
Securing-Optimizing-RH-Linux-1_2_384
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
384

The following are the necessary steps to run Apache Web Server in a chroot jail:

Step 1
We must find the shared library dependencies of httpd. These will need to be copied into the chroot jail later.

· To find the shared library dependencies of httpd, execute the following command:

[root@deep /]# ldd /usr/sbin/httpd
libpam.so.0 => /lib/libpam.so.0 (0x40016000)
libm.so.6 => /lib/libm.so.6 (0x4001f000)
libdl.so.2 => /lib/libdl.so.2 (0x4003b000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4003e000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4006b000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40081000)
libdb.so.3 => /lib/libdb.so.3 (0x40090000)
libc.so.6 => /lib/libc.so.6 (0x400cb000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Make a note of the files listed above; you will need them later in these steps.

Step 2
Add a new UID and a new GID if this is not already done for running Apache httpd. This is important because running it as root defeats the purpose of the jail, and using a different UID that already exists on the system (e.g. nobody) can allow your services to access each other's resources. Consider the scenario where a web server is running as nobody, or any other overly used UID/GID, and is compromised: the cracker can now access any other processes running as nobody from within the chroot.

These are sample UID/GID values. Check the “/etc/passwd” and “/etc/group” files for a free UID/GID number. In our configuration we'll use the numerical value “80” and the UID/GID name “www”.

[root@deep /]# groupadd -g 80 www
[root@deep /]# useradd -g 80 -u 80 www

The above commands will create the group “www” with the numerical GID value 80, and the user “www” with the numerical UID value 80.

Step 3
Set up the chroot environment. First we need to create the chrooted Apache structure. We use “/chroot/httpd” for the chrooted Apache. The “/chroot/httpd” is just a directory on a different partition where we've decided to put Apache for more security.

Stop the running server first (only if Apache is already installed and running on your system):

[root@deep /]# /etc/rc.d/init.d/httpd stop
Shutting down http:                                        [  OK  ]

Then create the jail root:

[root@deep /]# mkdir /chroot/httpd

Next, create the rest of the directories as follows:

[root@deep /]# mkdir /chroot/httpd/dev
[root@deep /]# mkdir /chroot/httpd/lib
[root@deep /]# mkdir /chroot/httpd/etc
[root@deep /]# mkdir -p /chroot/httpd/usr/sbin
[root@deep /]# mkdir -p /chroot/httpd/var/run
[root@deep /]# mkdir -p /chroot/httpd/var/log/httpd
[root@deep /]# chmod 750 /chroot/httpd/var/log/httpd/
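The following script is an added example, not part of the book, that carries out steps 1 to 3 above in a repeatable form: it reduces ldd output to the list of library paths to copy, creates the www account the book uses (only when building the real jail as root), builds the directory skeleton, and copies the libraries into the jail at their original paths. The function names, the JAIL environment variable and the default of building a dry-run jail under a temporary directory are assumptions of this example; the ldd listing embedded in it is a constructed sample taken from the book's output.

```shell
#!/bin/bash
# Added example (not from the book): helper for steps 1-3 of the Apache chroot
# procedure. Set JAIL=/chroot/httpd and run as root to build the real jail;
# with JAIL unset it does a dry run under a temporary directory (assumption).
set -eu

# Step 1: reduce ldd output to the absolute library paths that must be copied.
# Handles "name => /path (addr)" lines and the loader line, which newer ldd
# versions print without "=>" ("/lib64/ld-linux-x86-64.so.2 (addr)"). vdso
# entries have no file on disk and are skipped; "not found" goes to stderr.
ldd_lib_paths() {
    printf '%s\n' "$1" | awk '
        $2 == "=>" && $3 == "not" { print "missing: " $1 > "/dev/stderr"; next }
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $1 ~ /^\//                { print $1 }
    '
}

# Step 2: create group/user www with GID/UID 80 unless they already exist.
# Needs root. The server must not run as root or as a shared account (nobody).
ensure_www_account() {
    getent group www >/dev/null 2>&1 || groupadd -g 80 www
    getent passwd www >/dev/null 2>&1 || useradd -g 80 -u 80 www
}

# Step 3: the directory skeleton from the book, under the jail root $1.
make_jail_skeleton() {
    local jail="$1"
    mkdir -p "$jail/dev" "$jail/lib" "$jail/etc" "$jail/usr/sbin" \
             "$jail/var/run" "$jail/var/log/httpd"
    chmod 750 "$jail/var/log/httpd"
}

# Copy libraries (one absolute path per line on stdin) into the jail at the
# same path, so /lib/libm.so.6 becomes $jail/lib/libm.so.6. cp follows
# symlinks, so the jail gets the real file rather than a dangling link.
# Libraries absent from this host are reported on stderr and skipped.
copy_libs_into_jail() {
    local jail="$1" lib
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        if [ ! -e "$lib" ]; then
            echo "skipping $lib: not present on this host" >&2
            continue
        fi
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
}

# Constructed sample: part of the book's ldd listing, used when httpd is absent.
SAMPLE_LDD='libpam.so.0 => /lib/libpam.so.0 (0x40016000)
libm.so.6 => /lib/libm.so.6 (0x4001f000)
libc.so.6 => /lib/libc.so.6 (0x400cb000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

if [ -n "${JAIL:-}" ]; then
    ensure_www_account            # real build: needs root
else
    JAIL="$(mktemp -d)/httpd"     # dry run in a scratch directory
fi

if [ -x /usr/sbin/httpd ]; then
    LDD_OUT="$(ldd /usr/sbin/httpd)"
else
    LDD_OUT="$SAMPLE_LDD"
fi

make_jail_skeleton "$JAIL"
ldd_lib_paths "$LDD_OUT" | copy_libs_into_jail "$JAIL"
echo "jail skeleton built under $JAIL"
```

Two caveats worth keeping in mind when using ldd this way: it loads the binary through the dynamic loader, so only run it on binaries you trust (the httpd you installed yourself, as here), and it lists only libraries linked at build time. Libraries the server loads at run time with dlopen, such as the name-service modules behind libresolv and libnsl, do not appear in its output and must be added to the jail separately.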