There is a new revision of this tutorial available for Debian 8 (Jessie).
This tutorial exists for these OS versions
On this page
Chrooting Apache2 With mod_chroot On Debian Etch
Author: Falko Timme
This guide explains how to set up mod_chroot with Apache2 on a Debian Etch system. With mod_chroot, you can run Apache2 in a secure chroot environment and make your server less vulnerable to break-in attempts that try to exploit vulnerabilities in Apache2 or your installed web applications.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm assuming that you have a running Debian Etch system with a working Apache2, e.g. as shown in this tutorial: The Perfect Setup - Debian Etch (Debian 4.0). In addition to that I assume that you have one or more web sites set up within the /var/www directory (e.g. if you use ISPConfig).
2 Installing mod_chroot
To install mod_chroot, we simply run:
apt-get install libapache2-mod-chroot
Then we enable mod_chroot and restart Apache:
3 Configuring Apache
I want to use the /var/www directory as the directory containing the chroot jail. Debian's Apache uses the PID file /var/run/apache2.pid; when Apache is chrooted to /var/www, /var/run/apache2.pid translates to /var/www/var/run/apache2.pid. Therefore we create that directory now:
mkdir -p /var/www/var/run
chown -R root:root /var/www/var/run
Now we must tell Apache that we want to use /var/www as our chroot directory. We open /etc/apache2/apache2.conf, and right below the PidFile line, we add a ChrootDir line:
[...] # # PidFile: The file in which the server should record its process # identification number when it starts. # PidFile /var/run/apache2.pid ChrootDir /var/www [...]
Next we must tell our vhosts that the document root has changed (for example, a DocumentRoot /var/www translates now to DocumentRoot /). We can do this either by changing the DocumentRoot directive of each vhost, or more easier, by creating a symlink in the file system.
3.1 First Method: Changing The DocumentRoot
Let's assume we have a vhost with DocumentRoot /var/www. We must now open the vhost configuration of that vhost and change DocumentRoot /var/www to DocumentRoot /. Accordingly, DocumentRoot /var/www/web1/web would now translate to DocumentRoot /web1/web, and so on. If you want to use this method, you must change the DocumentRoot for every single vhost.
3.2 Second Method: Creating A Symlink In the File System
This method is easier, because you have to do it only once and don't have to modify any vhost configuration. We create a symlink pointing from /var/www/var/www to /var/www:
mkdir -p /var/www/var
ln -s ../../ www
Finally, we have to stop Apache, create a symlink from /var/run/apache2.pid to /var/www/var/run/apache2.pid, and start it again:
ln -s /var/www/var/run/apache2.pid /var/run/apache2.pid
That's it. You can now call your web pages as before, and they should be served without problems, as long as they are static HTML files or using mod_php.
If you are using CGI, e.g. Perl, suPHP, Ruby, etc., then you must copy the interpreter (e.g. /usr/bin/perl, /usr/sbin/suphp, etc.) to the chroot jail together with all libraries needed by the interpreter. You can find out about the required libraries with the ldd command, e.g.
server2:/var/www/web1/log# ldd /usr/sbin/suphp
linux-gate.so.1 => (0xffffe000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7e34000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7e0f000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb7e03000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7cd2000)
If you've copied all required files, but the page still isn't working, you should take a look at the Apache error log. Usually it tells you where the problem is. Also read http://core.segfault.pl/~hobbit/mod_chroot/caveats.html for known problems and solutions.