Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
The following are the necessary steps to run Apache Web Server in a chroot jail:
Step 1
We must find the shared library dependencies of httpd. These will need to be copied into the
chroot jail later.
· To find the shared library dependencies of httpd, execute the following command:
[root@deep /]# ldd /usr/sbin/httpd
libpam.so.0 => /lib/libpam.so.0 (0x40016000)
libm.so.6 => /lib/libm.so.6 (0x4001f000)
libdl.so.2 => /lib/libdl.so.2 (0x4003b000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4003e000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4006b000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40081000)
libdb.so.3 => /lib/libdb.so.3 (0x40090000)
libc.so.6 => /lib/libc.so.6 (0x400cb000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
Make a note of the files listed above; you will need them in the later steps.
Step 2
Add a new UID and a new GID for running Apache httpd if this has not already been done. This is
important because running it as root defeats the purpose of the jail, and using a UID that
already exists on the system (i.e. nobody) can allow your services to access each other's
resources. Consider the scenario where a web server running as nobody, or as any other overused
UID/GID, is compromised. The cracker can now access any other processes running as
nobody from within the chroot.
These are sample UID/GID values. Check the /etc/passwd and /etc/group files for a free UID/GID
number. In our configuration we'll use the numerical value 80 and the UID/GID name www.
[root@deep /]# groupadd -g 80 www
[root@deep /]# useradd -g 80 -u 80 www
The above commands will create the group www with the numerical GID value 80, and the user
www with the numerical UID value 80.
Step 3
Set up the chroot environment. First we need to create the chrooted Apache structure. We use
/chroot/httpd for the chrooted Apache. The /chroot/httpd is just a directory on a different
partition where we've decided to put Apache for more security.
If Apache is already installed and running on your system, stop it first:
[root@deep /]# /etc/rc.d/init.d/httpd stop
Shutting down http: [ OK ]
[root@deep /]# mkdir /chroot/httpd
Next, create the rest of the directories like the following:
[root@deep /]# mkdir /chroot/httpd/dev
[root@deep /]# mkdir /chroot/httpd/lib
[root@deep /]# mkdir /chroot/httpd/etc
[root@deep /]# mkdir -p /chroot/httpd/usr/sbin
[root@deep /]# mkdir -p /chroot/httpd/var/run
[root@deep /]# mkdir -p /chroot/httpd/var/log/httpd
[root@deep /]# chmod 750 /chroot/httpd/var/log/httpd/
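The three steps above (list the shared libraries with ldd, create the jail skeleton, copy each library to the same path under the jail) can be scripted. The following is an added example, not a script from the book; the function names ldd_paths, install_into_jail and make_jail_tree are my own, and the sample ldd output is the one from Step 1, embedded so the parsing can be checked offline. It also handles ldd lines newer toolchains print, such as linux-vdso.so.1, which has no file to copy.

```shell
#!/bin/sh
# Read ldd output on stdin and print one absolute library path per line.
# Handles "name => /path (addr)" and the loader line "/path (addr)";
# skips pseudo-entries with no file behind them (e.g. linux-vdso.so.1).
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy each path read from stdin into the jail given as $1, recreating
# its directory (/lib/libc.so.6 -> /chroot/httpd/lib/libc.so.6) and
# preserving mode and ownership with cp -p. Fails on a missing file so a
# typo does not silently leave the jailed httpd without a library.
install_into_jail() {
    jail=$1
    while IFS= read -r path; do
        [ -f "$path" ] || { echo "missing library: $path" >&2; return 1; }
        mkdir -p "$jail$(dirname "$path")"
        cp -p "$path" "$jail$path"
    done
}

# Create the directory skeleton from Step 3 under the jail root.
make_jail_tree() {
    jail=$1
    mkdir -p "$jail/dev" "$jail/lib" "$jail/etc" "$jail/usr/sbin" \
             "$jail/var/run" "$jail/var/log/httpd"
    chmod 750 "$jail/var/log/httpd"
}

# Constructed sample: three lines of the ldd output shown in Step 1.
SAMPLE_LDD='libpam.so.0 => /lib/libpam.so.0 (0x40016000)
libm.so.6 => /lib/libm.so.6 (0x4001f000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Real use: jail_httpd.sh /usr/sbin/httpd /chroot/httpd
if [ "$#" -eq 2 ]; then
    make_jail_tree "$2"
    ldd "$1" | ldd_paths | install_into_jail "$2"
fi
```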