Securing-Optimizing-RH-Linux-1_2_387
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
Step 9
Copy the localtime file to the jail so that log entries are adjusted for your local timezone properly:
[root@deep /]# cp /etc/localtime /chroot/httpd/etc/
Step 10
Remove unnecessary Apache files and directories:
[root@deep /]# rm -rf /var/log/httpd/
[root@deep /]# rm -rf /etc/httpd/
[root@deep /]# rm -rf /home/httpd/
[root@deep /]# rm -f /usr/sbin/httpd
We can safely remove all of the above files and directories since they are now located under our
chroot jail directory.
Step 11
Tell syslogd about the new chrooted service.
Normally, processes talk to syslogd through /dev/log. As a result of the chroot jail, this won't be
possible, so syslogd needs to be told to listen to /chroot/httpd/dev/log. To do this, edit the syslog
startup script to specify additional places to listen.
Edit the syslog script (vi /etc/rc.d/init.d/syslog) to change the line:
daemon syslogd -m 0
To read:
daemon syslogd -m 0 -a /chroot/httpd/dev/log
Step 12
The default httpd script file of Apache starts the httpd daemon outside the chroot jail, so we must
change it to start httpd from the chroot jail. Edit the httpd script file (vi /etc/rc.d/init.d/httpd) and
change the line:
daemon httpd
To read:
/usr/sbin/chroot /chroot/httpd/ /usr/sbin/httpd -DSSL
Also change the line:
rm -f /var/run/httpd.pid
To read:
rm -f /chroot/httpd/var/run/httpd.pid
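Before restarting anything, the edits from Steps 9 to 12 can be checked in one pass. The script below is an added example, not part of the original book; the function name check_httpd_jail, the helper note and the optional sysroot prefix argument are assumptions made for illustration.

```sh
# Added example, not from the book. The first argument is a hypothetical
# prefix (empty for the live system) so a staging copy can be checked too.
JAIL=/chroot/httpd

note() { echo "FAIL: $1"; fail=1; }

check_httpd_jail() {
    sysroot="${1:-}"
    fail=0
    syslog_init="$sysroot/etc/rc.d/init.d/syslog"
    httpd_init="$sysroot/etc/rc.d/init.d/httpd"

    # Step 9: timezone data must be present inside the jail.
    [ -s "$sysroot$JAIL/etc/localtime" ] || note "$JAIL/etc/localtime is missing"

    # Step 10: the copies outside the jail should be gone.
    for p in /var/log/httpd /etc/httpd /home/httpd /usr/sbin/httpd; do
        if [ -e "$sysroot$p" ]; then note "$p still exists outside the jail"; fi
    done

    # Step 11: syslogd must be told to listen on the jail's log socket.
    grep -Eq "^[[:space:]]*daemon syslogd .*-a $JAIL/dev/log" "$syslog_init" \
        2>/dev/null || note "syslog script lacks -a $JAIL/dev/log"

    # Step 12: httpd must start through chroot, and the script must clean up
    # the pid file inside the jail rather than /var/run/httpd.pid.
    grep -Eq "^[[:space:]]*/usr/sbin/chroot $JAIL/? /usr/sbin/httpd" "$httpd_init" \
        2>/dev/null || note "httpd script does not start httpd via chroot"
    if grep -Eq "^[[:space:]]*daemon httpd" "$httpd_init" 2>/dev/null; then
        note "httpd script still runs 'daemon httpd' outside the jail"
    fi
    if grep -Fq "rm -f /var/run/httpd.pid" "$httpd_init" 2>/dev/null; then
        note "httpd script still removes /var/run/httpd.pid"
    fi

    if [ "$fail" -eq 0 ]; then echo "OK: Steps 9-12 look consistent"; fi
    return "$fail"
}
```

Call check_httpd_jail with no argument on the live system. Once syslogd has been restarted in Step 13, /chroot/httpd/dev/log should also exist as a socket, since syslogd creates it itself.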
Step 13
Finally, we must test the new chrooted jail configuration of our Apache Web Server.
· The first thing to do is to restart our syslogd daemon with the following command:
[root@deep /]# /etc/rc.d/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
· Now, start the new chrooted jail Apache with the following command: