[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]
Chroot
environment for Apache
The chroot
utility is often used to jail a daemon in a restricted
tree. You can use it to insulate services from one another, so that security
issues in a software package do not jeopardize the whole server. When using
the makejail
script, setting up and updating the chrooted tree is
much easier.
FIXME: Apache can also be chrooted using http://www.modsecurity.org
which
is available in libapache-mod-security
(for Apache 1.x) and
libapache2-mod-security
(for Apache 2.x).
This document is copyright 2002 Alexandre Ratti. It has been dual-licensed and
released under the GPL version 2 (GNU General Public License) the GNU-FDL 1.2
(GNU Free Documentation Licence) and is included in this manual with his
explicit permission. (from the original
document
)
This procedure was tested on Debian GNU/Linux 3.0 (Woody) with
makejail
0.0.4-1 (in Debian/testing).
Log in as root
and create a new jail directory:
$ mkdir -p /var/chroot/apache
Create a new user and a new group. The chrooted Apache server will run as this
user/group, which isn't used for anything else on the system. In this example,
both user and group are called chrapach
.
$ adduser --home /var/chroot/apache --shell /bin/false \ --no-create-home --system --group chrapach
FIXME: is a new user needed? (Apache already runs as the apache user)
Install Apache as usual on Debian: apt-get install apache
Set up Apache (e.g. define your subdomains, etc.). In the
/etc/apache/httpd.conf
configuration file, set the Group
and User options to chrapach. Restart Apache and make
sure the server is working correctly. Now, stop the Apache daemon.
Install makejail
(available in Debian/testing for now). You
should also install wget
and lynx
as they will be
used by makejail
to test the chrooted server: apt-get
install makejail wget lynx
Copy the sample configuration file for Apache to the /etc/makejail
directory:
# cp /usr/share/doc/makejail/examples/apache.py /etc/makejail/
Edit /etc/makejail/apache.py
. You need to change the
chroot, users and groups options. To run this
version of makejail
, you can also add a packages
option. See the makejail
documentation
. A sample is shown here:
chroot="/var/chroot/apache" testCommandsInsideJail=["/usr/sbin/apachectl start"] processNames=["apache"] testCommandsOutsideJail=["wget -r --spider http://localhost/", "lynx --source https://localhost/"] preserve=["/var/www", "/var/log/apache", "/dev/log"] users=["chrapach"] groups=["chrapach"] packages=["apache", "apache-common"] userFiles=["/etc/password", "/etc/shadow"] groupFiles=["/etc/group", "/etc/gshadow"] forceCopy=["/etc/hosts", "/etc/mime.types"]
FIXME: some options do not seem to work properly. For instance,
/etc/shadow
and /etc/gshadow
are not copied, whereas
/etc/password
and /etc/group
are fully copied instead
of being filtered.
Create the chroot tree: makejail /etc/makejail/apache.py
If /etc/password
and /etc/group
were fully copied,
type:
$ grep chrapach /etc/passwd > /var/chroot/apache/etc/passwd $ grep chrapach /etc/group > /var/chroot/apache/etc/group
to replace them with filtered copies.
Copy the Web site pages and the logs into the jail. These files are not copied
automatically (see the preserve option in makejail
's
configuration file).
# cp -Rp /var/www /var/chroot/apache/var # cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache
Edit the startup script for the system logging daemon so that it also listen to
the /var/chroot/apache/dev/log
socket. In
/etc/default/syslogd
, replace: SYSLOGD=""
with SYSLOGD=" -a /var/chroot/apache/dev/log" and
restart the daemon (/etc/init.d/sysklogd restart).
Edit the Apache startup script (/etc/init.d/apache
). You might
need to make some changes to the default startup script for it to run properly
with a chrooted tree. Such as:
set a new CHRDIR variable at the top of the file;
edit the start, stop, reload, etc. sections;
add a line to mount and unmount the /proc
filesystem within the
jail.
#! /bin/bash # # apache Start the apache HTTP server. # CHRDIR=/var/chroot/apache NAME=apache PATH=/bin:/usr/bin:/sbin:/usr/sbin DAEMON=/usr/sbin/apache SUEXEC=/usr/lib/apache/suexec PIDFILE=/var/run/$NAME.pid CONF=/etc/apache/httpd.conf APACHECTL=/usr/sbin/apachectl trap "" 1 export LANG=C export PATH test -f $DAEMON || exit 0 test -f $APACHECTL || exit 0 # ensure we don't leak environment vars into apachectl APACHECTL="env -i LANG=${LANG} PATH=${PATH} chroot $CHRDIR $APACHECTL" if egrep -q -i "^[[:space:]]*ServerType[[:space:]]+inet" $CONF then exit 0 fi case "$1" in start) echo -n "Starting web server: $NAME" mount -t proc proc /var/chroot/apache/proc start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON \ --chroot $CHRDIR ;; stop) echo -n "Stopping web server: $NAME" start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" --oknodo umount /var/chroot/apache/proc ;; reload) echo -n "Reloading $NAME configuration" start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" \ --signal USR1 --startas $DAEMON --chroot $CHRDIR ;; reload-modules) echo -n "Reloading $NAME modules" start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" --oknodo \ --retry 30 start-stop-daemon --start --pidfile $PIDFILE \ --exec $DAEMON --chroot $CHRDIR ;; restart) $0 reload-modules exit $? ;; force-reload) $0 reload-modules exit $? ;; *) echo "Usage: /etc/init.d/$NAME {start|stop|reload|reload-modules|force-reload|restart}" exit 1 ;; esac if [ $? == 0 ]; then echo . exit 0 else echo failed exit 1 fi
FIXME: should the first Apache process be run as another user than root (i.e. add --chuid chrapach:chrapach)? Cons: chrapach will need write access to the logs, which is awkward.
Replace in /etc/logrotate.d/apache
/var/log/apache/*.log with
/var/chroot/apache/var/log/apache/*.log
Start Apache (/etc/init.d/apache start
) and check what is it
reported in the jail log
(/var/chroot/apache/var/log/apache/error.log
). If your setup is
more complex, (e.g. if you also use PHP and MySQL), files will probably be
missing. if some files are not copied automatically by makejail
,
you can list them in the forceCopy (to copy files directly) or
packages (to copy full packages and their dependencies) option the
/etc/makejail/apache.py
configuration file.
Type ps aux | grep apache to make sure Apache is running. You should see something like:
root 180 0.0 1.1 2936 1436 ? S 04:03 0:00 /usr/sbin/apache chrapach 189 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 190 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 191 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 192 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 193 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache
Make sure the Apache processes are running chrooted by looking in the
/proc
filesystem: ls -la
/proc/process_number/root/. where process_number
is one of the PID numbers listed above (2nd column; 189 for instance). The
entries for a restricted tree should be listed:
drwxr-sr-x 10 root staff 240 Dec 2 16:06 . drwxrwsr-x 4 root staff 72 Dec 2 08:07 .. drwxr-xr-x 2 root root 144 Dec 2 16:05 bin drwxr-xr-x 2 root root 120 Dec 3 04:03 dev drwxr-xr-x 5 root root 408 Dec 3 04:03 etc drwxr-xr-x 2 root root 800 Dec 2 16:06 lib dr-xr-xr-x 43 root root 0 Dec 3 05:03 proc drwxr-xr-x 2 root root 48 Dec 2 16:06 sbin drwxr-xr-x 6 root root 144 Dec 2 16:04 usr drwxr-xr-x 7 root root 168 Dec 2 16:06 var
To automate this test, you can type:ls -la /proc/`cat /var/chroot/apache/var/run/apache.pid`/root/.
FIXME: Add other tests that can be run to make sure the jail is closed?
The reason I like this is because setting up the jail is not very difficult and the server can be updated in just two lines:
apt-get update && apt-get install apache makejail /etc/makejail/apache.py
If you are looking for more information you can consider these sources of information in which the information presented is based:
makejail homepage
,
this program was written by Alain Tesio
[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ G ] [ H ] [ next ]
Securing Debian Manual
[email protected]