Debian lenny: switch Apache in a chroot environment

To do this i’ve followed an howto from unixlife.it with some modifications.
Assuming you have your websites on /var/www/ and you want to move it on a chroot dir, /var/chroot/apache/, for example, let’s see what do you need to do:
Remember to do a complete backup before doing anything that could be “dangerous”.

In /etc/apache2/apache2.conf add those lines:

ChrootDir /var/chroot/apache
LoadFile /lib/libgcc_s.so.1
LoadFile /lib/libnss_dns.so.2

The you’ve to create the directories for the chroot environment (a bit different from the unixlife article):

mkdir -p /var/chroot/apache/var/www
cd /var/chroot/apache
mkdir bin dev etc lib tmp usr var
mkdir bin lib sbin share
mkdir curl misc php zoneinfo
mount -t auto -o bind /usr/share/php /var/chroot/apache/usr/share/php
mount -t auto -o bind /var/www /var/chroot/apache/var/www
mount -t auto -o bind /tmp /var/chroot/apache/tmp/


Add in /etc/fstab:

/var/www /var/chroot/apache/var/www auto bind 0 0
/usr/share/php /var/chroot/apache/usr/share/php auto bind 0 0
/tmp /var/chroot/apache/tmp auto bind 0 0

Let’s go on:

cd /var/chroot/apache/var
mkdir cache run spool www
mkdir cache/apache2
chown apache:root /var/chroot/apache/var/cache/apache2

Let’s prepare mysql and copy the various libraries:

cd /var/chroot/apache/var/run
mkdir mysqld
chown mysql:root mysqld/
cd /var/chroot/apache/lib

cp /lib/ld-linux.so.2 .
cp /lib/libc.so.6 .
cp /lib/libdl.so.2 .
cp /lib/libncurses.so.5 .
cp /lib/libnsl.so.1 .
cp /lib/libnss_compat.so.2 .
cp /lib/libnss_dns.so.2 .
cp /lib/libnss_files.so.2 .
cp /lib/libnss_nis.so.2 .
cp /usr/lib/libz.so.1 .

cd /var/chroot/apache/etc
cp /etc/hosts .
cp /etc/ld.so.cache .
cp /etc/localtime .
cp /etc/nsswitch.conf .
cp /etc/passwd .
REMOVE from /var/chroot/apache/etc/passwd ALL users except bin, mail, www-data and nobody
cp /etc/resolv.conf .
cp /etc/services .
cd /var/chroot/apache/dev
mknod -m 444 urandom c 1 9
mknod -m 666 null c 1 3
cd /var/chroot/apache/bin
cp /bin/sh .
cp /bin/bash .

Open /etc/mysql/my.cnf and edit:

[client]
socket = /var/chroot/apache/var/run/mysqld/mysqld.sock

[mysqld_safe]
socket = /var/chroot/apache/var/run/mysqld/mysqld.sock

Open /etc/apache2/envvars, it should have those lines:

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
export APACHE_PID_FILE=/var/run/apache2.pid

Open /etc/php5/apache2/php.ini and change session.save_path like this:

session.save_path = /tmp

Load the chroot module in apache with ae2nmod:

aptitude install ae2nmod
a2enmod mod_chroot

and restart it.
I hope i haven’t forgot anything :)
In that case, please point it out!

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *