LinuxQuestions.org
Old 04-18-2003, 04:12 PM   #1
ixion
Member
 
Registered: Dec 2002
Location: USA
Distribution: SuSE, CentOS, Gentoo
Posts: 166

Rep: Reputation: 30
chrooted apache problem


I believe I'm pretty close to getting my apache2 setup in chroot. The only problem I'm having is when I try to start the service I get this error message:
apache2: bad user name apache


that 'apache' after 'user name' changes with whatever the 'User' variable in the apache.conf file is set to. Just for testing, I've copied my /etc/passwd, /etc/shadow, /etc/shadow-, /etc/group, /etc/group- all into the chroot, but it still comes up with this error. I've read somewhere that it may need PAM in the chroot, but I've copied my PAM (as far as I know) stuff all into the chroot environment. Is there a service/daemon that needs to be running for it to authenticate correctly?

I'm running Gentoo 1.4rc3... everything works like a champ outside of chroot... I just want some more security..
 
Old 04-18-2003, 11:16 PM   #2
jailbait
Guru
 
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Debian Wheezy, Debian Jessie
Posts: 7,469

Rep: Reputation: 154
My guess.

You might try going into the chroot and using the adduser command.
 
Old 04-19-2003, 04:28 AM   #3
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 45
First of all, do you require Perl, PHP or anything? If so chrooting Apache is a mess ... I've chrooted Apache 2 without Perl, PHP support a while back.

Take a look at this thread. You will see what I did in order to chroot Apache 2.0.43


I think it would be nice if you could specify a mailserver (= smtp stuff) in the php.ini - currently that's not possible and you'd have to use some kind of nullmailer to get the mail function to work properly. If you require Perl support you will need a LOT inside the chroot and you should compare the benefits of your chroot to the deficits.


And no, you DO NOT NEED PAM in the chroot ...
 
Old 04-19-2003, 04:30 AM   #4
markus1982
Re: My guess.

Quote:
Originally posted by jailbait
You might try going into the chroot and using the adduser command.
I'm sorry but this is simply bull. If there would be the adduser in the chroot tree then it's useless to do a chroot since the added layer of security will be decreased a lot if you can add users yourself ...
 
Old 04-19-2003, 09:53 AM   #5
jailbait
Guru
 
Registered: Feb 2003
Location: Blue Ridge Mountain
Distribution: Debian Wheezy, Debian Jessie
Posts: 7,469

Rep: Reputation: 154Reputation: 154
markus1982

True. But he was already copying /etc/passwd, /etc/shadow, /etc/shadow-, /etc/group, /etc/group- all into the chroot.
 
Old 04-21-2003, 03:05 PM   #6
ixion
I do not intend to keep it that way.. that was just for testing

anyway, I followed your walkthrough as far as I could markus, but I still get the same problem... I have a couple questions, though..

should the library symlinks remain setup the same way in the chroot? I didn't do that, I just copied the actual file as it was listed from 'strace'. There are parts of your walkthrough I also don't understand: the ln -s ../ server/http: what directory were you in when you did that? Is there an easier way to get all the required files over to the chroot instead of copying all of them one-by-one? who/what should have permissions to the chroot directories and files? what chmod do you suggest?

Last edited by ixion; 04-21-2003 at 03:29 PM.
 
Old 04-28-2003, 09:33 AM   #7
Ani
LQ Newbie
 
Registered: Oct 2002
Posts: 27

Rep: Reputation: 0
I am also trying to setup apache (2.0.40) on RH 9 using SSL/PHP/MySQL/PERL in a chroot environment. I am new to Linux and it does not seem easy to setup.

I have the chroot setup and am now trying to get apache to run.
I get this error when I checked apache's error_log:

[notice] Digest: generating secret for digest authentication
[crit] (2) No such file or directory: Digest: error generating secret: No such file or directory
Configuration Failed!

I am guessing the cause of the problem lies with permissions either with a file or a directory, but I am not sure where?
When I try to run apache out of the chroot it runs fine. I could always comment out the line:

# LoadModule auth_digest_module modules/mod_auth_digest.so

In the httpd.conf file to get around the problem, but I am wondering why it works out of chroot and not in it?

Can someone also talk about the benefits vs the hassle of trying to run and maintain a "chroot" apache, ssl, php, mysql, etc. environment? I am wondering if this course of action is worth it.
 
Old 04-28-2003, 09:53 AM   #8
ixion
I found this walkthrough which was of great help. I have gotten Apache to run chrooted with SSL support, but am having trouble with PHP. Now, following this walkthrough word-for-word will really mess up your Authentication and such, so I would recommend doing it on a box you don't mind formatting afterwards.. anyway, once you have it up, you should feel comfortable enough to get Apache2 with SSL and PHP setup in chroot. Hope this helps!

http://penguin.epfl.ch/chroot.html

Last edited by ixion; 04-28-2003 at 09:54 AM.
 
Old 04-28-2003, 03:43 PM   #9
markus1982
It wasn't meant as a GUIDE just as a quick help. I know that setting Apache in chroot is not easy, especially with PHP and Perl. It IS hard to chroot Apache and still keep PHP and Perl working. There are times when the benefit of chrooting is not really there ... I think this is such an example. PHP is not yet ready to be run completely chrooted and you will have to prepare for unusual problems you're going to be faced with if you have advanced php coders at your box ...
 
Old 04-28-2003, 03:46 PM   #10
markus1982
Quote:
should the library symlinks remain setup the same way in the chroot? I didn't do that, I just copied the actual file as it was listed from 'strace'. There are parts of your walkthrough I also don't understand: the ln -s ../ server/http: what directory were you in when you did that? Is there an easier way to get all the required files over to the chroot instead of copying all of them one-by-one? who/what should have permissions to the chroot directories and files? what chmod do you suggest?
I use a perl script (that is based on ldd) for that task ... but I don't have it handy right now!
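
The ldd-based approach mentioned in the post above, sketched in shell as an added example (it is not markus1982's Perl script and not code from this thread); the function names are made up for illustration. ldd reports only link-time dependencies, so libraries loaded at run time with dlopen, such as the glibc NSS modules used for user-name lookups, still have to be copied separately.

```shell
#!/bin/sh
# Added example: populate a chroot jail with a binary and the shared
# libraries ldd reports for it. Function names are illustrative.

# list_deps BINARY -> absolute paths of the shared objects ldd resolves.
list_deps() {
    ldd "$1" 2>/dev/null | awk '
        # "libssl.so.0 => /usr/lib/libssl.so.0 (0x...)"
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        # "/lib/ld-linux.so.2 (0x...)"  (the dynamic loader itself)
        $1 ~ /^\//               { print $1 }
    ' | sort -u
}

# copy_into_jail JAIL FILE -> copy FILE to the same path below JAIL.
# cp -L follows symlinks, so the jail gets a regular file under the exact
# name the loader asks for; the symlink chain need not be recreated.
copy_into_jail() {
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2" && chmod go-w "$1$2"
}

# populate_jail JAIL BINARY -> copy BINARY and every library from list_deps.
populate_jail() {
    copy_into_jail "$1" "$2" || return 1
    for lib in $(list_deps "$2"); do
        copy_into_jail "$1" "$lib" || return 1
    done
}

# missing_in_jail JAIL BINARY -> print dependencies not yet present in JAIL.
missing_in_jail() {
    for lib in $(list_deps "$2"); do
        [ -e "$1$lib" ] || echo "$lib"
    done
}
```

Run ldd only against binaries you trust, since on some systems it works by invoking the program's loader.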
 
Old 04-28-2003, 04:06 PM   #11
ixion
that's cool!

My current problem does not concern libraries (I think).. I've installed php, copied what I needed into the chroot environment and added the following to Apache2's httpd.conf file:
LoadModule php4_module libexec/libphp4.so
AddType application/x-httpd-php .php


But apache reports this upon starting:
* Starting apache2...
Syntax error on line 845 of /apache/conf/httpd.conf:
Cannot load /apache/libexec/libphp4.so into server: /apache/libexec/libphp4.so: cannot open shared object file: No such file or directory [ !! ]


I don't have this file anywhere, which made me think that apache has to compile the module in during 'configure'. Well, I tried the --enable-modules=php4 and --with-module=libphp4 (after copying the libphp4.a and libphp4.la files into the modules/ dir), but it reports no target for libphp4 during Make. Have I missed something somehow?
 
Old 04-28-2003, 04:33 PM   #12
markus1982
All directories are relative to the server root path (ServerRoot). BTW, try the mail function and you'll see that this is just the 1st problem you have to face ... next one might be connect to local MySQL database (you have to place socket in chroot too which makes it impossible to chroot MySQL, ...).

Luckily MySQL is running at a different host in my case :-)


Perl is a real mess ... since it could require a lot of system stuff and you never know it until you get a complaint from a customer/coder.
 
Old 04-29-2003, 06:28 AM   #13
ixion
In other words it's impossible to run php in a chroot with apache?? I actually haven't found any accounts where it worked.

Oh well.. what I DO want to accomplish is a web-mail server out of this box in a chrooted environment. Squirrelmail requires php (as far as I know), so I guess that is out the window. Any suggestions??
 
Old 04-30-2003, 09:33 AM   #14
markus1982
Quote:
Originally posted by ixion
In other words it's impossible to run php in a chroot with apache?? I actually haven't found any accounts where it worked.

Oh well.. what I DO want to accomplish is a web-mail server out of this box in a chrooted environment. Squirrelmail requires php (as far as I know), so I guess that is out the window. Any suggestions??
No you can still chroot apache and php support. But you should extensively test all the required functionality. Like you need to find a way around the mail problem (you could install a SMTP forwarder, e.g.). It's just a whole bunch of work which will pay off though :-)
 
Old 04-30-2003, 01:42 PM   #15
ixion
cool.. good to know that it is possible..

Alright, it looks like 90% of my problem was using Apache 2.0.45.. I've reverted back to 1.3, and started a clean chroot setup. Got PHP working from within the chroot, yay! But, I am having a little trouble with SSL. It (apache) compiles the module in just fine, apachectl startssl starts ok (no errors), but I cannot connect with https to my server (locally or remotely). Connecting with the normal http port works just fine.
 
  


All times are GMT -5.