Chrooting Apache2 With mod_chroot On CentOS 5.4
Author: Falko Timme
Follow me on Twitter
This guide explains how to set up mod_chroot with Apache2 on a CentOS 5.4 system. With mod_chroot, you can run Apache2 in a secure chroot environment and make your server less vulnerable to break-in attempts that try to exploit vulnerabilities in Apache2 or your installed web applications.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm assuming that you have a running CentOS 5.4 system with a working Apache2, e.g. as shown in this tutorial: The Perfect Server - CentOS 5.4 x86_64 [ISPConfig 2]. In addition to that I assume that you have one or more web sites set up within the /var/www directory (e.g. if you use ISPConfig).
2 Installing mod_chroot
There's no mod_chroot package for CentOS 5.4, therefore we must build it ourselves. First we install the prerequisites:
yum groupinstall 'Development Tools'
yum groupinstall 'Development Libraries'
yum install httpd-devel
Now we build mod_chroot as follows:
tar xvfz mod_chroot-0.5.tar.gz
apxs -cia mod_chroot.c
Then we restart Apache:
3 Configuring Apache
I want to use the /var/www directory as the directory containing the chroot jail. CentOS' Apache uses the PID file /var/run/httpd.pid; when Apache is chrooted to /var/www, /var/run/httpd.pid translates to /var/www/var/run/httpd.pid. Therefore we create that directory now:
mkdir -p /var/www/var/run
chown -R root:apache /var/www/var/run
Now we must tell Apache that we want to use /var/www as our chroot directory. We open /etc/httpd/conf/httpd.conf, and right below the PidFile line, we add the line ChrootDir /var/www; also comment out the PidFile run/httpd.pid line and add the line PidFile /var/run/httpd.pid:
[...] # # PidFile: The file in which the server should record its process # identification number when it starts. # #PidFile run/httpd.pid PidFile /var/run/httpd.pid ChrootDir /var/www [...]
Next we must tell our vhosts that the document root has changed (for example, a DocumentRoot /var/www translates now to DocumentRoot /). We can do this either by changing the DocumentRoot directive of each vhost, or more easier, by creating a symlink in the file system.
3.1 First Method: Changing The DocumentRoot
Let's assume we have a vhost with DocumentRoot /var/www. We must now open the vhost configuration of that vhost and change DocumentRoot /var/www to DocumentRoot /. Accordingly, DocumentRoot /var/www/web1/web would now translate to DocumentRoot /web1/web, and so on. If you want to use this method, you must change the DocumentRoot for every single vhost.
3.2 Second Method: Creating A Symlink In the File System
This method is easier, because you have to do it only once and don't have to modify any vhost configuration. We create a symlink pointing from /var/www/var/www to /var/www:
mkdir -p /var/www/var
ln -s ../../ www
Finally, we have to stop Apache, create a symlink from /var/run/httpd.pid to /var/www/var/run/httpd.pid, and start it again:
ln -sf /var/www/var/run/httpd.pid /var/run/httpd.pid
That's it. You can now call your web pages as before, and they should be served without problems, as long as they are static HTML files or using mod_php.
If you are using CGI, e.g. Perl, suPHP, Ruby, etc., then you must copy the interpreter (e.g. /usr/bin/perl, /usr/sbin/suphp, etc.) to the chroot jail together with all libraries needed by the interpreter. You can find out about the required libraries with the ldd command, e.g.
[server2:/var/www/web1/log]# ldd /usr/sbin/suphp
linux-gate.so.1 => (0xffffe000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7e34000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7e0f000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb7e03000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7cd2000)
If you've copied all required files, but the page still isn't working, you should take a look at the Apache error log. Usually it tells you where the problem is. Also read http://core.segfault.pl/~hobbit/mod_chroot/caveats.html for known problems and solutions.