= Description mod_chroot =

mod_chroot is a module for the Apache webserver that makes it easy to run the httpd in a chroot, which matters most for the scripts it executes. Scripts cannot affect anything outside the chroot, which makes it considerably harder for an attacker to gain access to the server through the webserver.

NOTE: apache-2.2.10 and higher has built-in chroot handling (the ChrootDir directive of the MPM), and the mod_chroot module should not be used there.

== Why is it so fancy? ==

The good thing about this module is that you don't have to maintain a chroot containing every file the Apache httpd may need (libraries, etc.). mod_chroot calls chroot() at the end of server startup, after the modules and their libraries have been loaded and the log files opened, so only what Apache and the scripts open afterwards has to exist inside the chroot. Keep in mind that the configuration is read before chroot() but requests are served after it: every path Apache uses at request time (DocumentRoot, UserDir, the PHP session directory, database sockets) is resolved relative to the chroot and has to exist there. The bind mounts below are one way to achieve that.

== TODO ==

* Include a solution to handle sending email from the chroot with the PHP mail() function. Several possibilities are available. I didn't test any because I didn't need it myself.
* Add more information about services which might be affected.
* Include information regarding DNS resolving.

= HOWTO =

It's aimed at my local setup, so you might want to change some paths or leave some parts out. I decided to locate the chroot at /var/chroot/apache.

== Install & Configure ==

=== Install the module ===
{{{
apt-get install libapache2-mod-chroot
}}}

=== Enable the module ===
{{{
a2enmod mod_chroot
}}}

=== Set the chroot path ===
{{{
echo "ChrootDir /var/chroot/apache" > /etc/apache2/conf.d/mod_chroot
}}}

== Build chroot ==

=== Create the chroot directory ===
{{{
mkdir -p /var/chroot/apache
}}}

=== Apache needs this to run ===
Apache writes its pid file below /var/run, which after the chroot means /var/chroot/apache/var/run:
{{{
mkdir -p /var/chroot/apache/var/run
}}}

== PHP5 session stuff ==

Some PHP5 programs might need this; at least DokuWiki wanted to create a session file (maybe you don't need this).
{{{
mkdir -p /var/chroot/apache/var/lib/php5
}}}
Use chmod to set the php5 directory to drwx-wx-wt (octal mode 1733, the same mode Debian gives /var/lib/php5): scripts can create their own session files but cannot list the directory, so they cannot discover other users' session IDs.

== Fixing up mod_userdir ==

In case you want to use mod_userdir for the personal webspaces of users (hostname/~username):

=== /home and /etc/passwd are necessary in the chroot ===
{{{
mkdir -p /var/chroot/apache/home
mkdir -p /var/chroot/apache/etc
touch /var/chroot/apache/etc/passwd
echo "/home /var/chroot/apache/home none bind 0 0" >> /etc/fstab
echo "/etc/passwd /var/chroot/apache/etc/passwd none bind 0 0" >> /etc/fstab
}}}
Obviously you also have to mount them (mount -a, or mount the two targets individually); the fstab entries only make the bind mounts survive a reboot. Note that this makes every home directory visible inside the chroot with the same permissions as outside.

== Fix apache2ctl ==

The pid file is now written inside the chroot, but apache2ctl and the init script look for it at /var/run/apache2.pid:
{{{
ln -s /var/chroot/apache/var/run/apache2.pid /var/run/apache2.pid
}}}
If /var/run is a tmpfs, the link is lost on reboot and has to be recreated before Apache starts.

== Finish it up ==

=== Restart apache2 to load mod_chroot ===
{{{
/etc/init.d/apache2 restart
}}}
To check that the workers really are chrooted, compare /proc/<pid>/root of a child process with /var/chroot/apache (readlink prints the chroot directory for a chrooted process).

= Other notes =

== MySQL ==

The MySQL client treats the host name "localhost" specially and connects through the Unix socket (usually /var/run/mysqld/mysqld.sock), which is not visible inside the chroot; name resolution may not work in there either. You might therefore need to connect to the IP address (127.0.0.1 for localhost) instead, or bind-mount the socket directory into the chroot. MySQL sees localhost and 127.0.0.1 as different hosts when it checks grants. So in case you only allow clients as 'user'@'localhost' in your MySQL configuration, you also need to allow 'user'@'127.0.0.1' separately.

= Source =

* blog entry: http://users.lichtsnel.nl/~spacey/?p=132
* mod_chroot website: http://core.segfault.pl/~hobbit/mod_chroot/
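The build steps of the HOWTO collected into one script, as an added example that is not part of the original page or of mod_chroot itself. It assumes the page's layout (chroot at /var/chroot/apache, bind mounts recorded in /etc/fstab), but both locations can be overridden through the CHROOT and FSTAB environment variables so the skeleton can be built and checked in a scratch directory without root. The privileged steps (package installation, a2enmod, mounting, pid-file symlink, restart) only run when the script is invoked with the argument "build"; the verify function checks what the HOWTO requires, including the 1733 mode of the session directory.

```shell
#!/bin/sh
# Added example, not from the original page or from mod_chroot: builds and
# verifies the chroot skeleton described in the HOWTO.
# Assumptions: CHROOT and FSTAB default to the page's locations but may be
# overridden from the environment (e.g. for a dry run in a scratch directory).
set -eu

CHROOT="${CHROOT:-/var/chroot/apache}"
FSTAB="${FSTAB:-/etc/fstab}"

# Record a bind mount in fstab unless the identical line is already there,
# so re-running the script never duplicates entries.
add_bind_mount() {
    src="$1"; dst="$2"
    line="$src $dst none bind 0 0"
    if ! grep -Fxq -e "$line" "$FSTAB" 2>/dev/null; then
        printf '%s\n' "$line" >> "$FSTAB"
    fi
}

# Create everything the HOWTO says Apache, PHP5 sessions and mod_userdir need
# below the chroot. Paths are resolved relative to $root after chroot(),
# so $root/var/run is what Apache later sees as /var/run.
build_apache_chroot() {
    root="$1"
    mkdir -p "$root/var/run"          # pid file
    mkdir -p "$root/var/lib/php5"     # PHP5 session files
    chmod 1733 "$root/var/lib/php5"   # drwx-wx-wt: create own session, cannot list others
    mkdir -p "$root/home" "$root/etc" # mod_userdir: bind-mount targets
    touch "$root/etc/passwd"
    add_bind_mount /home "$root/home"
    add_bind_mount /etc/passwd "$root/etc/passwd"
}

# Check the skeleton: prints the first problem found and returns 1, else returns 0.
verify_apache_chroot() {
    root="$1"
    [ -d "$root/var/run" ] || { echo "missing $root/var/run"; return 1; }
    [ -f "$root/etc/passwd" ] || { echo "missing $root/etc/passwd"; return 1; }
    [ -d "$root/home" ] || { echo "missing $root/home"; return 1; }
    mode=$(ls -ld "$root/var/lib/php5" | cut -c1-10)
    [ "$mode" = "drwx-wx-wt" ] || { echo "$root/var/lib/php5 is $mode, want drwx-wx-wt"; return 1; }
    grep -Fq -e " $root/home none bind" "$FSTAB" || { echo "no bind mount for /home in $FSTAB"; return 1; }
    grep -Fq -e " $root/etc/passwd none bind" "$FSTAB" || { echo "no bind mount for /etc/passwd in $FSTAB"; return 1; }
    return 0
}

# The privileged part only runs when explicitly asked for:  sh build-apache-chroot.sh build
if [ "${1:-}" = "build" ]; then
    apt-get install libapache2-mod-chroot
    a2enmod mod_chroot
    echo "ChrootDir $CHROOT" > /etc/apache2/conf.d/mod_chroot
    build_apache_chroot "$CHROOT"
    mount "$CHROOT/home"
    mount "$CHROOT/etc/passwd"
    # apache2ctl and the init script look for the pid file outside the chroot
    ln -sfn "$CHROOT/var/run/apache2.pid" /var/run/apache2.pid
    verify_apache_chroot "$CHROOT"
    /etc/init.d/apache2 restart
fi
```

Sourcing the script (or running it without the "build" argument) only defines the functions, so `CHROOT=/tmp/x FSTAB=/tmp/x.fstab` followed by `build_apache_chroot /tmp/x; verify_apache_chroot /tmp/x` exercises the layout as an unprivileged user before touching the real system.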