# apache in chrooted jail. [Solved]

## KWhat

OK, I have followed this guide (http://gentoo-wiki.com/Apache_chroot:_the_mod_security_way#Building_the_jail) and managed to get apache and mysql running in a chrooted jailed env; however, apache will not load my vhosts and for some reason returns (52) Empty reply from server.

apache error.log

```
[Tue Apr 17 16:53:27 2007] [notice] mod_security: chroot checkpoint #1 (pid=24940 ppid=24936)
[Tue Apr 17 16:53:27 2007] [notice] mod_security/1.9.4 configured
[Tue Apr 17 16:53:27 2007] [notice] mod_security: chroot successful, path=/wwwjail
[Tue Apr 17 16:53:27 2007] [notice] Apache configured -- resuming normal operations
[Tue Apr 17 23:53:38 2007] [notice] child pid 24943 exit signal Segmentation fault (11)
```

vhost.conf file

```
<VirtualHost _default_:80>
        DocumentRoot /wwwjail/default/wwwroot
</VirtualHost>
```

I am at a loss as to what the heck is going on with this thing.

Thanks.

Last edited by KWhat on Wed Apr 18, 2007 10:17 pm; edited 1 time in total

----------

## sn4rf3r

Can you post the relevant portions of httpd.conf, conf.d/apache2, and /etc/apache2/modules/99_mod_security.conf?

----------

## KWhat

99_mod_security.conf

```
<IfDefine SECURITY>
  <IfModule !mod_security.c>
    LoadModule security_module    modules/mod_security.so
  </IfModule>
</IfDefine>

# Examples below are taken from the online documentation
# Refer to:
# http://www.modsecurity.org/documentation/quick-examples.html

<IfModule mod_security.c>
  # Include mod security configs
  #Include /etc/apache2/modules.d/mod_security_rules/*.conf

  # Point to chroot folder
  SecChrootDir /wwwjail
</IfModule>
```

/etc/conf.d/apache2

```
APACHE2_OPTS="-D SECURITY -D DEFAULT_VHOST -D PHP5"
```

httpd.conf is pretty generic and long...

----------

## KWhat

*** Update:

Looks like mpm-peruser is messing with apache.... should have paid attention to that big fat warning =)

I am going to tinker with it; maybe if it's compiled with apache I have to configure it.

----------

## sn4rf3r

Use prefork or worker instead. I have had success with prefork + php4/5.

----------

## KWhat

I need the access restrictions for peruser. I managed to figure it out: if you have peruser disabled in the conf.d/apache2 file it still causes some issues. After adding it back in and doing the actual config for the jail root, everything worked fine.

----------

## KWhat

This is a very rough guide to what I did to get the box working, if anyone else wants to try. Peruser is very new, has a lot of bugs, and the documentation is non-existent.

First log in as root.

```
# su
```

You must set up a jail root. I prefer setting up /wwwjail or something to that effect.

```
# mkdir /wwwjail
```

Now set up a jail user for the web developer. I followed the guide at http://gentoo-wiki.com/HOWTO_Jail. You could also use a package called jailkit, although there is no direct gentoo support.

Install Jail:

```
# emerge -av jail
```

Add a group for the jailed user:

```
# groupadd wwwdev
```

Add a jailed user. This adds a system account for the user:

```
# useradd -g wwwdev -d /wwwjail -s /usr/bin/jail wwwdev
```

Create the files for the jail env:

```
# mkjailenv /wwwjail
```

Add our user to the jail. This adds a jail account for the user:

```
# addjailuser /wwwjail / /bin/bash wwwdev
```

Add very, very basic commands and software to our jail:

```
# addjailsw /wwwjail -D
```

Add a shell to our jail so our wwwdev user can log in and do things:

```
# addjailsw /wwwjail -P bash
```

If you are using gentoo, fix some broken libs:

```
# the jail root in this guide is /wwwjail, so the loader goes into its lib/
# cp /lib/ld-linux.so.2 /wwwjail/lib/
```

Add some bash specific things to make things look nice:

```
# mkdir /wwwjail/etc/bash
# cp /etc/bash/bashrc /wwwjail/etc/bash/
# cp /etc/profile /wwwjail/etc/
# cp /etc/DIR_COLORS /wwwjail/etc/
```

Add whoami to the jail:

```
# addjailsw /wwwjail -P whoami
```

Add the ssmtp mail daemon to the jail. You need to merge ssmtp into the jail manually. Instructions are located in the chroot wiki guide for apache.

Now we move on to setting up apache. Again, for gentoo we used the following guides:

http://gentoo-wiki.com/Apache_chroot:_the_mod_security_way

http://gentoo-wiki.com/Apache_Modules_mod_security

**Note: you can skip creating the chrooted env in the "Apache chroot: the mod security way" document above! Our environment was already created when we jailed the user.**

You need to set up or compile apache with mpm-peruser support. Do not use any other mpm or threads!

```
# USE="apache2 mpm-peruser ssl" emerge -av apache
```

Edit the /etc/conf.d/apache2 file and add -D PERUSER to the APACHE2_OPTS line.

Edit the apache init.d scripts as outlined at the link location above.

Note that you need a Processor in the httpd.conf file for each vhost or each apache env you want to run as a different user.

```
Processor apache apache /wwwjail
Processor apache default /wwwjail
Processor apache survey /wwwjail
Processor apache portal /wwwjail
Processor apache trackit /wwwjail
```

Then in each of the vhost settings you need to add in the appropriate ServerEnvironment.

```
<IfModule peruser.c>
        # this must match a Processor
        ServerEnvironment apache default /wwwjail
        # these are optional - defaults to the values specified above
        MinSpareProcessors 4
        MaxProcessors 20
</IfModule>
```

Move /etc/apache2 to /wwwjail/etc and symbolic link /etc/apache2 to the chrooted location (also outlined at the link above).

Also you must install mod_security for apache2. At the time of writing this document the best gentoo had to offer was mod_security 1.9.4. I believe 2.0 is available but it did not work with gentoo and so it is untested! Make sure you configure mod_security as specified above. Version 1.9.4 conf files are included with this file.

```
# emerge -av mod_security
```

Make sure you disable suexec2! This is a security issue and probably shouldn't be enabled by default!

```
# chmod u-s /usr/sbin/suexec2
```

Now you need to set up groups for each of your vhosts. And each vhost root should be set up as:

```
# chown -Rvf wwwdev:<vhost_grp> /path/to/vhost_root && chmod -Rvf o-rwx /path/to/vhost_root
```

After setting up the httpd.conf file and also setting up the vhost conf files we should be good to go.

One last thing. Edit the /wwwjail/etc/passwd file and make the user's home directory the /path/to/vhost_root so the web developer doesn't get confused =)

Last edited by KWhat on Thu May 03, 2007 3:47 pm; edited 1 time in total
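A check script for the setup in the post above, added here as an example; it is not code from the thread or from the gentoo-wiki guides it links. It covers the three places where the guide leaves it to the reader to get things right: every ServerEnvironment in the vhost configs must name a Processor with the same user, group and chroot (the mismatch mpm-peruser trips over), each vhost root must carry no "other" permission bits after the chown/chmod step, and suexec2 must not be setuid. The vhost names, user and group names, paths and the sample config are assumptions for the demo; on a real box point the functions at /wwwjail/etc/apache2/vhosts.d, the vhost roots and /usr/sbin/suexec2.

```sh
#!/bin/sh
# Added example, not code from this thread or from the gentoo-wiki guides it
# links. Audits three things the guide above leaves to the reader to get right:
#   1. every ServerEnvironment in the vhost configs names a Processor that exists
#      (mpm-peruser needs the user/group/chroot triple to match)
#   2. each vhost root carries no "other" permission bits (chmod -R o-rwx)
#   3. a given binary (suexec2 in the guide) is not setuid (chmod u-s)
# Paths, user/group names and the sample config are assumptions for the demo.

# Print "user group chroot" for every DIRECTIVE line read from stdin, with
# full-line comments dropped. A missing chroot argument is printed as "-" so
# Processor and ServerEnvironment triples compare on the same shape.
peruser_triples() {
    sed 's/^[[:space:]]*#.*//' |
        awk -v d="$1" '$1 == d && NF >= 3 { print $2, $3, (NF >= 4 ? $4 : "-") }'
}

# Return 1 (listing the offenders on stderr) if any ServerEnvironment in the
# config file has no Processor with the same user, group and chroot.
check_peruser_match() {
    cfg="$1"
    missing=$(peruser_triples ServerEnvironment < "$cfg" | sort -u |
        while read -r env; do
            peruser_triples Processor < "$cfg" | grep -qxF -- "$env" || echo "$env"
        done)
    [ -z "$missing" ] && return 0
    printf 'ServerEnvironment without a matching Processor: %s\n' "$missing" >&2
    return 1
}

# Return 1 (listing the offenders on stderr) if anything under the vhost root is
# readable, writable or executable by "other".
check_vhost_perms() {
    offenders=$(find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)
    [ -z "$offenders" ] && return 0
    printf 'world-accessible under %s: %s\n' "$1" "$offenders" >&2
    return 1
}

# What the guide prescribes per vhost root: chown -R OWNER:GROUP, chmod -R o-rwx.
# chown needs root and is skipped when running unprivileged; the mode fix always applies.
harden_vhost() {
    [ "$(id -u)" -eq 0 ] && chown -R "$2:$3" "$1"
    chmod -R o-rwx "$1"
}

# Return 1 if the file carries the setuid bit (the guide strips it from suexec2).
check_not_setuid() {
    [ -z "$(find "$1" -maxdepth 0 -perm -4000 2>/dev/null)" ]
}

# Constructed sample config: the "survey" vhost has a ServerEnvironment but no
# Processor, which is exactly the mismatch check_peruser_match is meant to catch.
write_sample_config() {
    cat > "$1" <<'EOF'
<IfModule peruser.c>
    # one Processor per user/group/chroot combination
    Processor apache default /wwwjail
    Processor apache portal /wwwjail
</IfModule>
<VirtualHost *:80>
    ServerName default.example
    <IfModule peruser.c>
        ServerEnvironment apache default /wwwjail
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName survey.example
    <IfModule peruser.c>
        ServerEnvironment apache survey /wwwjail
    </IfModule>
</VirtualHost>
EOF
}

# Stand-alone demo on a scratch directory: run the checks, fix the modes, re-check.
audit_demo() {
    tmp=$(mktemp -d) || return 1
    write_sample_config "$tmp/vhosts.conf"
    mkdir -p "$tmp/default/wwwroot"
    echo ok > "$tmp/default/wwwroot/index.html"
    chmod 755 "$tmp/default" "$tmp/default/wwwroot"
    check_peruser_match "$tmp/vhosts.conf" && echo "peruser: ok" || echo "peruser: mismatch"
    check_vhost_perms "$tmp/default" && echo "perms: ok" || echo "perms: world-accessible"
    # on the real box this would be: harden_vhost /path/to/vhost_root wwwdev <vhost_grp>
    harden_vhost "$tmp/default" "$(id -un)" "$(id -gn)"
    check_vhost_perms "$tmp/default" && echo "perms after harden: ok"
    check_not_setuid "$tmp/default/wwwroot/index.html" && echo "setuid: ok"
    rm -rf "$tmp"
}

audit_demo
```

The Processor/ServerEnvironment comparison is deliberately exact on all three fields: a ServerEnvironment that names the right user and group but a different (or missing) chroot still has nothing to run in, so it is reported as unmatched rather than silently accepted.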

----------

## sn4rf3r

Great! thanks for the update.

----------

## KWhat

I wrote up the install in the wiki.  It goes into much more detail.

http://gentoo-wiki.com/Apache:_mpm-peruser_and_apache_chroot

----------

## ppoudrier

I'll suggest that you use a virtual server instead of chroot; it's much easier to maintain and more secure.

If you need information, see here:

http://www.gentoo.org/proj/en/vps/vserver-howto.xml

----------

