# Chrooting Apache, MySQL and BIND

## [ToXiC]

I plan on chrooting the most current versions of Apache, MySQL and BIND. I want to be able to use all and encounter no issues with communication between any of them. What is the best way to do this? I have read all tldp.org information on this and would like some public input or experience.

-[ToXiC]

----------

## delta407

 *[ToXiC] wrote:*   

> I plan on chrooting the most current versions of Apache, MySQL and BIND.

 What's the reason for this? Just curious...

 *[ToXiC] wrote:*   

> I want to be able to use all and encounter no issues with communication between any of them.

Well, since the above applications only communicate over TCP/IP (with the exception of MySQL, using named pipes by default, but which can be used over TCP), you shouldn't have any problems. But remember that both Apache and BIND need privileged ports (80, 53), so they have to be started as root either way.

 *[ToXiC] wrote:*   

> What is the best way to do this?

I would use djbdns and not worry about chrooting.

Anyway, as a heads-up: if you're looking at moving these services into chroot jails, you probably won't be able to use Portage to manage them.

 *[ToXiC] wrote:*   

> I have read all tldp.org information on this and would like some public input or experience.

Personally, I would look at the requirements again. See, chroot jails are good in theory -- keeping services isolated so that compromising one does not mean compromising the others -- but it deteriorates in practice. First, a lot of programs aren't run as root (mysqld), and the ones that are drop root privs immediately after acquiring their sockets (Apache, BIND). Thus, if any of those services are compromised, standard UNIX permissions mean they haven't taken over your machine. They will only be able to act on behalf of their respective users, which usually can't do anything... unless there's a kernel-level exploit that allows privilege elevation, in which case a chroot jail usually doesn't help you very much anyway.

So, let's assume someone gains access to Apache. They can read all files that can be read as Apache, which includes (for instance) configuration files for your web-based data-driven application. (After all, the application runs within Apache, so it must be able to read its own config.) Bam! The attacker just stole your database password, and can obtain and/or destroy important, confidential information -- accessing MySQL, even though it was Apache that was compromised. Will a chroot jail help this situation? No.

IMO, the benefits for chroot jails are minimal. They do exist, but in most cases are trivial enough not to matter. Further, the cost associated with chrooting all of your services is high: extra maintenance, figuring out what libraries to copy over, and extreme testing your nonstandard configuration costs time, and time is expensive.

So, think about it.
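The "figuring out what libraries to copy over" cost mentioned above is the part people usually script. As an added illustration (not code from the thread or from any of the projects discussed), this Python helper parses `ldd` output for a daemon binary and plans the copies a jail would need, treating the three line shapes `ldd` emits differently: a virtual object with no file behind it (skipped), a resolved library (copied), and the dynamic loader, which has a path but no `=>` (copied). A `not found` entry is reported rather than silently dropped, since a jail built from such output would fail at start. The sample output and jail path are constructed.

```python
import os
import re
import subprocess
from typing import List, Tuple

# Constructed sample of `ldd` output for a daemon on a glibc system.
# The paths are illustrative, not taken from the original thread.
SAMPLE_LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd1c3f9000)
\tlibssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f2a1c200000)
\tlibcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f2a1bf00000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f2a1bd00000)
\tlibmysqlclient.so.21 => not found
\t/lib64/ld-linux-x86-64.so.2 (0x00007f2a1c400000)
"""

# One ldd line: NAME [=> PATH|not found] [(0xADDR)]
LDD_LINE = re.compile(
    r"^\s*(?P<name>\S+)(?:\s+=>\s+(?P<path>not found|\S+))?"
    r"(?:\s+\((?P<addr>0x[0-9a-f]+)\))?\s*$"
)


def parse_ldd(output: str) -> Tuple[List[str], List[str]]:
    """Return (resolved_paths, missing_names) from raw ldd output."""
    resolved, missing = [], []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = LDD_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ldd line: {line!r}")
        name, path = m.group("name"), m.group("path")
        if path == "not found":
            missing.append(name)          # jail would fail to start without it
        elif path:
            resolved.append(path)         # ordinary shared library
        elif name.startswith("/"):
            resolved.append(name)         # dynamic loader: absolute path, no '=>'
        # else: virtual object such as linux-vdso.so.1, nothing on disk to copy
    return resolved, missing


def plan_jail_copies(jail_root: str, binary: str, libs: List[str]) -> List[Tuple[str, str]]:
    """Map each host file to its destination inside jail_root, preserving the path layout."""
    files = [binary] + libs
    return [(src, os.path.join(jail_root, src.lstrip("/"))) for src in files]


def collect_dependencies(binary: str) -> Tuple[List[str], List[str]]:
    """Run the real `ldd` on a host binary and parse its output (needs ldd installed)."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    return parse_ldd(out)
```

Symlinked library paths (common for libc) must be copied as both the link and its target, which this plan does not resolve; `os.path.realpath` on each source is the usual addition.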

----------

## puke

I agree delta407!  However, if you still wish to continue down the path of chrooting apache web server, there is a wealth of info on the interweb.  You could start here.

----------

## loseruser

 *[ToXiC] wrote:*   

> I plan on chrooting the most current versions of Apache, MySQL and BIND. I want to be able to use all and encounter no issues with communication between any of them. What is the best way to do this? I have read all tldp.org information on this and would like some public input or experience.
> 
> -[ToXiC]

I was curious what you ended up doing with the Apache & MySQL stuff.  I already run my dhcp & dns servers in chroot jails (it was easy as USE="chroot" emerge bind dhcp).  I've thought about putting them in jails before, I just didn't know if it came out of portage that way and I don't want to have to do it m'self if I don't have to.

----------

## febs

When I do a

```shell
emerge -pv bind
```

the "chroot" USE flag does not show up in the list.

Is it no longer there for some reason, or does it just not show up for some other?

TY

----------

