Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I believe I'm pretty close to getting my apache2 setup in chroot. The only problem I'm having is when I try to start the service I get this error message: apache2: bad user name apache
That 'apache' after 'user name' changes with whatever the 'User' variable in the apache.conf file is set to. Just for testing, I've copied my /etc/passwd, /etc/shadow, /etc/shadow-, /etc/group, /etc/group- all into the chroot, but it still comes up with this error. I've read somewhere that it may need PAM in the chroot, but I've copied my PAM stuff (as far as I know) all into the chroot environment. Is there a service/daemon that needs to be running for it to authenticate correctly?
I'm running Gentoo 1.4rc3... everything works like a champ outside of chroot... I just want some more security..
First of all, do you require Perl, PHP or anything? If so, chrooting Apache is a mess ... I've chrooted Apache 2 without Perl or PHP support a while back.
Take a look at this thread. You will see what I did in order to chroot Apache 2.0.43
I think it would be nice if you could specify a mailserver (= smtp stuff) in the php.ini - currently that's not possible and you'd have to use some kind of nullmailer to get the mail function to work properly. If you require Perl support you will need a LOT inside the chroot and you should compare the benefits of your chroot to the deficits.
Originally posted by jailbait: You might try going into the chroot and using the adduser command.
I'm sorry but this is simply bull. If adduser were in the chroot tree, then it's useless to do a chroot, since the added layer of security is decreased a lot if you can add users yourself ...
I do not intend to keep it that way.. that was just for testing
anyway, I followed your walkthrough as far as I could markus, but I still get the same problem... I have a couple questions, though..
Should the library symlinks remain set up the same way in the chroot? I didn't do that, I just copied the actual file as it was listed from 'strace'. There are parts of your walkthrough I also don't understand: the ln -s ../ server/http: what directory were you in when you did that? Is there an easier way to get all the required files over to the chroot instead of copying all of them one by one? Who/what should have permissions to the chroot directories and files? What chmod do you suggest?
I am also trying to setup apache (2.0.40) on RH 9 using SSL/PHP/MySQL/PERL in a chroot environment. I am new to Linux and it does not seem easy to setup.
I have the chroot setup and am now trying to get apache to run.
I get this error when I checked apache's error_log:
[notice] Digest: generating secret for digest authentication
[crit] (2) No such file or directory: Digest: error generating secret: No such file or directory
Configuration Failed!
I am guessing the cause of the problem lies with permissions either with a file or a directory, but I am not sure where?
When I try to run apache out of the chroot it runs fine. I could always comment out the line:
In the httpd.conf file to get around the problem, but I am wondering why it works out of chroot and not in it?
Can someone also talk about the benefits vs. the hassle of trying to run and maintain a "chroot" apache, ssl, php, mysql, etc. environment? I am wondering if this course of action is worth it.
I found this walkthrough which was of great help. I have gotten Apache to run chrooted with SSL support, but am having trouble with PHP. Now, following this walkthrough word-for-word will really mess up your authentication and such, so I would recommend doing it on a box you don't mind formatting afterwards.. anyway, once you have it up, you should feel comfortable enough to get Apache2 with SSL and PHP set up in chroot. Hope this helps!
It wasn't meant as a GUIDE just as a quick help. I know that setting Apache in chroot is not easy, especially with PHP and Perl. It IS hard to chroot Apache and still keep PHP and Perl working. There are times when the benefit of chrooting is not really there ... I think this is such an example. PHP is not yet ready to be run completely chrooted and you will have to prepare for unusual problems you're going to be faced with if you have advanced php coders at your box ...
Should the library symlinks remain set up the same way in the chroot? I didn't do that, I just copied the actual file as it was listed from 'strace'. There are parts of your walkthrough I also don't understand: the ln -s ../ server/http: what directory were you in when you did that? Is there an easier way to get all the required files over to the chroot instead of copying all of them one by one? Who/what should have permissions to the chroot directories and files? What chmod do you suggest?
I use a perl script (that is based on ldd) for that task ... but I don't have it handy right now!
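For the library-copying task mentioned above and the symlink question in the quoted post, here is an added shell example (not the poster's perl script): it parses ldd output, copies each library into the chroot at the same absolute path, and recreates symlinks rather than flattening them into duplicate copies. The paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Copy a binary plus every shared library ldd reports into a chroot tree,
# preserving absolute paths. Symlinks (e.g. libc.so.6 -> libc-2.x.so) are
# recreated as symlinks and their targets copied, so the chroot mirrors the
# host layout and library upgrades stay easy to track.

# Parse ldd output on stdin into one absolute library path per line.
# Handles "libfoo.so => /lib/libfoo.so (0x...)" and the bare
# "/lib/ld-linux.so.2 (0x...)" form; skips linux-vdso and "not found".
ldd_paths() {
    awk '/=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Install one host path into the chroot at the same relative location.
# If the path is a symlink, recreate the link and recurse on its target.
install_into_chroot() {
    src=$1; jail=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")"
    if [ -L "$src" ]; then
        link=$(readlink "$src")
        case $link in
            /*) target=$link ;;                       # absolute link
            *)  target="$(dirname "$src")/$link" ;;   # relative link
        esac
        [ -e "$dest" ] || [ -L "$dest" ] || ln -s "$link" "$dest"
        install_into_chroot "$target" "$jail"
    else
        [ -e "$dest" ] || cp -p "$src" "$dest"        # -p keeps mode/owner
    fi
}

# Copy BINARY and all its ldd dependencies into the chroot directory.
copy_with_deps() {
    install_into_chroot "$1" "$2"
    for lib in $(ldd "$1" | ldd_paths); do
        install_into_chroot "$lib" "$2"
    done
}

# Usage (placeholder paths): copy_with_deps /usr/sbin/apache2 /chroot/apache
if [ $# -eq 2 ]; then
    copy_with_deps "$1" "$2"
fi
```

Run it once per binary and module (the httpd binary, libphp4.so, etc.); libraries loaded at run time via dlopen, such as NSS modules, are not reported by ldd and still need copying by hand.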
My current problem does not concern libraries (I think).. I've installed php, copied what I needed into the chroot environment and added the following to Apache2's httpd.conf file:
LoadModule php4_module libexec/libphp4.so
AddType application/x-httpd-php .php
But apache reports this upon starting:
* Starting apache2...
Syntax error on line 845 of /apache/conf/httpd.conf:
Cannot load /apache/libexec/libphp4.so into server: /apache/libexec/libphp4.so: cannot open shared object file: No such file or directory [ !! ]
I don't have this file anywhere, which made me think that apache has to compile the module in during 'configure'. Well, I tried the --enable-modules=php4 and --with-module=libphp4 (after copying the libphp4.a and libphp4.la files into the modules/ dir), but it reports no target for libphp4 during Make. Have I missed something somehow?
All directories are relative to the server root path (ServerRoot). BTW, try the mail function and you'll see that this is just the first problem you'll have to face ... the next one might be connecting to a local MySQL database (you have to place the socket in the chroot too, which makes it impossible to chroot MySQL, ...).
Luckily MySQL is running at a different host in my case :-)
Perl is a real mess ... since it could require a lot of system stuff and you never know it until you get a complaint from a customer/coder.
In other words it's impossible to run php in a chroot with apache?? I actually haven't found any accounts where it worked.
Oh well.. what I DO want to accomplish is a web-mail server out of this box in a chrooted environment. Squirrelmail requires php (as far as I know), so I guess that is out the window. Any suggestions??
Originally posted by ixion: In other words it's impossible to run php in a chroot with apache?? I actually haven't found any accounts where it worked.
Oh well.. what I DO want to accomplish is a web-mail server out of this box in a chrooted environment. Squirrelmail requires php (as far as I know), so I guess that is out the window. Any suggestions??
No, you can still chroot apache with php support. But you should extensively test all the required functionality. Like you need to find a way around the mail problem (you could install an SMTP forwarder, e.g.). It's just a whole bunch of work, which will pay off though :-)
Alright, it looks like 90% of my problem was using Apache 2.0.45.. I've reverted back to 1.3, and started a clean chroot setup. Got PHP working from within the chroot, yay! But, I am having a little trouble with SSL. It (apache) compiles the module in just fine, apachectl startssl starts ok (no errors), but I cannot connect with https to my server (locally or remotely). Connecting with the normal http port works just fine.