Comments on Chrooting Apache2 With mod_chroot On Debian Lenny

Chrooting Apache2 With mod_chroot On Debian Lenny

This guide explains how to set up mod_chroot with Apache2 on a Debian Lenny system. With mod_chroot, you can run Apache2 in a secure chroot environment and make your server less vulnerable to break-in attempts that try to exploit vulnerabilities in Apache2 or your installed web applications.

Comments

By: Rob

I'm not running ISPConfig, but I do have a fairly standard setup of apache2 (2.2.9) on Debian Lenny. These instructions break it in a maddening manner.

 My ServerRoot is /etc/apache2; vhost configs are set up in the usual way under /etc/apache2/sites-available (and ./sites-enabled); the site files themselves are under /srv/www/(sitename)/public_html, etc.

 So, my vhost config files need to look like this:

<VirtualHost *:80>
    ServerName domain.com
    DocumentRoot /domain.com/public_html/
    ErrorLog /srv/www/domain.com/logs/error.log
    CustomLog /srv/www/domain.com/logs/access.log combined
    <Location />
        AuthUserFile /domain.com/.htpasswd
        AuthName "Access restricted to domain.com developers"
        AuthType Basic
        require valid-user
    </Location>
    SetEnv TMPDIR /domain.com/tmp/
    php_admin_value open_basedir /domain.com/:/usr/bin/pdftk
    php_admin_value upload_tmp_dir /domain.com/tmp/
</VirtualHost>

 

 Note the goofy mix of chroot'd and not-chroot'd directories. The chroot'd DocumentRoot will trigger warnings when apache2 is started; if you ignore those, then everything appears to work OK. However, if the ErrorLog directive uses a chroot'd path, then those warnings somehow trigger a fatal error that causes apache2 to not start at all. (This makes debugging this a real adventure.) But, once it's running, the non-chroot'd paths for both ErrorLog and CustomLog seem to work just fine.

 I've verified that the DocumentRoot, ErrorLog, CustomLog, and AuthUserFile directives all work with this setup. I'm not sure about the rest.

It's possible there's something seriously wrong with my setup, but everything's been working great for months (until now), so if there is, I don't know what it is.

By: max

Hi,

I am new to chrooting, so I apologise in advance if I ask silly questions. I have followed your tutorial, but now I can't run my phpMyAdmin. I installed it in /usr/local/phpMyAdmin and created a symbolic link to /var/www.

As a consequence I am getting error 403 when I try to connect to it.

What am I doing wrong?

Max

P.S. I am running Debian GNU/Linux version 5.0.7
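Added example, not part of the comments above or of the tutorial: a symlink under the chroot directory whose target lives outside it stops resolving once Apache has chrooted, so this Python check lists such links before the server is restarted. The function names and the constructed `jail` tree are assumptions for illustration; resolution is lexical and one level deep (chains of symlinks are not simulated).

```python
import os
import tempfile

def resolve_in_chroot(chroot, link):
    """Host path that `link` would resolve to for a process chrooted into `chroot`."""
    target = os.readlink(link)
    if os.path.isabs(target):
        virt = target                       # absolute targets restart at the new "/"
    else:
        here = os.path.relpath(os.path.dirname(link), chroot)
        virt = os.path.join("/", here, target)
    virt = os.path.normpath(virt)           # "/.." collapses to "/": no escape upwards
    return os.path.join(chroot, virt.lstrip("/"))

def broken_links(chroot):
    """Symlinks under `chroot` whose target will not exist after chroot()."""
    chroot = os.path.realpath(chroot)
    found = []
    for root, dirs, files in os.walk(chroot):
        for name in dirs + files:           # symlinks are listed but not followed
            path = os.path.join(root, name)
            if os.path.islink(path) and not os.path.exists(resolve_in_chroot(chroot, path)):
                found.append((os.path.relpath(path, chroot), os.readlink(path)))
    return sorted(found)

def demo():
    """Constructed tree: `jail` stands in for the chroot directory."""
    tmp = os.path.realpath(tempfile.mkdtemp())
    jail, outside = os.path.join(tmp, "jail"), os.path.join(tmp, "outside", "phpMyAdmin")
    os.makedirs(os.path.join(jail, "app"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(jail, "phpmyadmin"))               # absolute, outside
    os.symlink("../outside/phpMyAdmin", os.path.join(jail, "escape"))   # relative, climbs out
    os.symlink("app", os.path.join(jail, "current"))                    # relative, stays inside
    return [name for name, _ in broken_links(jail)]

if __name__ == "__main__":
    print(demo())
```

Call `broken_links()` with the real chroot directory to get each affected link together with its stored target.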