Chrooting Apache and PHP

General Information

Chrooting has been around for a long time now. chausson ugg asics kinsei Chrooting makes a program believe that the root of the file system is higher up in the hierarchy. ugg homme basket nike tn ugg homme For example, if I wanted to create a chroot in /chroot/httpd, a program executed from within the chroot would believe that “/chroot/httpd” was actually “/”. Adidas Gazelle Soldes There in lies the beauty as the program can’t reach any files outside “/chroot/httpd”. basket nike tn soldes Security of the server as a whole is increased due to the fact that the system binaries are off limits. 2018 nike air max In addition, chroots usually only have the bare minimum files inside, so exploits have a harder time breaking in.

Chroots can be broken out of. adidas ultra boost ugg pas cher nike air max 90 homme On FreeBSD, jail can also be used. nike huarache 2018 nike air max nike requin Jail does the same as chroot, but on top of what chroot does, jail restricts what a process can do. 2018 nike air max One of the benefits of OpenBSD is the fact that apache comes chrooted by default, which is nice. new balance gris But, that’s not going to stop NetBSD or FreeBSD from doing this also.

So, why chroot instead of jail? Jailing processes is actually a simple task. chaussure timberland homme Basically I want to help you out with 2 areas in this article. 2018 nike air max The first is to get apache and php chrooted while working with a chrooted mysql. adidas homme And the second, I hope you can figure out from this how to chroot your own processes. asics basket ugg boots bailey Once you figure out how to setup chroot trees, configuring jails should not be a challenge for you at all.


Lets start off by installing apache with mod_ssl and create our SSL certificates.

 # cd /usr/ports/www/apache13-modssl # make # make certificate TYPE=custom # make install 

Next we set a variable of where we wish to place it. To help avoid unnecessary typing, it’s recommended that you have your chroot directory on its own disklabel. Soldes Chaussures Adidas timberland pas cher This way you can place further restrictions in the /etc/fstab file.

 # TGT=/chroot/httpd 


Now we need to prepare our directory structure for the chroot.

 # cd $TGT # mkdir dev # mkdir etc # mkdir tmp # mkdir -p var/run # mkdir -p usr/lib # mkdir usr/libexec # mkdir -p usr/local/www/ # mkdir usr/local/lib # mkdir -p usr/local/etc/apache # mkdir -p usr/local/libexec/apache # mkdir -p usr/local/www/data # mkdir usr/local/www/vhosts # mkdir usr/local/sbin # mkdir -p usr/X11R6/lib # mkdir var/log 

Next, there are a few devices we need in our dev directory in which apache needs. asics gel lyte 3 We will use the mknod for this task.

 # mknod $TGT/dev/null c 2 2 # chown root:sys $TGT/dev/null # chmod 666 $TGT/dev/null # mknod $TGT/dev/random c 2 3 # chown root:wheel $TGT/dev/random # chmod 755 $TGT/dev/random # cd $TGT/dev # ln -s random urandom # vi /etc/rc.conf 

Add the following line in so we can get some logging going on.

 syslogd_flags="-l /chroot/httpd/dev/log" # Or Where your target resides 

Now there are a few methods we can use to figure out what files we need for our chroot: ldd, truss, and strings are amongst the most commonly used. I’ll go over ldd and strings here.

 # ldd /usr/local/sbin/httpd /usr/local/sbin/httpd: => /usr/lib/ (0x280c6000) => /usr/local/lib/ (0x280df000) => /usr/lib/ (0x280e3000) # strings /usr/local/sbin/httpd | grep lib /usr/libexec/ 

Those commands will display the required libraries. timberland earthkeepers bottes Next, we need to copy those required libraries over to our chroot.

 # install -C /usr/local/sbin/httpd $TGT/usr/local/sbin # install -C /var/run/ $TGT/var/run/ # install -C /usr/lib/ $TGT/usr/lib/ # install -C /usr/lib/ $TGT/usr/lib/ # install -C /usr/libexec/ $TGT/usr/libexec/ # install -C /usr/local/lib/ $TGT/usr/local/lib/ # install -C /usr/local/lib/ $TGT/usr/local/lib/ # cp /etc/hosts $TGT/etc/ # cp /etc/resolv.conf $TGT/etc/ # cp /etc/group $TGT/etc/ # cp /etc/master.passwd $TGT/etc/passwords 

Remove everything inside the group and passwords file except for the user/group www and nobody/nogroup

 # vi $TGT/etc/group # vi $TGT/etc/passwords # cd $TGT/etc # pwd_mkdb -p -d $TGT/etc passwords # rm -f $TGT/etc/master.passwd # cp -Rvp /usr/local/etc/apache/* $TGT/usr/local/etc/apache/ 

Now, before we get into too much else, go ahead and install php and any other apache modules, which you require or need.

Once that’s done let’s get those modules inside the chroot tree.

 # cp -Rvp /usr/local/libexec/apache/* $TGT/usr/local/libexec/apache/ 

Now php can be a pain depending upon what options you gave it to install. timberland pas cher So we’re going to determine what libraries php needs just like we did with apache.

 # ldd /usr/local/libexec/apache/ /usr/local/libexec/apache/ => /usr/local/lib/ (0x2833d000) => /usr/local/lib/ (0x28441000) => /usr/lib/ (0x28472000) => /usr/local/lib/ (0x2848b000) => /usr/local/lib/ (0x28542000) 

Those are just a few. I’m sure your list is much longer. ugg pas cher So we need to ensure these libraries are inside our chroot tree.

 # install -C /usr/local/lib/ $TGT/usr/local/lib/ # install -C /usr/local/lib/ $TGT/usr/local/lib/ # install -C /usr/lib/ $TGT/usr/lib/ # install -C /usr/local/lib/ $TGT/usr/local/lib/ # install -C /usr/local/lib/ $TGT/usr/local/lib/ 

And so on…Or, if you wish to take the lazy-man’s approach, you could run this:

 # ldd /usr/local/libexec/apache/ | awk {' print $3 '} | \ # grep '/usr/lib' | xargs -J % install -C % $TGT/usr/lib/ # ldd /usr/local/libexec/apache/ | awk {' print $3 '} | \ # grep '/usr/local/lib' | xargs -J % install -C % $TGT/usr/local/lib/ # ldd /usr/local/libexec/apache/ | awk {' print $3 '} | \ # grep '/usr/X11R6' | xargs -J % install -C % $TGT/usr/X11R6/lib/ 

Now, just to show you how great of a tool xargs is, let’s use it to run the same thing on all the apache modules. Asics 2017 (I would like to thank for teaching me that this wonderful command existed.)

 # ldd /usr/local/libexec/apache/* | grep '=>' | awk {' print $3 '} | \ # grep '/usr/lib' | xargs -J % install -C % $TGT/usr/lib/ # ldd /usr/local/libexec/apache/* | grep '=>' | awk {' print $3 '} | \ # grep '/usr/local/lib' | xargs -J % install -C % $TGT/usr/local/lib/ # ldd /usr/local/libexec/apache/* | grep '=>' | awk {' print $3 '} | \ # grep '/usr/X11R6/lib' | xargs -J % install -C % $TGT/usr/X11R6/lib/ 

Now let’s try to fire it up.

 # chroot $TGT /usr/local/sbin/httpd 

Well, that seems to have worked. ugg australia classic Now we need to integrate mysql into this. This is really simple.

 # cp /etc/my.cnf $TGT/etc/ # ln /chroot/mysql/tmp/mysql.sock $TGT/tmp/mysql.sock 

It should be working now. Just edit your configurations to your desire and enjoy.

Speak Your Mind