 2004
Posts: 114
Location: [PL]Gdynia
PostPosted: Thu Jul 29, 2004 8:30 am

I think that the init script is a little buggy because I get something like this:
Code:

root@deception /home/torin # /etc/init.d/apache2.chroot start
: command not found line 2:
: command not found line 4:
: command not found line 10:
: command not found line 12:
: command not found line 15:
: command not found line 29:
: command not found line 31:
: command not found line 37:
: command not found line 40:
: command not found line 45:
: command not found line 49:
 * Re-caching dependency info (mtimes differ)...
/etc/apache2/conf/apache2.confn file: /etc/chroot/apache


Could someone comment on that and give any clues as to what's wrong?
mli
n00b
Joined: 24 Jul 2004
Posts: 18
Location: Finland
PostPosted: Thu Jul 29, 2004 5:42 pm

Here are the files I had to copy inside chroot for php to work properly:

Code:
cp /usr/lib/apache2-extramodules/libphp4.so /chroot/apache/usr/lib/apache2-extramodules/libphp4.so

cp /etc/apache2/conf/modules.d/70_mod_php.conf /chroot/apache/etc/apache2/conf/modules.d/70_mod_php.conf

cp /usr/lib/libsablot.so.0 /chroot/apache/usr/lib/libsablot.so.0

cp /usr/lib/libmysqlclient.so.12 /chroot/apache/usr/lib/

cp /usr/lib/libmhash.so.2 /chroot/apache/usr/lib/libmhash.so.2

cp /usr/lib/libmcrypt.so.4 /chroot/apache/usr/lib/libmcrypt.so.4

cp /usr/lib/libltdl.so.3 /chroot/apache/usr/lib/libltdl.so.3

cp /lib/libpam.so.0 /chroot/apache/lib/libpam.so.0

cp /usr/lib/libexslt.so.0 /chroot/apache/usr/lib/libexslt.so.0

cp /usr/lib/libxslt.so.1 /chroot/apache/usr/lib/libxslt.so.1

cp /usr/lib/libdb.so.2 /chroot/apache/usr/lib/libdb.so.2

cp /usr/lib/libcrack.so.2 /chroot/apache/usr/lib/libcrack.so.2

cp /usr/lib/libbz2.so.1.0 /chroot/apache/usr/lib/libbz2.so.1.0

cp /lib/libresolv.so.2 /chroot/apache/lib/libresolv.so.2

cp /usr/lib/libxmlparse.so.0 /chroot/apache/usr/lib/libxmlparse.so.0

cp /usr/lib/libxmltok.so.0 /chroot/apache/usr/lib/libxmltok.so.0

cp /usr/lib/libxml2.so.2 /chroot/apache/usr/lib/libxml2.so.2

cp /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/libstdc++.so.5 /chroot/apache/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/libstdc++.so.5

cp -R /etc/php /chroot/apache/etc


Note that these may or may not be the correct libs depending on your system. Also note that symbolic link lib in /chroot/apache/etc/php/apache2-php4 still points to /usr/lib/apache2-extramodules/ and not /chroot/apache/usr/lib/apache2-extramodules/ so be careful if removing something inside it.

Hope this helps someone.
Torin_
Tux's lil' helper
Joined: 05 Apr 2004
Posts: 114
Location: [PL]Gdynia
PostPosted: Mon Aug 09, 2004 11:09 pm

Ok I've done it.
Also I had to copy many libraries because I have png etc. support.

My question is, can I run mod_userdir with local pages from /home/*/www?
Not from /etc/chroot/apache/home/*/?

I also wonder how big your chroot is; mine is 65 MB :)
ka0ttic
Retired Dev
Joined: 23 Oct 2003
Posts: 46
Location: Ormond Beach, FL
PostPosted: Mon Aug 09, 2004 11:28 pm

Torin_ wrote:
Ok I've done it.
Also I had to copy many libraries because I have png etc. support.

My question is, can I run mod_userdir with local pages from /home/*/www?
Not from /etc/chroot/apache/home/*/?

I also wonder how big your chroot is; mine is 65 MB :)

No, the homedirs need to be under the chroot env. If you put /home as the path in your apache config, then apache will use /chroot/apache/home. To apache, that is /home and / is /chroot/apache and it cannot see outside of that.

What I just ended up doing was creating a symlink from /chroot/apache/home/user/public_html to their real home directory, or if they weren't a local user (i.e. me), I would just add the user to /chroot/apache/etc/passwd and use /chroot/apache/home/user as their real homedir.

65M isn't very much space considering you need space for both the binaries/libs for apache and modules, as well as the space to host the whole site. My partition for /chroot is 5G, but I also run my cvs server chroot'ed there, which takes a couple hundred megs...
dasalvagg
Apprentice
Joined: 26 Jun 2002
Posts: 183
Location: NY
PostPosted: Fri Apr 22, 2005 9:26 pm

I'm getting an error when I try to run the test. The file DOES exist. I'm on amd64; I don't know if this would cause problems. I haven't seen anyone else using it.

Quote:

chroot: cannot run command `/usr/sbin/apache2ctl': No such file or directory
amne
Bodhisattva
Joined: 17 Nov 2002
Posts: 6378
Location: Graz / EU
PostPosted: Tue Apr 26, 2005 8:42 pm

Moved from GC.
_________________
Dinosaur week! (Ok, this thread is so last week)
RUDIII
n00b
Joined: 31 May 2004
Posts: 63
Location: Germany - Hamburg
PostPosted: Fri Apr 29, 2005 1:55 pm

dasalvagg wrote:
I'm getting an error when I try to run the test. The file DOES exist. I'm on amd64; I don't know if this would cause problems. I haven't seen anyone else using it.

Quote:

chroot: cannot run command `/usr/sbin/apache2ctl': No such file or directory


Same problem here!
pointers
Tux's lil' helper
Joined: 18 Apr 2004
Posts: 123
PostPosted: Thu Jun 02, 2005 11:27 am    Post subject: chroot ebuild

hi friends,
if you test my apache chroot ebuild and send me feedback, it is going to be great for me. Here is the ebuild:
http://www.genco.gen.tc/gentoo_chroot_apache2.html . It converts an existing apache2 installation into a chroot environment like the one made for bind.
Not many people have tested it, so I need somebody to test it to understand if it fails in any part.
I am using an apache2 chroot which was converted by this ebuild on a production server.


Best Regards.
a9db0
n00b
Joined: 23 Oct 2002
Posts: 8
Location: Texas
PostPosted: Thu Jun 02, 2005 9:56 pm

dasalvagg wrote:
I'm getting an error when I try to run the test. The file DOES exist. I'm on amd64; I don't know if this would cause problems. I haven't seen anyone else using it.

Quote:

chroot: cannot run command `/usr/sbin/apache2ctl': No such file or directory


And a third Me Too!
I'm running currently up to date on a PII400, so it shouldn't be an architecture problem. Has anyone any suggestions on what to try or how to fix it?
Dave
_________________
If at first you DO succeed, try not to look too surprised...
mrbox
n00b
Joined: 26 Apr 2004
Posts: 10
PostPosted: Tue Jul 12, 2005 5:06 pm

a9db0 wrote:
dasalvagg wrote:
I'm getting an error when I try to run the test. The file DOES exist. I'm on amd64; I don't know if this would cause problems. I haven't seen anyone else using it.

Quote:

chroot: cannot run command `/usr/sbin/apache2ctl': No such file or directory


And a third Me Too!
I'm running currently up to date on a PII400, so it shouldn't be an architecture problem. Has anyone any suggestions on what to try or how to fix it?
Dave


Copy /lib/ld-linux.so.2 to your chroot , that solved it for me.
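The missing-library problem comes up twice in this thread: mli had to copy 15-20 libraries by hand for mod_php, and the "chroot: cannot run command `/usr/sbin/apache2ctl': No such file or directory" that dasalvagg, RUDIII and a9db0 hit is the same problem for the ELF interpreter itself. When /lib/ld-linux.so.2 is absent from the jail, execve() fails with ENOENT even though the binary is there, which is why mrbox's fix works. The script below, an added example and not part of the how-to or of the jail package, resolves a binary's dependency closure with ldd and copies it, loader included, under the jail with the original paths. /chroot/apache and /usr/sbin/apache2ctl are the thread's paths; adapt them.

```shell
#!/bin/sh
# Copy a binary or shared object into a chroot together with every library
# it needs, including the ELF interpreter (/lib/ld-linux.so.2 on x86 Gentoo
# of this period).  A missing interpreter makes execve() fail with ENOENT,
# which chroot(1) reports as "No such file or directory" although the
# binary is present.  Added example for this thread, not part of the how-to
# or of the jail tool; /chroot/apache is the path used in the thread.

# deps_of <binary>: absolute paths of every shared object it needs.
# ldd runs the target through the dynamic loader, so only use it on
# binaries you trust (use readelf -d or objdump -p on anything suspect).
deps_of() {
    ldd "$1" 2>/dev/null | awk '
        /=>/ && $3 ~ /^\// { print $3 }   # libfoo.so.1 => /usr/lib/libfoo.so.1 (0x..)
        $1 ~ /^\//         { print $1 }   # /lib/ld-linux.so.2 (0x..)
    ' | sort -u || true
}

# install_into <jail> <absolute path>: copy one file, keeping its path.
# -L follows symlinks so the soname inside the jail is a real file, not a
# dangling link to something outside the jail.
install_into() {
    jail=$1; src=$2
    [ -e "$src" ] || return 1
    mkdir -p "$jail$(dirname "$src")"
    cp -L "$src" "$jail$src"
}

# copy_with_deps <jail> <binary>...: copy each binary and its closure.
copy_with_deps() {
    jail=$1; shift
    for bin in "$@"; do
        install_into "$jail" "$bin" || { echo "cannot copy $bin" >&2; return 1; }
        for lib in $(deps_of "$bin"); do
            [ -e "$jail$lib" ] && continue
            install_into "$jail" "$lib" || { echo "cannot copy $lib" >&2; return 1; }
        done
    done
}

# missing_in_jail <jail> <binary>: list what the binary would still not
# find inside the jail (prints nothing when the closure is complete).
missing_in_jail() {
    for lib in $(deps_of "$2"); do
        [ -e "$1$lib" ] || echo "$lib"
    done
}

if [ $# -gt 1 ]; then copy_with_deps "$@"; fi
```

Run sh jailcopy.sh /chroot/apache /usr/sbin/apache2 /usr/lib/apache2-extramodules/libphp4.so and then check that missing_in_jail /chroot/apache /usr/sbin/apache2 prints nothing. Two caveats: ldd executes the target's loader, so never point it at a binary you do not trust; and anything loaded later with dlopen(), such as PHP extensions, does not appear in ldd's output and has to be added by hand, which is why mli's list above still matters.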
slashdot
n00b
Joined: 18 Feb 2004
Posts: 30
PostPosted: Wed Aug 03, 2005 10:08 pm

The link doesn't seem to be working. Anyone any ideas where it has been moved to?
dausha
Tux's lil' helper
Joined: 08 Nov 2003
Posts: 112
Location: 34° 45' 44.5"N 92° 23' 10.5"W
PostPosted: Thu Oct 06, 2005 2:21 pm    Post subject: Link Moved . . .

If you Google for it and then look at the archived copy, you will find it.

Alternatively, since it was released with an open license, I have posted it on my site:

http://www.dausha.net/index.php/Technical/HowToChrootApacheInGentoo

Although, there are two commands that are missing because the software I use to help manage my site chokes on them:

Code:
grep apache /etc/passwd >> /chroot/apache/etc/passwd
grep apache /etc/group >> /chroot/apache/etc/group
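mli asked earlier whether the copied /chroot/apache/etc/shadow should have root's hash replaced with * and root's shell set to /bin/false, and the two grep commands above are what populates the jail's passwd and group. The script below, an added example that is not part of the how-to, does both at once: it generates the jail's passwd, group and shadow from scratch with only the web server account and a locked root entry, so no host password hash is ever copied into a directory the server can read. A jailed Apache resolves its User and Group directives against these files (through the NSS libraries copied into the jail), so the entries must exist, but nothing in the jail ever needs a working password. /chroot/apache and the user name apache are the thread's defaults; the host files default to /etc/passwd and /etc/group and can be overridden, which is what the test does with constructed input.

```shell
#!/bin/sh
# Build the minimal /etc/passwd, /etc/group and /etc/shadow for a chroot'ed
# Apache: the web server account copied from the host, plus a root entry
# whose password is locked ("*") and whose shell is /bin/false.  Host
# password hashes are never copied into the jail, where the server (and
# anything that compromises it) could read them.  Added example for this
# thread, not part of the how-to; /chroot/apache and the user name
# "apache" are the thread's defaults.

# entry_for <name> <passwd- or group-style file>: the line whose first
# field is <name> (empty output when there is none).
entry_for() {
    awk -F: -v n="$1" '$1 == n' "$2"
}

# make_jail_accounts <jail> <user> [<host passwd> <host group>]
make_jail_accounts() {
    jail=$1; user=$2; pw=${3:-/etc/passwd}; gr=${4:-/etc/group}
    uline=$(entry_for "$user" "$pw")
    if [ -z "$uline" ]; then echo "no such user: $user" >&2; return 1; fi
    gid=$(printf '%s\n' "$uline" | cut -d: -f4)
    gline=$(awk -F: -v g="$gid" '$3 == g' "$gr" | head -n 1)
    mkdir -p "$jail/etc"

    # root: locked, homed at /, no shell.  The server user keeps its uid,
    # gid and home directory but gets an "x" password field and /bin/false.
    {
        printf 'root:x:0:0:root:/:/bin/false\n'
        printf '%s\n' "$uline" |
            awk -F: 'BEGIN { OFS = ":" } { $2 = "x"; $7 = "/bin/false"; print }'
    } > "$jail/etc/passwd"

    {
        printf 'root:x:0:\n'
        if [ -n "$gline" ] && [ "$gid" != 0 ]; then printf '%s\n' "$gline"; fi
    } > "$jail/etc/group"

    # "*" is not a valid hash, so no password can ever match either entry.
    printf 'root:*:0:0:99999:7:::\n%s:*:0:0:99999:7:::\n' "$user" > "$jail/etc/shadow"
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
    chmod 600 "$jail/etc/shadow"
}

if [ $# -gt 1 ]; then make_jail_accounts "$@"; fi
```

Run sh jailaccounts.sh /chroot/apache apache as root after the how-to's jail has been built, instead of the two grep lines. If you later add local users for mod_userdir the way ka0ttic describes, append them with the same locked shadow entry rather than copying their host lines.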
Page 1 of 2