Originally Published: Monday, 20 September 1999 Author: Jim Hewlett
Published to: enchance_articles_security/Advanced Security Articles

Chrooting apache - securing your webserver further - by Jim Hewlett


This week's article is on the chrooting of apache. I also recommend reading Brad Marshall's articles on other aspects of securing apache. If you haven't read any of Brad's articles yet, please take the time to do so; they're super.

Chrooting apache is no easy task and has a tendency to break things. Before we embark on this, we need to first decide whether it is beneficial for you to do so. Some pros and cons are (but most certainly not limited to):

Pros:

Cons:

Have you decided? Yes? Good, let's embark on our mission. Mosey over to Apache's site and pick up the latest copy, then compile and install it. I'm using the default location of /usr/local in this paper. Adding gcc -static to CC= in src/Configuration.tmpl, or specifying it on the command line, will compile apache statically. However, apparently in newer versions of glibc I am unable to get a truly statically compiled binary, as shared NSS libraries are called by some libraries that would otherwise be compiled statically. If you've compiled statically and encounter problems, this is likely the case. You can still hardlink your libraries if apache is on the same partition.

OK, now we're all compiled and have an apache waiting to be installed. Before we can do that we need to create the chroot structure. I use /usr/local/chroot for all my chrooted services. So, pick a location you're fond of and make a 'chroot' dir. Within the chroot dir, do mkdir -p httpd/usr/local/apache. The httpd is just a directory where I've decided to put apache. We need the /usr/local/apache directories because, from the point of view of the chroot, we're sitting at / and we need a /usr/local/apache since apache will be expecting to find itself there. Next, make a symbolic link from where apache normally installs to (/usr/local/apache in my case) to the chroot dir (/usr/local/chroot/httpd/usr/local/apache). Ugly, I know. Now make install and then go check and make sure everything installed OK.

Here comes the fun part: we get to muck up apache's start/stop script for chroot! Load /usr/local/apache/bin/apachectl in your favorite editor (as opposed to one you hate, I guess).

If you compiled apache to use shared libraries, you need to install them into the chroot directory structure. Use ldd /usr/local/apache/bin/httpd to find out which libraries are needed. The output will be something similar to:

Copying the libraries:

You'll also need the following extra libraries for some network functions like name resolution. If you're compiling statically, remember to include the resolver libs in your compile.

We now need to make /etc inside the chroot for a few files like passwd and group. The concept here is similar to how ftpd uses passwd and group files. mkdir /usr/local/chroot/httpd/etc, and copy /etc/passwd and /etc/group there. Next, remove all entries except for the user that apache runs as in both files. Do remember to remove passwords as well; replacing them with !! will be sufficient. You will also need /etc/resolv.conf, /etc/hosts and /etc/nsswitch.conf. Lastly, run ldconfig -r /usr/local/chroot/httpd to create a cache for any libraries that may be in the chroot.

Whew, we're finished! Try it out: /usr/local/apache/apachectl start. If you don't get any errors, do a ps auwx|grep http and see if we're running. If so, let's check to make sure it's chrooted by picking out one of the process numbers of httpd and doing ls -al /proc/that_process_number/root. If you see /usr/local/chroot/httpd, congratulations! If you're using the older 2.0.x kernels, you'll only see numbers there. Those are inodes. You'll have to do ls -i /usr/local/chroot/httpd and compare the number from proc with it.
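The steps above (building the chroot tree, copying the shared libraries ldd reports, trimming passwd and group, copying the resolver files, refreshing the library cache and checking /proc/PID/root), collected into shell functions as an added example. This is not the article's own script and does not reproduce the author's apachectl edit; the path arguments default to nothing so the functions can be tried against a scratch directory, and EXTRA_LIBS is an assumed hook for the NSS/resolver libraries that glibc loads at runtime and ldd therefore does not list.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the chroot layout the
# article describes (/usr/local/chroot/httpd by default when run as "build").
# ASSUMPTION: glibc dlopen()s its NSS modules (libnss_*), so ldd never prints
# them; list their full paths in EXTRA_LIBS (space separated) to copy them too.

# Create the tree httpd expects to find relative to its new root.
make_chroot_tree() {
    chroot_dir=$1
    mkdir -p "$chroot_dir/usr/local/apache" "$chroot_dir/etc" \
             "$chroot_dir/lib" "$chroot_dir/usr/lib"
}

# Copy every shared object ldd reports for a binary, keeping the same path
# under the chroot, plus anything listed in EXTRA_LIBS.
copy_needed_libs() {
    chroot_dir=$1; binary=$2
    { ldd "$binary" 2>/dev/null || true; } |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            [ -f "$lib" ] || continue
            mkdir -p "$chroot_dir$(dirname "$lib")"
            cp -p "$lib" "$chroot_dir$lib"
        done
    for lib in ${EXTRA_LIBS:-}; do
        mkdir -p "$chroot_dir$(dirname "$lib")" && cp -p "$lib" "$chroot_dir$lib"
    done
}

# Keep only the user httpd runs as (and its primary group) in the chroot's
# passwd and group, with the password fields replaced by "!!".
make_minimal_passwd() {
    chroot_dir=$1; user=$2
    mkdir -p "$chroot_dir/etc"
    awk -F: -v OFS=: -v u="$user" '$1 == u { $2 = "!!"; print }' \
        /etc/passwd > "$chroot_dir/etc/passwd"
    gid=$(awk -F: -v u="$user" '$1 == u { print $4 }' /etc/passwd)
    awk -F: -v OFS=: -v g="$gid" '$3 == g { $2 = "!!"; print }' \
        /etc/group > "$chroot_dir/etc/group"
}

# Resolver configuration the jailed httpd needs for name lookups.
copy_resolver_files() {
    chroot_dir=$1
    for f in /etc/resolv.conf /etc/hosts /etc/nsswitch.conf; do
        if [ -f "$f" ]; then cp -p "$f" "$chroot_dir/etc/"; fi
    done
    return 0
}

# The /proc/<pid>/root check from the article: 0 when the process's root is
# chroot_dir, 1 otherwise (needs a kernel new enough to show a path there).
check_chrooted() {
    pid=$1; chroot_dir=$2
    actual=$(readlink "/proc/$pid/root") || return 1
    [ "$actual" = "$chroot_dir" ]
}

# Refresh the chroot's ld.so.cache and start httpd inside the jail.
# Must run as root; this stands in for the edited apachectl the article
# refers to (ASSUMPTION: the author's actual edit is not reproduced here).
start_chrooted_httpd() {
    chroot_dir=$1
    ldconfig -r "$chroot_dir"
    chroot "$chroot_dir" /usr/local/apache/bin/httpd
}

# Only act when explicitly asked, e.g. "sh chroot-apache.sh build".
if [ "${1:-}" = "build" ]; then
    CHROOT=${CHROOT:-/usr/local/chroot/httpd}
    make_chroot_tree "$CHROOT"
    copy_needed_libs "$CHROOT" /usr/local/apache/bin/httpd
    make_minimal_passwd "$CHROOT" "${APACHE_USER:-nobody}"
    copy_resolver_files "$CHROOT"
    echo "chroot tree prepared under $CHROOT"
fi
```

After a real build, start httpd with start_chrooted_httpd, pick a PID from ps auwx|grep http and run check_chrooted on it; a 0 exit confirms what the ls -al /proc/PID/root step shows by eye.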

A couple of side notes you should be aware of:

Comments, suggestions, or additions are welcome. Just point them to jh@linux.com.

jh is a freelance UNIX Systems Administrator with over 4 years of experience maintaining machines and networks throughout the south-east.