mod_chroot is a module for the apache webserver to easily run the httpd in a chroot (especially important for all the scripts). Because of this scripts cannot effect anything outside the chroot and makes it much more difficult to gain access to a server through the webserver for an attacker.
NOTE: apache-2.2.10 and higher has built in chroot handling and the mod_chroot module should not be used.
Why is it so fancy?
Good thing about this module is that you don’t have to maintain a chroot containing every file the apache httpd may need (libraries, etc.).
- Include a solution to handle sending email from the chroot with PHP mail() function. Several possibilities are available. Didn't test any because I didn't need it myself.
- Add more information for services which might be affected.
- Include information regarding DNS resolving.
Its aimed at my local setup so you might want to change some paths/leave some parts out. I decided to locate the chroot at /var/chroot/apache
Install & Configure
install the module
apt-get install libapache2-mod-chroot
enable the module
set chroot path
echo "ChrootDir /var/chroot/apache" > /etc/apache2/conf.d/mod_chroot
create the chroot directory
mkdir -p /var/chroot/apache
apache needs this to run
mkdir -p /var/chroot/apache/var/run
PHP5 Session stuff
Some PHP5 programs might need this. At least dokuwiki wanted to create some session file (maybe you don't need this)
mkdir -p /var/chroot/apache/var/lib/php5
use chmod to set php5 dir to drwx-wx-wt
Fixing up mod_user
In case you want to user mod_user for the personal webspaces of users (hostname/~username)
/home and /etc/passwd are nessecary in the chroot
mkdir -p /var/chroot/apache/home mkdir -p /var/chroot/apache/etc touch /var/chroot/apache/etc/passwd echo "/home /var/chroot/apache/home none bind 0 0" >> /etc/fstab echo "/etc/passwd /var/chroot/apache/etc/passwd none bind 0 0" >> /etc/fstab
obviously you also have to mount them
ln -s /var/chroot/apache/var/run/apache2.pid /var/run/apache2.pid
Finish it up
restart apache2 to load mod_chroot
If DNS resolving doesn't work you might need to connect to the ip address (127.0.0.1 for localhost). However MySQL sees localhost different from 127.0.0.1 if you connect to it. So in case you only allow clients from localhost in your MySQL configuration, you also need to allow it from 127.0.0.1 seperately.
blog entry: http://users.lichtsnel.nl/~spacey/?p=132
mod_chroot website: http://core.segfault.pl/~hobbit/mod_chroot/