Jump to content
Sign in to follow this  
hijinks

apache in a chroot

Recommended Posts

I took a script that I use to easily make a chroot enviroment for a user. I edited it to install a currently installed apache setup inside a chroot enviroment for added security. So I have only tested this out on centOS 4.3 with the http rpm installed and also php5. Now in theory it does check for php4 so give it a try.. it shouldn't break anything.

 

So in theory this script should work on any redhat/centos/fedora system out there. Look below the script to find install instructions

 

#!/bin/sh
#
# (c) Copyright by Wolfgang Fuschlberger
#
#	This program is free software; you can redistribute it and/or modify
#	it under the terms of the GNU General Public License as published by
#	the Free Software Foundation; either version 2 of the License, or
#	(at your option) any later version.
#
#	This program is distributed in the hope that it will be useful,
#	but WITHOUT ANY WARRANTY; without even the implied warranty of
#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#	GNU General Public License for more details.
#	( http://www.fsf.org/licenses/gpl.txt )

# first Release: 2004-07-30
# latest update: 2006-04-20
# Jy update: 2006-04-25 (apache chroot)
#
# The latest version of the script is available at
#   http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/
#
# Feedback is welcome!
#
# Thanks for Bugfixes / Enhancements to 
# Michael Prokop <http://www.michael-prokop.at/chroot/>,
# Randy K., Randy D. and Jonathan Hunter.

#
# Features:
# - enable scp and sftp in the chroot-jail
# - use one directory (default /home/jail/) as chroot for all users
################################################################################

if [ "$(whoami)" != "root" ]; then
 echo "Error: You must be root to run this command." >&2
 exit 1
fi

# Specify the apps you want to copy to the jail
APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/sh /bin/su /usr/bin/id /usr/bin/nc /usr/sbin/httpd /usr/lib/httpd/modules/libphp5.so /usr/lib/httpd/modules/libphp4.so"

# Check if we are called with username or update
if [ -z "$1" ]; then
 echo
 echo "Error: Parameter missing. Did you forget the apache chroot dir?"
 echo
 echo "Creating new chrooted account:"
 echo "Usage: $0 dir"
 echo
 exit
fi

# Check existence of necessary files
echo -n "Checking for chroot... " 
if [ `which chroot` ];
then
echo "OK";
else 
echo "failed
Please install chroot-package/binary!
"
exit 1
fi

JAILPATH=/chroot/$1

# make common jail for everybody if inexistent
if [ ! -d $JAILPATH ]; then
mkdir -p $JAILPATH
echo "Creating $JAILPATH"
fi
cd $JAILPATH

# Create directories in jail that do not exist yet
JAILDIRS="dev etc bin home sbin usr usr/bin usr/sbin var/log/httpd lib var/lib/php/session usr/lib/php/modules var/run usr/lib/httpd/modules usr/lib/httpd/build"
for directory in $JAILDIRS; do
	if [ ! -d "$JAILPATH/$directory" ]; then
	mkdir -p $JAILPATH/"$directory"
	echo "Creating $JAILPATH/$directory"
fi
done
echo



# Creating necessary devices
[ -r $JAILPATH/dev/urandom ] || mknod $JAILPATH/dev/urandom c 1 9
[ -r $JAILPATH/dev/null ]	|| mknod $JAILPATH/dev/null	c 1 3
[ -r $JAILPATH/dev/zero ]	|| mknod $JAILPATH/dev/zero	c 1 5
[ -r $JAILPATH/dev/tty ]	 || mknod $JAILPATH/dev/tty	 c 5 0 && chmod 666 $JAILPATH/dev/tty


# Copy the apps and the related libs
echo "Copying necessary library-files to jail (may take some time)"

# The original code worked fine on RedHat 7.3, but did not on FC3.
# On FC3, when the 'ldd' is done, there is a 'linux-gate.so.1' that 
# points to nothing (or a 90xb.....), and it also does not pick up
# some files that start with a '/'. To fix this, I am doing the ldd
# to a file called ldlist, then going back into the file and pulling
# out the libs that start with '/'
# 
# Randy K.
#
# The original code worked fine on 2.4 kernel systems. Kernel 2.6
# introduced an internal library called 'linux-gate.so.1'. This 
# 'phantom' library caused non-critical errors to display during the 
# copy since the file does not actually exist on the file system. 
# To fix re-direct output of ldd to a file, parse the file and get 
# library files that start with /
#
if [ -x /root/ldlist ]; then 
mv /root/ldlist /root/ldlist.bak
fi
if [ -x /root/lddlist2 ]; then 
mv /root/lddlist2 /root/lddlist2.bak
fi

for app in $APPS;  do

# First of all, check that this application exists
if [ -x $app ]; then
	# Check that the directory exists; create it if not.
	app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1#'`
	if ! [ -d .$app_path ]; then
		mkdir -p .$app_path
	fi

	# If the files in the chroot are on the same file system as the
	# original files you should be able to use hard links instead of
	# copying the files, too. Symbolic links cannot be used, because the
	# original files are outside the chroot.
	cp -p $app .$app

