ModChroot

Description of mod_chroot

mod_chroot is a module for the Apache webserver that runs the httpd inside a chroot with very little setup. This matters most for the scripts the server executes: running as the unprivileged httpd user, they only see the files inside the chroot, so an attacker who compromises a web application cannot read or modify the rest of the system through it. Keep in mind that chroot() is not a barrier against a process running as root: the chroot directory itself has to stay owned by root and not writable by the httpd user, and nothing should run as root inside it.

NOTE: Apache 2.2.10 and later has a built-in ChrootDir directive, so the mod_chroot module should not be used with those versions.

Why is it so fancy?

The good thing about this module is that you don't have to maintain a chroot containing every file the Apache httpd may need (libraries, modules, configuration). mod_chroot calls chroot() only after the server has finished starting up and loaded all of that, so the chroot only has to contain what the running server and its scripts touch afterwards.

TODO

  • Include a solution to handle sending email from the chroot with the PHP mail() function. Several possibilities are available. Didn't test any because I didn't need it myself.
  • Add more information for services which might be affected.
  • Include information regarding DNS resolving.

HOWTO

It's aimed at my local setup, so you might want to change some paths or leave some parts out. I decided to locate the chroot at /var/chroot/apache.

Install & Configure

install the module

apt-get install libapache2-mod-chroot

enable the module

a2enmod mod_chroot

set chroot path

echo "ChrootDir /var/chroot/apache" > /etc/apache2/conf.d/mod_chroot

Build chroot

create the chroot directory

mkdir -p /var/chroot/apache

apache needs this to run (the pid file is written to /var/run inside the chroot)

mkdir -p /var/chroot/apache/var/run 

PHP5 session files

Some PHP5 applications need this. At least DokuWiki wanted to create a session file under /var/lib/php5 (you may not need this):

mkdir -p /var/chroot/apache/var/lib/php5

use chmod to set the php5 directory to drwx-wx-wt (octal mode 1733), as on the real /var/lib/php5: world-writable with the sticky bit, so scripts can create session files but can only delete their own, and the directory cannot be listed.

Fixing up mod_userdir

In case you want to use mod_userdir for the personal web space of users (hostname/~username), /home and /etc/passwd are necessary inside the chroot. Bind mounts are used so nothing has to be copied:

mkdir -p /var/chroot/apache/home
mkdir -p /var/chroot/apache/etc
touch /var/chroot/apache/etc/passwd
echo "/home /var/chroot/apache/home none bind 0 0" >> /etc/fstab
echo "/etc/passwd /var/chroot/apache/etc/passwd none bind 0 0" >> /etc/fstab

Obviously you also have to mount them. Note that /etc/passwd contains no password hashes, but it does expose the list of accounts to every script in the chroot, and the /home bind mount is read-write: scripts can write anywhere in /home that the httpd user is allowed to. Remounting that bind mount read-only limits this.

Fix apache2ctl

Once chrooted, Apache writes its pid file to /var/run/apache2.pid relative to the chroot, i.e. /var/chroot/apache/var/run/apache2.pid, while apache2ctl and the init script still look at /var/run/apache2.pid. A symlink keeps stop and restart working:

ln -s /var/chroot/apache/var/run/apache2.pid /var/run/apache2.pid

Finish it up

restart apache2 to load mod_chroot

/etc/init.d/apache2 restart
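The whole procedure above as one script, with two checks the page does not have. This is an added example, not code from the page or from mod_chroot: it builds the skeleton under CHROOT (default /var/chroot/apache, override it for a dry run elsewhere), writes the ChrootDir snippet, prints the fstab lines instead of editing /etc/fstab, and adds check_chroot (directories present, php5 dir mode 1733, chroot root not writable by others) and apache_is_chrooted (reads /proc/<pid>/root of the process named in the pid file to confirm the running server really lives in the chroot). The variable names, the "build" argument and the check functions are this example's own assumptions; stat -c %a is GNU stat.

```shell
#!/bin/sh
# Added example: build and verify the mod_chroot skeleton from the HOWTO.
# Not part of the original page or of mod_chroot; variable names, the
# "build" argument and the check functions are this example's own.
#   sh build-chroot.sh build                       # real run, as root
#   CHROOT=/tmp/dry-run sh build-chroot.sh build   # dry run elsewhere
set -eu

CHROOT="${CHROOT:-/var/chroot/apache}"
APACHE_CONF_DIR="${APACHE_CONF_DIR:-/etc/apache2/conf.d}"

# Directories and files the HOWTO needs inside the chroot.
build_chroot_skeleton() {
    root="$1"
    mkdir -p "$root"
    chmod 755 "$root"                   # the chroot root must not be writable by www-data
    mkdir -p "$root/var/run"            # pid file and lock files
    mkdir -p "$root/var/lib/php5"       # PHP5 session files
    chmod 1733 "$root/var/lib/php5"     # drwx-wx-wt: writable, sticky, not listable
    mkdir -p "$root/home" "$root/etc"   # bind-mount targets for mod_userdir
    : > "$root/etc/passwd"              # empty file to bind-mount /etc/passwd onto
}

# ChrootDir snippet, same content as the echo line in the HOWTO.
write_chroot_conf() {
    mkdir -p "$2"
    printf 'ChrootDir %s\n' "$1" > "$2/mod_chroot"
}

# The two bind-mount lines for /etc/fstab (printed, not appended, so you can review them).
fstab_lines() {
    printf '/home %s/home none bind 0 0\n' "$1"
    printf '/etc/passwd %s/etc/passwd none bind 0 0\n' "$1"
}

# Returns 0 when the skeleton is complete and has sane permissions, 1 otherwise.
# Uses GNU stat: -c %a prints the octal mode including the sticky bit.
check_chroot() {
    root="$1"
    for d in var/run var/lib/php5 home etc; do
        [ -d "$root/$d" ] || { echo "missing directory $root/$d" >&2; return 1; }
    done
    [ -f "$root/etc/passwd" ] || { echo "missing $root/etc/passwd" >&2; return 1; }
    mode=$(stat -c %a "$root/var/lib/php5")
    [ "$mode" = 1733 ] || { echo "$root/var/lib/php5 has mode $mode, want 1733" >&2; return 1; }
    # last octal digit with the write bit set (2,3,6,7) means "writable by others"
    case $(stat -c %a "$root") in
        *[2367]) echo "$root is writable by others; a chrooted process could alter its own root" >&2; return 1 ;;
    esac
    return 0
}

# After the restart: is the process from the pid file really rooted at $root?
# /proc/<pid>/root is a symlink to that process's root directory (readable as root).
apache_is_chrooted() {
    root="$1"; pidfile="$2"
    [ -r "$pidfile" ] || return 1
    [ "$(readlink "/proc/$(cat "$pidfile")/root")" = "$root" ]
}

main() {
    build_chroot_skeleton "$CHROOT"
    write_chroot_conf "$CHROOT" "$APACHE_CONF_DIR"
    check_chroot "$CHROOT"
    echo "Append to /etc/fstab and run 'mount -a':"
    fstab_lines "$CHROOT"
    # pid file symlink from the HOWTO; left alone if something already exists there
    if [ ! -e /var/run/apache2.pid ] && [ -w /var/run ]; then
        ln -s "$CHROOT/var/run/apache2.pid" /var/run/apache2.pid
    fi
    echo "Now: a2enmod mod_chroot && /etc/init.d/apache2 restart, then verify with:"
    echo "  apache_is_chrooted $CHROOT $CHROOT/var/run/apache2.pid"
}

# Only act when invoked with "build"; sourcing the file just defines the functions.
if [ "${1:-}" = build ]; then
    main
fi
```

The permission check on the chroot root is the one worth keeping: a chroot that its own inhabitant can write to is worth little, because the process can then replace files that the server (or a later root process) trusts inside it.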

Other notes

MySQL

If DNS resolution doesn't work from inside the chroot (the resolver needs /etc/resolv.conf, /etc/hosts and the NSS libraries, which glibc may load on first use and therefore after the chroot()), connect to the IP address instead (127.0.0.1 for localhost). Keep in mind that MySQL treats the host name localhost differently from 127.0.0.1: localhost means the Unix socket, whose path (usually /var/run/mysqld/mysqld.sock) would also have to exist inside the chroot, while 127.0.0.1 is a TCP connection to the loopback interface. Grants are per host, so if you only allow clients from localhost in your MySQL configuration, you also need to allow them from 127.0.0.1 separately.

ModChroot (last edited 2010-07-21 22:39:20 by joris)