04-18-2003, 04:12 PM
|
#1
|
|
Member
Registered: Dec 2002
Location: USA
Distribution: SuSE, CentOS, Gentoo
Posts: 166
Rep:
|
chrooted apache problem
I believe I'm pretty close to getting my apache2 setup in chroot. The only problem I'm having is when I try to start the service I get this error message:
apache2: bad user name apache
that 'apache' after 'user name' changes with whatever the 'User' variable in the apache.conf file is set to. Just for testing, I've copied my /etc/passwd, /etc/shadow, /etc/shadow-, /etc/group, /etc/group- all into the chroot, but it still comes up with this error. I've read somewhere that it may need PAM in the chroot, but I've copied my PAM (as far as I know) stuff all into the chroot environment. Is there a service/daemon that needs to be running for it to authenticate correctly?
I'm running Gentoo 1.4rc3... everything works like a champ outside of chroot... I just want some more security.. 
|
|
|
|
04-18-2003, 11:16 PM
|
#2
|
|
Guru
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Debian Squeeze, Fedora 14
Posts: 7,268
Rep:
|
My guess.
You might try going into the chroot and using the adduser command.
|
|
|
|
04-19-2003, 04:28 AM
|
#3
|
|
Senior Member
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467
Rep:
|
First of all, do you require Perl, PHP or anything? If so, chrooting Apache is a mess ... I've chrooted Apache 2 without Perl, PHP support a while back.
Take a look at this thread. You will see what I did in order to chroot Apache 2.0.43
I think it would be nice if you could specify a mailserver (= smtp stuff) in the php.ini - currently that's not possible and you'd have to use some kind of nullmailer to get the mail function to work properly. If you require Perl support you will need a LOT inside the chroot and you should compare the benefits of your chroot to the deficits.
And no, you DO NOT NEED PAM in the chroot ...
|
|
|
|
04-19-2003, 04:30 AM
|
#4
|
|
Senior Member
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467
Rep:
|
Re: My guess.
Quote:
Originally posted by jailbait
You might try going into the chroot and using the adduser command.
|
I'm sorry but this is simply bull. If there would be the adduser in the chroot tree then it's useless to do a chroot since the added layer of security will be decreased a lot if you can add users yourself ...
|
|
|
|
04-19-2003, 09:53 AM
|
#5
|
|
Guru
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Debian Squeeze, Fedora 14
Posts: 7,268
Rep:
|
markus1982
True. But he was already copying /etc/passwd, /etc/shadow, /etc/shadow-, /etc/group, /etc/group- all into the chroot.
|
|
|
|
04-21-2003, 03:05 PM
|
#6
|
|
Member
Registered: Dec 2002
Location: USA
Distribution: SuSE, CentOS, Gentoo
Posts: 166
Original Poster
Rep:
|
I do not intend to keep it that way.. that was just for testing
anyway, I followed your walkthrough as far as I could markus, but I still get the same problem... I have a couple questions, though..
should the library symlinks remain setup the same way in the chroot? I didn't do that, I just copied the actual file as it was listed from 'strace'. There are parts of your walkthrough I also don't understand: the ln -s ../ server/http: what directory were you in when you did that? Is there an easier way to get all the required files over to the chroot instead of copying all of them one-by-one? who/what should have permissions to the chroot directories and files? what chmod do you suggest?
Last edited by ixion; 04-21-2003 at 03:29 PM.
|
|
|
|
04-28-2003, 09:33 AM
|
#7
|
|
LQ Newbie
Registered: Oct 2002
Posts: 27
Rep:
|
I am also trying to setup apache (2.0.40) on RH 9 using SSL/PHP/MySQL/PERL in a chroot environment. I am new to Linux and it does not seem easy to setup.
I have the chroot setup and am now trying to get apache to run.
I get this error when I checked apache's error_log:
[notice] Digest: generating secret for digest authentication
[crit] (2) No such file or directory: Digest: error generating secret: No such file or directory
Configuration Failed!
I am guessing the cause of the problem lies with permissions either with a file or a directory, but I am not sure where?
When I try to run apache out of the chroot it runs fine. I could always comment out the line:
# LoadModule auth_digest_module modules/mod_auth_digest.so
In the httpd.conf file to get around the problem, but I am wondering why it works out of chroot and not in it?
Can someone also talk about the benefits vs the hassle of trying to run and maintain a "chroot" apache, ssl, php, mysql, etc. environment? I am wondering if this course of action is worth it.
|
|
|
|
04-28-2003, 09:53 AM
|
#8
|
|
Member
Registered: Dec 2002
Location: USA
Distribution: SuSE, CentOS, Gentoo
Posts: 166
Original Poster
Rep:
|
I found this walkthrough which was of great help. I have gotten Apache to run chrooted with SSL support, but am having trouble with PHP. Now, following this walkthrough word-for-word will really mess up your Authentication and such, so I would recommend doing it on a box you don't mind formatting afterwards.. anyway, once you have it up, you should feel comfortable enough to get Apache2 with SSL and PHP setup in chroot. Hope this helps!
http://penguin.epfl.ch/chroot.html
Last edited by ixion; 04-28-2003 at 09:54 AM.
|
|
|
|
04-28-2003, 03:43 PM
|
#9
|
|
Senior Member
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467
Rep:
|
It wasn't meant as a GUIDE just as a quick help. I know that setting Apache in chroot is not easy, especially with PHP and Perl. It IS hard to chroot Apache and still keep PHP and Perl working. There are times when the benefit of chrooting is not really there ... I think this is such an example. PHP is not yet ready to be run completely chrooted and you will have to prepare for unusual problems you're going to be faced with if you have advanced php coders at your box ...
|
|
|
|
04-28-2003, 03:46 PM
|
#10
|
|
Senior Member
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467
Rep:
|
Quote:
|
should the library symlinks remain setup the same way in the chroot? I didn't do that, I just copied the actual file as it was listed from 'strace'. There are parts of your walkthrough I also don't understand: the ln -s ../ server/http: what directory were you in when you did that? Is there an easier way to get all the required files over to the chroot instead of copying all of them one-by-one? who/what should have permissions to the chroot directories and files? what chmod do you suggest?
|
I use a perl script (that is based on ldd) for that task ... but I don't have it handy right now!
|
|
|
|
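An added example, not markus1982's Perl script and not code from any poster in this thread: one way to copy a binary and the libraries `ldd` reports for it into a chroot in a single step instead of file by file. The jail directory and binary path are assumptions passed in by the caller, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: populate a chroot from ldd output.
# Usage (assumed paths): sh populate.sh /chroot/apache /usr/sbin/apache2
# Run ldd only on binaries you trust; it can execute code from the target.

# Read ldd output on stdin and print the absolute library paths.
# Matches "libc.so.6 => /lib/libc.so.6 (0x...)" and "/lib/ld-linux.so.2 (0x...)";
# skips entries with no file on disk (linux-vdso, "not found").
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | LC_ALL=C sort -u
}

# Copy one file into the jail under the same absolute path.
# cp -L dereferences symlinks, so the jail holds a real file under the name
# the loader asks for rather than a link that may dangle inside the chroot.
copy_into_jail() {
    jail=$1 src=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")" || return 1
    cp -L "$src" "$dest" || return 1
    # Run as root, the copies are root-owned; drop group/other write so the
    # unprivileged server user cannot replace them.
    chmod go-w "$dest"
}

# Copy the binary and every library ldd lists for it.
# ldd shows link-time dependencies only: anything loaded at run time with
# dlopen (Apache modules, glibc NSS modules) still has to be added by hand.
populate_jail() {
    jail=$1 bin=$2
    copy_into_jail "$jail" "$bin" || return 1
    ldd "$bin" | ldd_paths | while read -r lib; do
        copy_into_jail "$jail" "$lib" || exit 1
    done
}

if [ "$#" -eq 2 ]; then
    populate_jail "$1" "$2"
fi
```
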
04-28-2003, 04:06 PM
|
#11
|
|
Member
Registered: Dec 2002
Location: USA
Distribution: SuSE, CentOS, Gentoo
Posts: 166
Original Poster
Rep:
|
that's cool!
My current problem does not concern libraries (I think).. I've installed php, copied what I needed into the chroot environment and added the following to Apache2's httpd.conf file:
LoadModule php4_module libexec/libphp4.so
AddType application/x-httpd-php .php
But apache reports this upon starting:
* Starting apache2...
Syntax error on line 845 of /apache/conf/httpd.conf:
Cannot load /apache/libexec/libphp4.so into server: /apache/libexec/libphp4.so: cannot open shared object file: No such file or directory [ !! ]
I don't have this file anywhere, which made me think that apache has to compile the module in during 'configure'. Well, I tried the --enable-modules=php4 and --with-module=libphp4 (after copying the libphp4.a and libphp4.la files into the modules/ dir), but it reports no target for libphp4 during Make. Have I missed something somehow?
|
|
|
|
04-28-2003, 04:33 PM
|
#12
|
|
Senior Member
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467
Rep:
|
All directories are relative to the server root path (ServerRoot). BTW, try the mail function and you'll see that this is just the 1st problem you have to face with ... next one might be connect to local MySQL database (you have to place socket in chroot too which makes it impossible to chroot MySQL, ...).
Luckily MySQL is running at a different host in my case :-)
Perl is a real mess ... since it could require a lot of system stuff and you never know it until you get a complaint from a customer/coder.
|
|
|
|
04-29-2003, 06:28 AM
|
#13
|
|
Member
Registered: Dec 2002
Location: USA
Distribution: SuSE, CentOS, Gentoo
Posts: 166
Original Poster
Rep:
|
In other words it's impossible to run php in a chroot with apache?? I actually haven't found any accounts where it worked.
Oh well.. what I DO want to accomplish is a web-mail server out of this box in a chrooted environment. Squirrelmail requires php (as far as I know), so I guess that is out the window. Any suggestions?? 
|
|
|
|
04-30-2003, 09:33 AM
|
#14
|
|
Senior Member
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467
Rep:
|
Quote:
Originally posted by ixion
In other words it's impossible to run php in a chroot with apache?? I actually haven't found any accounts where it worked.
Oh well.. what I DO want to accomplish is a web-mail server out of this box in a chrooted environment. Squirrelmail requires php (as far as I know), so I guess that is out the window. Any suggestions??
|
No you can still chroot apache and php support. But you should extensively test all the required functionality. Like you need to find a way around the mail problem (you could install a SMTP forwarder, e. g.). It's just a whole bunch of work which will pay off though :-)
|
|
|
|
04-30-2003, 01:42 PM
|
#15
|
|
Member
Registered: Dec 2002
Location: USA
Distribution: SuSE, CentOS, Gentoo
Posts: 166
Original Poster
Rep:
|
cool.. good to know that it is possible..
Alright, it looks like 90% of my problem was using Apache 2.0.45.. I've reverted back to 1.3, and started a clean chroot setup. Got PHP working from within the chroot, yay! But, I am having a little trouble with SSL. It (apache) compiles the module in just fine, apachectl startssl starts ok (no errors), but I cannot connect with https to my server (locally or remotely). Connecting with the normal http port works just fine.
|
|
|
|
All times are GMT -5.