	# get list of necessary libraries
	ldd $app >> /root/ldlist
fi
done

# Clear out any old temporary file before we start
if [ -e /root/ldlist2 ]; then
rm /root/ldlist2
fi
for libs in `cat /root/ldlist`; do
  frst_char="`echo $libs | cut -c1`"
  if [ "$frst_char" = "/" ]; then
 echo "$libs" >> /root/ldlist2
  fi
done
for lib in `cat /root/ldlist2`; do
mkdir -p .`dirname $lib` > /dev/null 2>&1

# If the files in the chroot are on the same file system as the original
# files you should be able to use hard links instead of copying the files,
# too. Symbolic links cannot be used, because the original files are
# outside the chroot.
cp $lib .$lib
done

#
# Now, cleanup the 2 files we created for the library list
#
/bin/rm -f /root/ldlist
/bin/rm -f /root/ldlist2

# Necessary files that are not listed by ldd
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/


# if you are using PAM you need stuff from /etc/pam.d/ in the jail,
echo "Copying files from /etc/pam.d/ to jail"
cp -r /etc/pam.d ./etc/

# ...and of course the PAM-modules...
echo "Copying PAM-Modules to jail"
cp -r /lib/security ./lib/

# ...and something else useful for PAM
#echo "Copying /etc/security to jail"
cp -r /etc/security ./etc/
cp /etc/login.defs ./etc/
cp -rf /etc/host.conf /etc/nsswitch.conf /etc/resolv.conf ./etc

echo "Copying over the apache/php configs"
cp -rf /etc/httpd ./etc/
cp -rf /etc/php.d ./etc/
cp -rf /etc/php.ini ./etc/
cp /etc/mime.types ./etc/
cp -rf /usr/lib/php/modules/* ./usr/lib/php/modules/
cp -rf /usr/lib/httpd/modules/* ./usr/lib/httpd/modules/
cp -rf /usr/lib/httpd/build/* ./usr/lib/httpd/build/
chown apache:apache ./var/lib/php/session

echo $2
if [ -n "$2" ]
then
echo "Copying over the doc root: $2"
cp -rf $2 .$2
else
mkdir -p ./var/www
mkdir -p ./var/www/cgi-bin
cp -rf /var/www/error ./var/www
cp -rf /var/www/icons ./var/www
mkdir -p ./var/www/html
fi

echo "Copying over the logs"
cp -rf /var/log/httpd ./var/log/

echo "Grabbing the apache user"
grep apache /etc/passwd > ./etc/passwd
grep apache /etc/group > ./etc/group


exit

 

Ok now put the script into a file.. This wants to install the base enviroment into the /chroot dir. You don't need to create it but if you want it on another partition then you should create a nice little symlink

 

So to create a basic setup which includes moving over all your html files from your root dir you would run the following command

 

sh make_chroot_jail.sh httpd /var/www/

 

You can run it without the /var/www and it will not move anything over but create the basic layout in /var/www like your basic install would

 

So now we need to do some things with syslog to make apache log. So edit /etc/sysconfig/syslog and look for a line with SYSLOGD_OPTIONS and make it look something like this

 

SYSLOGD_OPTIONS="-m 0 -a /chroot/httpd/dev/log"

 

You would change httpd to the name you used in the sh make_chroot_jail command. So restart syslog with the following command

 

service syslog restart

 

Now lets test starting apache

 

chroot /chroot/httpd /usr/sbin/httpd

 

You might have to stop the normal apache from running or it won't beind to the port.

 

hope this helps some people out!

 

now on a side note you will see it running as /usr/sbin/httpd in a ps aux. Now this is normal since its running in a chroot here is an example

 

[root@fx-ws-sop-110 www]# ps aux | grep httpd
root	 20627  0.0  0.3 16496 6840 ?		Ss   15:00   0:00 /usr/sbin/httpd
apache   20628  0.0  0.3 16496 6960 ?		S	15:00   0:00 /usr/sbin/httpd
apache   20629  0.0  0.3 16500 6976 ?		S	15:00   0:00 /usr/sbin/httpd
apache   20630  0.0  0.3 16496 6956 ?		S	15:00   0:00 /usr/sbin/httpd
apache   20631  0.0  0.3 16496 6956 ?		S	15:00   0:00 /usr/sbin/httpd
apache   20632  0.0  0.3 16500 6976 ?		S	15:00   0:00 /usr/sbin/httpd
apache   20633  0.0  0.3 16496 6956 ?		S	15:00   0:00 /usr/sbin/httpd
apache   20634  0.0  0.3 16496 6956 ?		S	15:00   0:00 /usr/sbin/httpd
apache   20635  0.0  0.3 16496 6856 ?		S	15:00   0:00 /usr/sbin/httpd

 

To verify its running correctly grab the PID of the httpd process that is running as root and do something like this

 

ls /proc/20627/root/

 

It should show you the directory structure of /chroot/httpd

  • Like 1

Share this post


Link to post
Share on other sites

nice informative post as always Jy

 

pinned !

 

cheers

 

anyweb

Share this post


Link to post
Share on other sites
Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×
×
  • Create New...