# [HOWTO] Chrooting Apache2

## ka0ttic

[HOWTO] Chrooting Apache2

UPDATE:  Thanks go to David Stanek for converting the document to the same format as Gentoo's documents. 

Some folks on the gentoo-web-user mailing list requested this, but I figured I'd release it to the masses too   :Razz: 

It is available at http://butsugenjitemple.org/~ka0ttic/docs/apache_chroot/.

Please try it out and give feedback so that I may improve the document.

----------

## mli

Thanks for a great howto, I got my apache chrooted nicely.

I noticed that apache2splitlogfile does not work properly and made apache slow down almost immediately without perl (addjailsw /chroot/apache -P /usr/bin/perl) inside chroot.

Some questions: 

I have mod_php installed and after chrooting there were about 15-20 libs missing from /chroot/apache/usr/lib and /chroot/apache/lib. I copied those libs to the right location manually but it was pretty slow; is it possible to do this automatically with jail somehow?

/chroot/apache/etc/shadow contains the crypted root password; should I manually edit that to * and maybe change root's shell from /bin/bash to /bin/false in /chroot/apache/etc/passwd?

----------

## placeholder

Is it not true that unless there's a kernel-level vulnerability, it's not really necessary to run Apache2 in a chroot? I read that on the forums somewhere before.

----------

## ka0ttic

 *Pwnz3r wrote:*   

> Is it not true that unless there's a kernel-level vulnerability, it's not really necessary to run Apache2 in a chroot? I read that on the forums somewhere before.

 

I cannot say with 100% certainty, as I am not a security expert, but I would take that with a grain of salt.  The main parent apache process runs as root, which means if apache has a bug somewhere that can be exploited it is possible to gain root privileges.

There is a reason that one of (if not the) most secure operating systems on this planet (OpenBSD) runs apache chroot'ed by default.

Even if it wasn't possible, wouldn't you still feel better knowing that if for some reason someone gained root access, the most harm they could do would be deleting files inside the chroot environment?

OTOH, running apache in a chroot probably isn't for the faint-hearted.  You'll run into a problem now and then, and might have to modify things to adapt to the chroot env.  And on top of that it makes it harder to administer.  For example, if you have user aliases set up, the files must be inside the chroot env, and you can then link the public_html to their home dir (or even better just make their homedir ${chroot_path}/home/username).  It's definitely more of a PITA to administer.

Cheers

----------

## ka0ttic

 *mli wrote:*   

> Thanks for a great howto, I got my apache chrooted nicely.
> 
> I noticed that apache2splitlogfile does not work properly and made apache slow down almost immediately without perl (addjailsw /chroot/apache -P /usr/bin/perl) inside chroot.
> 
> Some questions: 
> ...

 

I haven't really messed with extra apache modules inside the chroot env so I cannot offer much help in that regard.  Some work and some don't.  The best advice I can think of is to google around and see if you can find any other people that have tried to run mod_php inside a chroot env.

As far as the root password goes, it definitely wouldn't hurt to do that.  I wouldn't think it would matter, but you never can know.

----------

## Torin_

```
Init scripts

Well, hopefully everything worked ok. If so, then download the Init scripts.

Code listing 2.13

# cp /etc/conf.d/apache2 /etc/conf.d/apache2.chroot
# cp /etc/init.d/apache2 /etc/init.d/apache2.chroot

/etc/conf.d/apache2.chroot (download)

Change APACHE_CHROOTDIR to your chroot environment (or leave alone if you used the same path as I did in this document).

Change PIDFILE to 'PIDFILE=${APACHE_CHROOTDIR}/var/run/apache2.pid'

/etc/init.d/apache2.chroot (download)
```

That's on the website, but there are no files to download.

----------

## ka0ttic

 *Torin_ wrote:*   

> 
> 
> ```
> 
> Init scripts 
> ...

 

Fixed & Updated.  Thanks.

----------

## vdboor

 *ka0ttic wrote:*   

> The main parent apache process runs as root, which means if apache has a bug somewhere that can be exploited it is possible to gain root privileges.
> 
> There is a reason that one of (if not the) most secure operating systems on this planet (OpenBSD) runs apache chroot'ed by default.
> 
> Even if it wasn't possible, wouldn't you still feel better knowing that if for some reason someone gained root access, the most harm they could do would be deleting files inside the chroot environment?

 

In case you're wondering: it is possible to run apache without a root process, I've managed to get my apache server running completely as normal user: https://forums.gentoo.org/viewtopic.php?t=188692

 *Pwnz3r wrote:*   

> Is it not true that unless there's a kernel-level vulnerability, it's not really necessary to run Apache2 in a chroot? I read that on the forums somewhere before.

 

There is one important thing to know: chrooting doesn't protect you from everything. In BSD, they have a jail() function that also restricts the process from communicating with other processes. A chroot() in Linux does not do this; the root process can freely communicate with the other non-chrooted processes. This opens the possibility to use vulnerabilities in those processes to break out of the chroot-ed environment.

A chroot does have another advantage however: the attacker can't use tools located outside of the chroot-ed environment, or tools having vulnerabilities that can be abused to gain privileges.

----------

## vdboor

ka0ttic, I was wondering about something:

In your tutorial you explained something about installing Perl in the chroot, but to my best knowledge, a Perl interpreter or C compiler enables attackers to break out of a chroot (because both Perl and C/C++ allow you to call the chroot() function again).

I may be ignorant, or perhaps this is an issue of the past, but I hope someone can clarify this mystery for me.  :Confused: 

----------

## ka0ttic

 *vdboor wrote:*   

> ka0ttic, I was wondering about something:
> 
> In your tutorial you explained something about installing Perl in the chroot, but to my best knowledge, a Perl interpreter or C compiler enables attackers to break out of a chroot (because both Perl and C/C++ allow you to call the chroot() function again)
> 
> I may be ignorant, or perhaps this is an issue of the past, but I hope someone can clarify this mystery for me.

 

You're right.  I've never thought about that.  Good thing Grsecurity exists ;p  if you have chroot restrictions enabled, you can not chroot() inside a chroot.  Otherwise, it probably wouldn't be the best of ideas to have perl inside the chroot env.

----------

## idoneus

 *vdboor wrote:*   

> a Perl interpreter or C compiler enables attackers to break out of a chroot (because both Perl and C/C++ allow you to call the chroot() function again)

 

AFAIK you still need root privileges to call the chroot command.

----------

## Torin_

I think that the init script is a little buggy because I get something like this:

```
root@deception /home/torin # /etc/init.d/apache2.chroot start
: command not found line 2: 
: command not found line 4: 
: command not found line 10: 
: command not found line 12: 
: command not found line 15: 
: command not found line 29: 
: command not found line 31: 
: command not found line 37: 
: command not found line 40: 
: command not found line 45: 
: command not found line 49: 
 * Re-caching dependency info (mtimes differ)...
/etc/apache2/conf/apache2.confn file: /etc/chroot/apache
```

Could someone comment on that and give any clues as to what's wrong?

----------

## mli

Here are the files I had to copy inside chroot for php to work properly:

```
cp /usr/lib/apache2-extramodules/libphp4.so /chroot/apache/usr/lib/apache2-extramodules/libphp4.so
cp /etc/apache2/conf/modules.d/70_mod_php.conf /chroot/apache/etc/apache2/conf/modules.d/70_mod_php.conf
cp /usr/lib/libsablot.so.0 /chroot/apache/usr/lib/libsablot.so.0
cp /usr/lib/libmysqlclient.so.12 /chroot/apache/usr/lib/
cp /usr/lib/libmhash.so.2 /chroot/apache/usr/lib/libmhash.so.2
cp /usr/lib/libmcrypt.so.4 /chroot/apache/usr/lib/libmcrypt.so.4
cp /usr/lib/libltdl.so.3 /chroot/apache/usr/lib/libltdl.so.3
cp /lib/libpam.so.0 /chroot/apache/lib/libpam.so.0
cp /usr/lib/libexslt.so.0 /chroot/apache/usr/lib/libexslt.so.0
cp /usr/lib/libxslt.so.1 /chroot/apache/usr/lib/libxslt.so.1
cp /usr/lib/libdb.so.2 /chroot/apache/usr/lib/libdb.so.2
cp /usr/lib/libcrack.so.2 /chroot/apache/usr/lib/libcrack.so.2
cp /usr/lib/libbz2.so.1.0 /chroot/apache/usr/lib/libbz2.so.1.0
cp /lib/libresolv.so.2 /chroot/apache/lib/libresolv.so.2
cp /usr/lib/libxmlparse.so.0 /chroot/apache/usr/lib/libxmlparse.so.0
cp /usr/lib/libxmltok.so.0 /chroot/apache/usr/lib/libxmltok.so.0
cp /usr/lib/libxml2.so.2 /chroot/apache/usr/lib/libxml2.so.2
cp /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/libstdc++.so.5 /chroot/apache/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/libstdc++.so.5
cp -R /etc/php /chroot/apache/etc
```

Note that these may or may not be the correct libs depending on your system. Also note that the symbolic link lib in /chroot/apache/etc/php/apache2-php4 still points to /usr/lib/apache2-extramodules/ and not /chroot/apache/usr/lib/apache2-extramodules/, so be careful if removing something inside it.

Hope this helps someone.
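The library hunt in the list above can be automated with ldd, which answers the earlier question of whether the copying can be done by script rather than by hand. This is an added example, not code from the HOWTO or from anyone in this thread; it assumes a glibc-style ldd output format and the /chroot/apache layout used in the thread.

```shell
#!/bin/sh
# Added example (not from the HOWTO or this thread): find the shared libraries a
# binary or Apache module needs with ldd and copy them into the chroot, instead
# of hunting them down one "cannot open shared object file" at a time.
# Assumes a glibc-style ldd that prints "name => /path (0xaddr)" lines and a
# bare "/lib/ld-linux.so.2 (0xaddr)" line for the dynamic loader.

# ldd_paths: read ldd output on stdin and print one host library path per line.
# The loader line has no "=>" but starts with "/"; "linux-gate.so.1 => (0x...)"
# (the kernel vDSO) has no path and is skipped; "not found" is reported, since
# a library missing on the host will be missing in the jail too.
ldd_paths() {
    awk '
        /not found/ { print "warning: " $1 " not found on host" > "/dev/stderr"; next }
        /=>/        { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//  { print $1 }
    '
}

# copy_into_chroot CHROOT PATH: copy host file PATH to CHROOT/PATH, creating
# the directory.  cp follows symlinks, so a versioned symlink such as
# libbz2.so.1.0 -> libbz2.so.1.0.2 ends up as a real file under the linked name.
copy_into_chroot() {
    chroot_dir=$1; src=$2
    mkdir -p "$chroot_dir$(dirname "$src")"
    cp -p "$src" "$chroot_dir$src"
}

# addlibs CHROOT FILE...: copy each FILE plus everything ldd resolves for it.
# Because the dynamic loader is included, this also covers the
# "chroot: cannot run command ... No such file or directory" case, which is
# the error execve gives when the ELF interpreter (ld-linux.so.2) is missing
# from the jail even though the binary itself is there.
addlibs() {
    chroot_dir=$1; shift
    for f in "$@"; do
        copy_into_chroot "$chroot_dir" "$f"
        ldd "$f" | ldd_paths | while read -r lib; do
            copy_into_chroot "$chroot_dir" "$lib"
        done
    done
}

# Usage (as root; paths are the ones used in the HOWTO and in the list above):
#   addlibs /chroot/apache /usr/sbin/apache2 /usr/lib/apache2-extramodules/libphp4.so
```

Libraries loaded at runtime with dlopen (PHP extensions, NSS modules such as libnss_files, PAM modules) are invisible to ldd and still have to be added by hand.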

----------

## Torin_

Ok I've done it.

Also I had to copy many libraries because I have png etc. support.

My question is, can I run mod_userdir with local pages from /home/*/www?

Not from /etc/chroot/apache/home/*/?

I wonder also how big your chroot is; mine is 65MB  :Smile: 

----------

## ka0ttic

 *Torin_ wrote:*   

> Ok I've done it.
> 
> Also I had to copy many libraries becouse i have png and etc supprot.
> 
> My question is, can i run mod_userdir with local pages from /home/*/www ???
> ...

 

No, the homedirs need to be under the chroot env.  If you put /home as the path in your apache config, then apache will use /chroot/apache/home.  To apache, that is /home and / is /chroot/apache and it cannot see outside of that.

What I just ended up doing was creating a symlink from /chroot/apache/home/user/public_html to their real home directory, or if they weren't a local user (ie. me), I would just add the user to /chroot/apache/etc/passwd and use /chroot/apache/home/user as their real homedir.

65M isn't very much space considering you need space for both the binaries/libs for apache and modules, as well as the space to host the whole site.  My partition for /chroot is 5G, but I also run my cvs server chroot'ed there, which takes a couple hundred megs...

----------

## dasalvagg

I'm getting an error when I try to run the test.  The file DOES exist.  I'm on amd64, I don't know if this would cause problems.  I haven't seen anyone else using it.

 *Quote:*   

> 
> 
> chroot: cannot run command `/usr/sbin/apache2ctl': No such file or directory

 

----------

## amne

Moved from GC.

----------

## RUDIII

 *dasalvagg wrote:*   

> I'm getting an error when I try to run the test.  The file DOES exist.  I'm on amd64, I dont know if this would cause problems.  I haven't seen anyone else using it.  
> 
>  *Quote:*   
> 
> chroot: cannot run command `/usr/sbin/apache2ctl': No such file or directory 

 

Same problem here!

----------

## pointers

hi friends,

if you test my apache chroot ebuild and send me feedback, it is going to be great for me. Here is the ebuild:

http://www.genco.gen.tc/gentoo_chroot_apache2.html . It converts an existing apache2 installation into a chroot environment like the one made in bind.

Not many people have tested it so I need somebody to test it to understand if it fails in any part.

I am using an apache2 chroot which is converted by this ebuild in a production server.

Best Regards.

----------

## a9db0

 *dasalvagg wrote:*   

> I'm getting an error when I try to run the test.  The file DOES exist.  I'm on amd64, I dont know if this would cause problems.  I haven't seen anyone else using it.  
> 
>  *Quote:*   
> 
> chroot: cannot run command `/usr/sbin/apache2ctl': No such file or directory 

 

And a third Me Too!

I'm running currently up to date on a PII400, so it shouldn't be an architecture problem.  Has anyone any suggestions on what to try or how to fix?

Dave

----------

## mrbox

 *a9db0 wrote:*   

>  *dasalvagg wrote:*   I'm getting an error when I try to run the test.  The file DOES exist.  I'm on amd64, I dont know if this would cause problems.  I haven't seen anyone else using it.  
> 
>  *Quote:*   
> 
> chroot: cannot run command `/usr/sbin/apache2ctl': No such file or directory  
> ...

 

Copy /lib/ld-linux.so.2 to your chroot , that solved it for me.

----------

## slashdot

The link doesn't seem to be working. Anyone any ideas where it has been moved to?

----------

## dausha

If you google for it and then look at archived, then you will find it. 

Alternatively, since it was released with an open license, I have posted it on my site:

http://www.dausha.net/index.php/Technical/HowToChrootApacheInGentoo

Although, there are two commands that are missing because the software I use to help manage my site chokes on them:

```
grep apache /etc/passwd >> /chroot/apache/etc/passwd
grep apache /etc/group >> /chroot/apache/etc/group
```
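As an added example (not from dausha's post or the HOWTO), the two grep commands above can be done more strictly, matching the account name exactly so that "apache" does not also pull in an "apache2" account, and combined with the locked root entry and shadow file that mli asked about earlier in the thread. The source and chroot paths are parameters so the functions can be exercised on constructed files; it assumes the apache user and group share a name.

```shell
#!/bin/sh
# Added example, not from the HOWTO or the thread: build the minimal account
# files a chrooted Apache needs.  Only the apache user/group are copied from
# the real system files (the grep step above), and root is written with a
# locked password and /bin/false, so the copy of /etc/shadow inside the jail
# never carries a usable root hash.  Paths are arguments so this can be run
# against constructed files; the user and group are assumed to share a name.

# passwd_entry FILE NAME: print the line for account NAME from a passwd- or
# group-format FILE (exact match on the first field, unlike a bare grep).
passwd_entry() {
    awk -F: -v name="$2" '$1 == name' "$1"
}

# write_chroot_accounts CHROOT SRC_PASSWD SRC_GROUP USER
write_chroot_accounts() {
    chroot_dir=$1; src_passwd=$2; src_group=$3; user=$4
    mkdir -p "$chroot_dir/etc"
    # root is kept so uid 0 still resolves to a name, but gets no shell
    printf 'root:x:0:0:root:/:/bin/false\n' > "$chroot_dir/etc/passwd"
    passwd_entry "$src_passwd" "$user" >> "$chroot_dir/etc/passwd"
    printf 'root:x:0:\n' > "$chroot_dir/etc/group"
    passwd_entry "$src_group" "$user" >> "$chroot_dir/etc/group"
    # "*" can never equal a crypt(3) result, so neither account can authenticate
    printf 'root:*:0:0:99999:7:::\n%s:*:0:0:99999:7:::\n' "$user" \
        > "$chroot_dir/etc/shadow"
    chmod 644 "$chroot_dir/etc/passwd" "$chroot_dir/etc/group"
    chmod 600 "$chroot_dir/etc/shadow"
}

# Usage (as root, with the layout from the HOWTO):
#   write_chroot_accounts /chroot/apache /etc/passwd /etc/group apache
```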

----------

## dausha

 *Quote:*   

> Is it not true that unless there's a kernel-level vulnerability, it's not really necessary to run Apache2 in a chroot? I read that on the forums somewhere before.

 

I've not read that anywhere. However, tightening a server is always a good idea. Apache can be compromised by XSS exploits, and there are several Portage packages that have these exploits. I recently had a server that was successfully hacked because of an XSS exploit. I was able to catch them before they were able to do anything with it, fortunately. It would have been better if I had chrooted.

IIRC, OpenBSD chroots Apache by default, and they arguably have the most secure OS.

The issue is of paranoia. Server Admins should be extremely paranoid and implement as many safeguards as possible because the potential harm is more catastrophic. (Sort of why you put on a seatbelt--you may never get into an accident, but just in case . . . .)

Always err on the side of more security.

----------

## carpman

Hello, ok, trying to get my head around chrooting apache. I am currently building and testing a server for a web project which will use socketmail, a webmail solution which uses its own SMTP/POP3 daemon.

From what I have read so far I would create the apache chroot, and into this I would put the tools/apps/libs I need; what I'm not sure about is how php works, the website's file structure etc.

Do I also put in the website, which currently is in /srv/www.mydomain.com/htdocs?

What about the mysql database? Currently I have /var/lib/mysql on its own scsi disk; /srv also has its own partition.

What about when updating the system, would I need to stop the chrooted apache and copy over the new versions?

cheers

----------

