I am mirroring this article because the original link to it resulted in a 404, and there seems to be interest in preserving it. There are many things that need to be done to make it work. So, please keep me informed of problems you've encountered.
The Linux Kernel Mailing List defines a chroot jail as "A process under the aegis of a chroot() syscall is in a chroot jail, and cannot access the file system above its notion of root directory." Once a process is jailed, it has access only to the files within that jail. Any Apache security breach would therefore be more contained and overall less damaging to the system.
Installing necessary ebuilds
For this guide, we will be using the following software:
(Code listing 2.1)
net-www/apache-2.0.50
app-misc/jail-1.9-r1
Jail is a nice utility that will create the initial chroot environment (coreutils, essential /dev devices, etc), and "install" software that is installed on your system into the chroot environment. It tries to figure out all the files required for that software to run. Unfortunately, it doesn't always detect all the files, but it usually does a pretty good job. The files that jail didn't detect I had to find manually using ldd and strace.
Note: all commands should be run as root
In this document, I will use /chroot/apache as the chroot environment. Change that to whatever path you want to use.
(Code listing 3.1)
mkdir /chroot
mkjailenv /chroot/apache
addjailsw /chroot/apache
This will create the initial chroot environment. Test it out by running:
(Code listing 3.2)
chroot /chroot/apache /bin/sh
Using the -P command-line option of addjailsw, it will try to detect all files required for the specified binary to run. As I said earlier, it does a pretty good job, but not 100%.
(Code listing 4.1)
addjailsw /chroot/apache -P /usr/sbin/apache2
addjailsw /chroot/apache -P /usr/sbin/apache2ctl
addjailsw /chroot/apache -P /usr/sbin/apache2logserverstatus
addjailsw /chroot/apache -P /usr/sbin/apache2splitlogfile
addjailsw /chroot/apache -P /usr/sbin/suexec2
cp -Rp /usr/lib/apache2* /chroot/apache/usr/lib
One library that addjailsw does not detect is libgcc_s.so.1. Apache needs this for pthread_cancel() according to apache's error_log (tail'ing this file in another window or terminal might help troubleshoot if you are having problems, btw). The location of this file depends on what version of gcc you have installed. The following command should locate the correct file:
(Code listing 4.2)
slocate gcc-lib/libgcc_s.so.1
cp -p "$(slocate gcc-lib/libgcc_s.so.1)" /chroot/apache/lib
(If slocate prints more than one path, copy the one belonging to the gcc version currently selected on your system.)
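The manual ldd pass mentioned above (finding files that addjailsw missed) can be scripted. The following is an added example, not part of the original guide or of the jail package: it parses `ldd` output for a binary, reports which of the listed libraries are not yet under the jail, and copies them in with the same directory layout that addjailsw uses. The jail path defaults to /chroot/apache (an assumption taken from this document). Note that libraries loaded at runtime with dlopen(), such as the libgcc_s.so.1 case above, never appear in ldd output, which is why error_log and strace are still needed for those.

```shell
#!/bin/sh
# Added example (not from the original guide): find and copy shared libraries
# that addjailsw missed. Assumes the jail lives at $JAIL (default /chroot/apache).
JAIL=${JAIL:-/chroot/apache}

# ldd_paths: read `ldd BINARY` output on stdin, emit one absolute library path
# per line. Virtual objects such as linux-gate.so.1 (no path after "=>") are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//              { print $1 }'
}

# missing_in_jail JAIL: read paths on stdin, print those not yet present under JAIL.
missing_in_jail() {
    jail=$1
    while read -r path; do
        [ -e "$jail$path" ] || printf '%s\n' "$path"
    done
}

# install_into_jail JAIL: read paths on stdin, copy each into JAIL keeping its
# directory layout (as addjailsw does); prints the number of files copied.
install_into_jail() {
    jail=$1; n=0
    while read -r path; do
        mkdir -p "$jail$(dirname "$path")"
        cp -p "$path" "$jail$path" && n=$((n + 1))
    done
    echo "$n"
}

# Typical use for the apache binary (run as root):
#   ldd /usr/sbin/apache2 | ldd_paths | missing_in_jail "$JAIL" | install_into_jail "$JAIL"
```

Run the pipeline once per binary you installed with addjailsw -P; when `missing_in_jail` prints nothing, every library the dynamic linker resolves statically is in place.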
Copy your apache configuration to the chroot environment:
(Code listing 4.3)
cp -Rp /etc/apache2 /chroot/apache/etc
If you are planning on using CGI, then you will have to install whatever interpreter (perl, python, etc) as well. I will install perl in this example.
(Code listing 4.4)
addjailsw /chroot/apache -P /usr/bin/perl
Note: This should install the minimum needed to run perl (a one-liner inside the chroot environment works). If you want extra perl modules, then you will need to manually copy them from /usr/lib/perl5. You might want CGI.pm. I just copied all of /usr/lib/perl5 to quickly test it.
(Code listing 4.5)
cp -p /etc/hosts /chroot/apache/etc
cp -p /etc/resolv.conf /chroot/apache/etc
If the following directories weren't created, then create them:
(Code listing 4.6)
/chroot/apache/var/log/apache2
/chroot/apache/var/run
Setup apache user/group:
(Code listing 4.7)
PASSWD GROUP (I can't put what I want due to limitations of the software)
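The passwd and group listing above did not survive the original page. As an added example (not the original author's listing), one way to set up the accounts is to build a minimal /etc/passwd and /etc/group inside the jail that hold only root and the account Apache runs as, rather than copying the host files wholesale. It assumes the jail is at /chroot/apache and that Apache's user and group are both named "apache"; /etc/shadow is deliberately not copied, and the password field of every copied entry is forced to "x" so no hash ends up in the jail.

```shell
#!/bin/sh
# Added example (not from the original guide): build minimal /etc/passwd and
# /etc/group inside the jail holding only the accounts Apache needs.
# Assumptions: jail at /chroot/apache, Apache runs as user/group "apache".
JAIL=${JAIL:-/chroot/apache}

# entry_for NAME FILE: print the passwd/group line whose first field is exactly
# NAME (so "apache" never matches "apache-dev"), with the password field forced
# to "x" so no hash is ever copied into the jail.
entry_for() {
    awk -F: -v OFS=: -v name="$1" '$1 == name { $2 = "x"; print }' "$2"
}

# jail_accounts JAIL PASSWD GROUP NAME...: write JAIL/etc/passwd and
# JAIL/etc/group containing root plus each NAME taken from the given host files.
# Prints the number of passwd entries written.
jail_accounts() {
    jail=$1; passwd=$2; group=$3; shift 3
    mkdir -p "$jail/etc"
    : > "$jail/etc/passwd"
    : > "$jail/etc/group"
    for name in root "$@"; do
        entry_for "$name" "$passwd" >> "$jail/etc/passwd"
        entry_for "$name" "$group"  >> "$jail/etc/group"
    done
    chmod 0644 "$jail/etc/passwd" "$jail/etc/group"
    wc -l < "$jail/etc/passwd" | tr -d ' '
}

# Usage (as root):  jail_accounts "$JAIL" /etc/passwd /etc/group apache
```

If you use suexec2, add each user that CGI scripts will run as to the NAME list so their uid/gid can be resolved inside the jail.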
Copy your DocRoot from its current location to a location of your choice inside the chroot environment. You can put it in the same location as it has under your real root directory (to avoid editing all the paths in the apache configs) and optionally, as I did, create a link just to make it easier to type:
(Code listing 4.8)
cp -Rp /var/www /chroot/apache/var
ln -s /chroot/apache/var/www/localhost /chroot/apache/www
Make any configuration changes you need to in the apache configs. For example, trying to load mod_auth_digest gave errors in apache's error_log. This might be fixable, but I didn't have time to investigate.
Before setting up our init scripts to use our chroot'ed version, let's test it manually:
(Code listing 5.1)
chroot /chroot/apache /usr/sbin/apache2ctl start
Check it out and see if it works. If not, check the logs in the chroot environment.
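Besides checking that pages are served, it is worth confirming that the running Apache processes really have their root inside the jail. The following is an added example, not from the original guide: on Linux, /proc/PID/root points at the directory the kernel treats as that process's root, so a chroot'ed worker shows the jail path while an unjailed one shows "/". It assumes the jail is at /chroot/apache, that the apache2 processes can be found with pgrep, and that it is run as root from outside the jail (readlink on another user's /proc/PID/root needs that).

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that running Apache
# processes really have their root inside the jail. Assumes Linux /proc, the
# jail at /chroot/apache, and pgrep for process discovery.
JAIL=${JAIL:-/chroot/apache}

# root_of PID: print the path the kernel reports as PID's root directory
# (a chroot'ed process shows the jail path; an unjailed one shows "/").
root_of() {
    readlink "/proc/$1/root"
}

# is_jailed PID JAIL: print "yes" if PID's root is JAIL, otherwise "no".
is_jailed() {
    if [ "$(root_of "$1")" = "$2" ]; then echo yes; else echo no; fi
}

# check_apache JAIL: report every apache2 process whose root is not JAIL;
# prints the number of such processes (0 means every worker is inside the jail).
check_apache() {
    jail=$1; bad=0
    for pid in $(pgrep -x apache2); do
        if [ "$(is_jailed "$pid" "$jail")" = no ]; then
            echo "pid $pid: root is '$(root_of "$pid")', not $jail" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Usage (as root, after `chroot /chroot/apache /usr/sbin/apache2ctl start`):
#   check_apache "$JAIL"
```

A non-zero count usually means an apache2 started by the ordinary init script is still running alongside the jailed one; stop it before switching the init scripts over.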
Well, hopefully everything worked OK. If so, then download the init scripts.
(Code listing 5.2)
cp /etc/conf.d/apache2 /etc/conf.d/apache2.chroot
cp /etc/init.d/apache2 /etc/init.d/apache2.chroot
Change APACHE_CHROOTDIR to your chroot environment (or leave alone if you used the same path as I did in this document).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
Copyright © 1997-2010 Benjamin C. Wilson · All Rights Reserved.