* Patrik Breitenmoser; on 02 Jul, 2002 wrote:
Hi all,
after jailing my bind installation, is there a howto on how to chroot the
apache webserver?
Any link would be great.
First I made a partition for the jail and added it to /etc/fstab:
/dev/hda3 /jail ext2 rw,auto,dev,user,exec,suid,atime,async 1 2
This is how I did it with compartment; remember to call this from
/etc/init.d/apache.
Hope this helps
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
#!/bin/sh
# script adapted for apache 20/02/2002 by
# script being changed for apache...1/2001, by
#
# auto_chroot_script for named from the bind8 package and SuSEcompartment v0.8
# (c) 2000 by Marc Heuse
#
# Builds (and rebuilds from scratch on every run) a chroot jail for apache
# under $CHROOT_DIR: creates the directory skeleton, copies the files and
# globs listed in $FILE_LIST plus the shared libraries ldd reports for them,
# fixes ownership and modes, hard-links the syslog socket in and writes a
# minimal passwd/group/shadow for the jail. Must run as root (chown/mknod).
# The jail filesystem has to be mounted with "dev" and "suid" for the mknod
# and the setuid suexec at the end of the script to take effect.
#
# compartment call (where this script is /chroot/bin/init_bind8):
# /usr/sbin/compartment --chroot /chroot/bind8 --init /chroot/bin/init_bind8 \
# --cap CAP_NET_BIND_SERVICE --fork --group root /usr/sbin/named
# (that is the original bind8 invocation; for apache this script is meant to
# be called from /etc/init.d/apache with the paths configured below)
#
CHROOT_DIR="/jail/apache" # chroot directory; removed with rm -rf and rebuilt on every run
OWNER="bin.bin" # user.group owner of all chrooted files (applied with chown -R over the whole jail)
DEV_LOG="/jail/dev/log" # syslog socket hard-linked into the jail as dev/log; add "-a /jail/dev/log" to the syslogd start (must be on the same filesystem as CHROOT_DIR for the hard link)
# directories created inside the jail with mode 755 (unquoted on use: one path per word)
DIR_LIST_755="/var/tmp /etc/httpd /etc/httpd/modules /lib /usr/lib /usr/bin /bin /dev /usr/local/httpd/htdocs/gif /usr/local/httpd/htdocs /usr/local/httpd/cgi-bin /usr/include/apache /usr/local/httpd/icons /usr/lib/apache /usr/sbin /etc/init.d /webhome /webhome/faq /usr/lib/perl5 "
# directories created with mode 1775 (sticky, group-writable); their group is reset to root via CHGRP_ROOT
DIR_LIST_1775="/tmp /var/run /var/lib/httpd /var/log/httpd"
# files and globs copied into the jail with cp -a; the globs expand on the host when the copy loop runs
FILE_LIST="/etc/httpd/* \
/etc/httpd/modules/* \
/etc/init.d/apache \
/usr/bin/dbmmanage \
/usr/bin/htdigest \
/usr/bin/htpasswd \
/usr/bin/log_server_status \
/usr/lib/apache/* \
/usr/local/httpd/htdocs/* \
/usr/local/httpd/htdocs/gif/* \
/usr/local/httpd/icons/* \
/usr/local/httpd/icons/small/* \
/usr/sbin/ab \
/usr/sbin/apachectl \
/usr/sbin/httpd \
/usr/sbin/logresolve \
/usr/sbin/rcapache \
/usr/sbin/rotatelogs \
/usr/sbin/suexec \
/usr/bin/perl* \
/usr/lib/perl5/* \
/usr/include/apache/* \
/etc/nsswitch.conf /etc/resolv.conf /etc/services /etc/hosts /dev/null \
/etc/localtime /bin/sh /bin/cat /bin/false /bin/bash /lib/libnss* /etc/mime.types"
# jail-relative paths handed back to user root after the chown -R $OWNER (empty: nothing is)
CHOWN_ROOT=""
# jail-relative paths whose group is reset to root after the chown -R $OWNER
CHGRP_ROOT="$DIR_LIST_1775"
# log file names; not referenced anywhere in this script - presumably consumed by the caller (verify)
LOGS="access_log error_log faq_access.log faq_error.log ssl_engine_log ssl_scache.dir ssl_scache.pag ssl_request_log"
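# start
umask 022
export PATH="/usr/sbin:/sbin:/usr/bin:/bin"

# Refuse to run with an empty CHROOT_DIR: the rm -rf below would otherwise
# operate on "/".
: "${CHROOT_DIR:?CHROOT_DIR must be set}"

# Check for the syslog socket before the old jail is wiped, so a missing
# socket does not leave a half-built chroot behind.
test -e "$DEV_LOG" || {
echo "Warning: $DEV_LOG not found. Add \"-a $DEV_LOG\" to the syslogd startup."
exit 1
}

test -d /jail/log || mkdir -p -m 0755 /jail/log

# The jail is rebuilt from scratch on every run.
rm -rf -- "$CHROOT_DIR"
mkdir -p -m 755 "$CHROOT_DIR" || exit 1
cd "$CHROOT_DIR" || exit 1

# Directory skeleton. $DIR_LIST_* are deliberately unquoted so the shell
# splits them into one path per word.
for i in $DIR_LIST_755; do
  mkdir -p -m 755 "$CHROOT_DIR/$i"
done
for i in $DIR_LIST_1775; do
  mkdir -p -m 1775 "$CHROOT_DIR/$i"
done

# Copy every file/glob in $FILE_LIST into the jail together with the shared
# libraries ldd reports for it. ldd's third column is the resolved library
# path; "not a dynamic executable" lines are dropped. All libraries land in
# $CHROOT_DIR/lib whatever their original directory, and ldconfig -r then
# builds the jail's own cache.
# NOTE(review): an ldd line without "=>" (e.g. the dynamic loader itself)
# has an empty third field and is therefore not copied by this loop -
# confirm the loader is present in the jail after a run.
for i in $FILE_LIST; do
  lib=$(ldd "$i" 2> /dev/null | grep -v "not a " | awk '{print $3}')
  cp -a "$i" "$CHROOT_DIR/$i"
  for j in $lib; do
    test -e "$CHROOT_DIR/$j" || cp -p "$j" "$CHROOT_DIR/lib"
  done
done
ldconfig -r "$CHROOT_DIR" 2> /dev/null

# Everything in the jail belongs to $OWNER; only the $CHOWN_ROOT /
# $CHGRP_ROOT entries are handed back to root afterwards.
chown -R "$OWNER" "$CHROOT_DIR"
for i in $CHOWN_ROOT; do
  chown root "$CHROOT_DIR/$i"
done
for i in $CHGRP_ROOT; do
  chgrp root "$CHROOT_DIR/$i"
done

# Hard-link the syslog socket into the jail (cwd is $CHROOT_DIR here).
# A hard link requires $DEV_LOG to live on the same filesystem as the jail.
ln "$DEV_LOG" dev/log

# Minimal account database for the jail. These files are created by root
# after the chown -R above, so they stay root-owned.
touch etc/passwd etc/group etc/shadow
chmod 400 etc/shadow
echo 'wwwrun:x:888:88:Web Account:/webhome:/bin/false' > etc/passwd
echo 'nogroup:x:888:' > etc/group
echo 'wwwrun:*:10882:-1:99999:-1:-1:-1:134537804' > etc/shadow
# NOTE(review): passwd gives wwwrun primary gid 88, but the group file only
# defines gid 888 - confirm which one is intended.

# this was by jolugt@suse.com
#
# I don like the idea of having a compiler on the webserver so disabled
#
# echo 'int main(int argc, char *argv[]) { return(1); }' > /tmp/False.c
# cc -o bin/False /tmp/False.c

# Binaries are execute-only; tmp is world-writable with the sticky bit.
chmod 111 bin/*
chmod 1777 tmp

# /dev/null is also in $FILE_LIST and cp -a preserves device nodes, so only
# create it here if the copy did not already provide it. Needs the jail
# filesystem mounted with "dev".
test -c dev/null || mknod -m 666 dev/null c 1 3

chown -R wwwrun.nogroup "$CHROOT_DIR/usr/local/httpd/htdocs"
chown -R wwwrun.nogroup "$CHROOT_DIR/webhome"
chmod ugo+x "$CHROOT_DIR"/usr/local/httpd/cgi-bin*
# NOTE(review): after the chown -R "$OWNER" above, suexec is owned by $OWNER
# (bin.bin), so 4711 makes it setuid $OWNER rather than root; add
# /usr/sbin/suexec to CHOWN_ROOT if setuid root is intended. The setuid bit
# only takes effect with the jail filesystem mounted "suid".
chmod 4711 "$CHROOT_DIR/usr/sbin/suexec"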