In the last issue we discussed CGI and FastCGI, which let the Apache daemon run
scripts written in languages such as Python or Perl on the web server. This can
be dangerous: a script, or whoever controls it, can reach the file system of the
OS on which Apache runs and change it, deleting or corrupting files, knowingly
or unknowingly, and increasing the downtime of your web server. If Apache is
prevented from seeing the whole file system, the damage is contained. Chroot is
one option for restricting the part of the file system Apache can reach. It
changes the root directory that a process sees: a directory of your choice
becomes '/' for that process, and everything outside it is invisible to it.
Note that chroot does not copy or fork the file system, and it is much weaker
than a Solaris container: a process that still runs as root inside a chroot can
usually break out of it, so Apache must drop to an unprivileged user once it has
bound its port, as it normally does through its User and Group directives.
But yes, the implementation is a bit involved. Apache needs some extra library
files inside its new root, and if you plan to run a scripting language like
Python, you must also copy the interpreter, its libraries and the binaries it
calls into the base directory.
In this article, we discuss how you can create a restricted zone for Apache and
safeguard your file system. For this we create a directory called 'jail', which
will hold the base directory for Apache. We used Fedora 10.
Direct Hit!
Applies To: Web admins
Price: Free
USP: Make Apache web server more secure
Primary Link: www.faqs.org/docs/securing/chap29sec254.html
Keyword: apache chroot
Creating Jail
The jail holds a cut-down copy of the real file system: just enough of the usual
tree (dev, etc, lib, usr, var and so on) for Apache to believe it is looking at
a complete system. First create the directory '/jail' and, under it, the
directory tree that Apache needs. Execute the following commands to create the
required tree:
# mkdir -p /jail/httpd
# mkdir /jail/httpd/dev
# mkdir /jail/httpd/lib
# mkdir /jail/httpd/etc
# mkdir -p /jail/httpd/usr/sbin
# mkdir /jail/httpd/usr/lib
# mkdir /jail/httpd/usr/libexec
# mkdir -p /jail/httpd/var/run
# mkdir -p /jail/httpd/var/log/apache
# mkdir -p /jail/httpd/home/httpd
After you have created the directory structure inside the jail directory, set
proper permissions for all folders, so that they can be modified only by the
root user.
# chown -R root /jail/httpd
# chmod -R 0755 /jail/httpd
# chmod 750 /jail/httpd/var/log/apache/
Once Apache runs inside the jail, /jail/httpd becomes its root directory, so it
can no longer reach /dev/null (which Apache uses to discard unwanted output),
and we must create one inside the jail. Also copy the Apache configuration
directory, the cgi-bin directory and your DocumentRoot into the jail. For
creating the null device and copying the necessary files, execute the following
commands as root:
# cp -r /etc/httpd /jail/httpd/etc/
# cp -r /home/httpd/cgi-bin /jail/httpd/home/httpd/
# cp -r /home/httpd/your-DocumentRoot /jail/httpd/home/httpd/
# mknod /jail/httpd/dev/null c 1 3
# chown root /jail/httpd/dev/null
# chmod 666 /jail/httpd/dev/null
# cp /usr/sbin/httpd /jail/httpd/usr/sbin/
Now find out which shared libraries the httpd binary is linked against. For
this run the following command on Fedora:
# ldd /usr/sbin/httpd
linux-vdso.so.1 => (0x00007fff2a7fe000)
libm.so.6 => /lib/libm.so.6 (0x0000000000331000)
libpcre.so.0 => /lib/libpcre.so.0 (0x00000000005b6000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00000000007e5000)
libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x0000000000a01000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x0000000000c23000)
libdb-4.7.so => /lib/libdb-4.7.so (0x0000000000e5b000)
libexpat.so.1 => /lib/libexpat.so.1 (0x000000006bea7000)
libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00000000978bb000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00000000e376f000)
libdl.so.2 => /lib/libdl.so.2 (0x00000000011cf000)
libc.so.6 => /lib/libc.so.6 (0x00000000013d3000)
/lib/ld-linux-x86-64.so.2 (0x0000000000110000)
libuuid.so.1 => /lib/libuuid.so.1 (0x000000000e8e8000)
After you have found the libraries Apache depends on, copy them into the lib
directory of httpd inside the jail directory (the vdso entry is not a file on
disk and is skipped). Keep each library at the same path it has on the host:
the path of the loader, /lib/ld-linux-x86-64.so.2 here, is hard-coded in the
binary, and on a 64-bit Fedora the libraries live in /lib64 and /usr/lib64, in
which case create lib64 directories in the jail instead. Stop the httpd daemon
first, then run the following commands:
# cp /lib/libm.so.6 /jail/httpd/lib/
# cp /lib/libpcre.so.0 /jail/httpd/lib/
# cp /lib/libselinux.so.1 /jail/httpd/lib/
# cp /usr/lib/libaprutil-1.so.0 /jail/httpd/usr/lib/
# cp /lib/libcrypt.so.1 /jail/httpd/lib/
# cp /lib/libdb-4.7.so /jail/httpd/lib/
# cp /lib/libexpat.so.1 /jail/httpd/lib/
# cp /usr/lib/libapr-1.so.0 /jail/httpd/usr/lib/
# cp /lib/libpthread.so.0 /jail/httpd/lib/
# cp /lib/libdl.so.2 /jail/httpd/lib/
# cp /lib/libc.so.6 /jail/httpd/lib/
# cp /lib/ld-linux-x86-64.so.2 /jail/httpd/lib/
# cp /lib/libuuid.so.1 /jail/httpd/lib/
As discussed earlier, you also need some extra libraries that ldd does not
list: the NSS modules that glibc loads at run time to resolve user and group
names (for Apache's User and Group directives) and host names. Execute the
following commands to copy them:
# cp /lib/libnss_compat* /jail/httpd/lib/
# cp /lib/libnss_dns* /jail/httpd/lib/
# cp /lib/libnss_files* /jail/httpd/lib/
Next copy the passwd and group files into the jail's etc directory, so that the
user and group Apache runs as can be resolved. Preferably keep only the lines
for root and for the Apache user and group, rather than exposing the host's
complete account list inside the jail (password hashes live in /etc/shadow,
which is not copied). To copy the files, execute the following commands:
# cp /etc/passwd /jail/httpd/etc/
# cp /etc/group /jail/httpd/etc/
We also need a world-writable tmp directory with the sticky bit set inside the
httpd directory of the jail:
# mkdir /jail/httpd/tmp
# chmod 1777 /jail/httpd/tmp
For testing the configuration, start the syslog daemon and then httpd with the
jail as its root directory (the chroot command does this). If Apache logs
through syslog, the syslog daemon must also listen on a socket inside the jail,
/jail/httpd/dev/log; with sysklogd that is its -a option. To check whether
Apache is really running in the jail, look at the root directory of the httpd
process through /proc, replacing 12314 with the PID of your httpd process:
# ls -la /proc/12314/root/
The listing should show only the jail's directories and nothing of the real
root:
dev
etc
home
lib
tmp
usr
var
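The whole procedure above gathered into one script, as an added example that is not part of the original article or of the Apache project. It assumes the article's layout (/jail/httpd, configuration under /etc/httpd, cgi-bin and DocumentRoot under /home/httpd), that httpd runs as the user 'apache' after binding its port, and that ldd prints the usual glibc format; the names build_jail, start_in_jail, ldd_paths, copy_into_jail and keep_accounts are the script's own. Unlike the hand-typed list, it keeps each library at the same path it has on the host, so it also works where the libraries live in /lib64, and it writes trimmed passwd and group files instead of copying the host's. Building and starting the jail need root; the parsing and copying helpers do not.

```shell
#!/bin/sh
# Added example (not from the article): automate the Apache chroot jail.
# Assumptions: the article's directory layout; httpd runs as "apache" after
# binding its port; ldd prints "name => /path (0xaddr)" or "/path (0xaddr)".
set -u

JAIL_USERS=${JAIL_USERS:-root:apache}   # accounts that must resolve inside the jail

# Print one absolute library path per line from ldd output on stdin.
# The vDSO entry has no file on disk and is skipped.
ldd_paths() {
    awk '/=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy every path read from stdin into the jail ($1) at the same location it
# has on the host, so /lib64/libc.so.6 stays /lib64/libc.so.6 inside.
# Returns non-zero if any source is missing or a copy fails.
copy_into_jail() {
    jail=$1; rc=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ ! -e "$p" ]; then echo "missing: $p" >&2; rc=1; continue; fi
        mkdir -p "$jail$(dirname "$p")" && cp -p "$p" "$jail$p" || rc=1
    done
    return $rc
}

# Keep only the accounts named in $1 (colon-separated) from a passwd- or
# group-style file on stdin, so the jail does not carry the host's user list.
keep_accounts() {
    awk -F: -v keep="$1" '
        BEGIN { n = split(keep, k, ":"); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($1 in want) { print }'
}

# Build the tree from the article, copy httpd with its libraries and the NSS
# modules, install trimmed passwd/group files, and create /dev/null and tmp.
build_jail() {
    jail=$1; httpd=$2; docroot=$3
    for d in dev etc lib usr/sbin usr/lib usr/libexec var/run var/log/apache home/httpd tmp; do
        mkdir -p "$jail/$d"
    done
    { echo "$httpd"; ldd "$httpd" | ldd_paths; } | copy_into_jail "$jail"
    for dir in /lib /lib64; do                       # NSS modules are not listed by ldd
        for f in "$dir"/libnss_compat* "$dir"/libnss_dns* "$dir"/libnss_files*; do
            [ -e "$f" ] && echo "$f"
        done
    done | copy_into_jail "$jail"
    keep_accounts "$JAIL_USERS" < /etc/passwd > "$jail/etc/passwd"
    keep_accounts "$JAIL_USERS" < /etc/group  > "$jail/etc/group"
    cp -r /etc/httpd "$jail/etc/"
    cp -r /home/httpd/cgi-bin "$jail/home/httpd/"   # the article's cgi-bin location
    cp -r "$docroot" "$jail/home/httpd/"
    chown -R root "$jail" && chmod -R 0755 "$jail"
    chmod 750 "$jail/var/log/apache"
    [ -c "$jail/dev/null" ] || mknod "$jail/dev/null" c 1 3
    chmod 666 "$jail/dev/null"
    chmod 1777 "$jail/tmp"                           # sticky, world-writable tmp
}

# Start httpd with the jail as its root and show which directory it sees as /.
start_in_jail() {
    jail=$1
    chroot "$jail" /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
    pid=$(pgrep -o -x httpd)                         # oldest httpd is the parent
    echo "httpd $pid sees / as: $(readlink "/proc/$pid/root")"
}

case ${1-} in
    build) build_jail "$2" "$3" "$4" ;;
    start) start_in_jail "$2" ;;
esac
```

Run it as root with "sh jail.sh build /jail/httpd /usr/sbin/httpd /home/httpd/your-DocumentRoot", then "sh jail.sh start /jail/httpd". The start step prints the directory the httpd process sees as its root, which is the same check as the /proc listing above, only read directly from the root symlink.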
Apache's view of the file system now ends at /jail/httpd: anything a
compromised or misbehaving script corrupts is confined to these directories and
can be traced there, not elsewhere on the host. Remember that chroot restricts
only file system access; it does not limit network access and does not protect
against a process that still runs as root, so keep Apache's User and Group set
to an unprivileged account. In case you have any doubts or queries, please post
them at forums.pcquest.com.