LinuxQuestions.org


dcdbutler 03-31-2006 09:09 PM

chroot jail for apache
 
I've googled around a fair bit on this one but haven't got too far.

I have apache 1.3.34 running on slackware acting as webserver.

I've installed mod_security and every time I start my server I get a 403 forbidden error:

Quote:

You don't have permission to access / on this server.

I followed the instructions here for applying the mod_security module to chrooting with the SecChrootDir function built into the module.

I'm assuming this error means that the permissions on my documentroot are incorrectly set. They're currently set at 755 and they are inside the root jail. The directory for the root jail is /chroot/apache, so the document root is at /chroot/apache/usr/include/apache/htdocs

Here's the relevant sections of httpd.conf:

Code:

LoadModule security_module    libexec/apache/mod_security.so
LoadModule config_log_module  libexec/apache/mod_log_config.so
LoadModule mime_module        libexec/apache/mod_mime.so
LoadModule status_module      libexec/apache/mod_status.so
LoadModule dir_module        libexec/apache/mod_dir.so
LoadModule access_module      libexec/apache/mod_access.so
LoadModule auth_module        libexec/apache/mod_auth.so

User apache
Group apache

DocumentRoot "/usr/include/apache/htdocs"

<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>

<Directory "/usr/include/apache/htdocs">
    Order allow,deny 
    Allow from all
    Options None
    AllowOverride None
</Directory>

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

UseCanonicalName Off

DefaultType text/plain

HostnameLookups Off

ErrorLog /var/log/apache/error_log

ServerSignature off

ServerTokens Prod

<IfModule mod_security.c>
    # Chroot directive
    SecChrootDir /chroot/apache
</IfModule>

The apache error log shows the chroot directive being applied successfully and it explains the forbidden error with:

Code:

[Fri Mar 31 21:52:01 2006] [error] [client 70.19.178.141] (13)Permission denied: access to / failed because search permissions are missing on a component of the path

Can anyone help me on this one? I'm a bit new to both chrooting and apache.

Cheers

unSpawn 04-02-2006 08:40 AM

Check along your path where a dir misses the executable bit for the user Apache runs as to be able to traverse these dirs:
ls -ld /chroot/apache/usr
ls -ld /chroot/apache/usr/include
ls -ld /chroot/apache/usr/include/apache
ls -ld /chroot/apache/usr/include/apache/htdocs
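
The per-directory check suggested above, as an added example that is not part of the original thread: it walks from the jail root (the SecChrootDir value) down to the DocumentRoot and lists every directory without the search (x) bit. The function names are hypothetical, GNU `stat` is assumed, and only the "other" permission bits are tested, on the assumption that the Apache user neither owns these directories nor belongs to their group.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat (Linux).
# Assumption: the Apache user is neither owner nor group member of the
# directories, so only the "other" permission digit matters.

# check_dir DIR: print a line and return 1 if DIR is missing or
# lacks the search (x) bit for "other".
check_dir() {
    [ -d "$1" ] || { echo "MISSING $1"; return 1; }
    mode=$(stat -c '%a' "$1")          # octal mode, e.g. 755
    other=${mode#"${mode%?}"}          # last octal digit = "other" bits
    if [ $((other % 2)) -eq 0 ]; then  # even digit: x bit is clear
        echo "NOSEARCH $mode $1"
        return 1
    fi
    return 0
}

# missing_search_bit JAIL DOCROOT
#   JAIL    - chroot directory on the real filesystem
#   DOCROOT - DocumentRoot as Apache sees it inside the jail
# Returns 0 if every directory is searchable, 1 otherwise.
missing_search_bit() {
    cur=${1%/}
    bad=0
    # The jail directory itself becomes "/" after chroot, so check it too.
    check_dir "${cur:-/}" || bad=1
    old_ifs=$IFS
    IFS=/
    set -f                  # no globbing while splitting the path
    set -- $2               # split DOCROOT on "/"
    set +f
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue   # skip empty fields from "/" or "//"
        cur=$cur/$comp
        check_dir "$cur" || bad=1
    done
    return $bad
}

# Run as a script: sh check.sh /chroot/apache /usr/include/apache/htdocs
if [ "$#" -eq 2 ]; then
    missing_search_bit "$1" "$2"
fi
```
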

dcdbutler 04-02-2006 12:54 PM

Hey, thanks for the reply, one of the paths wasn't set for executable for users, so I changed it. They're all set for permission 755 now, is that ok or is there a better way?

Unfortunately I haven't been able to test it out yet on the webserver. I'm so pissed. At first the server (read PIII PC) wouldn't boot even into BIOS, so I figured maybe PSU, mobo or cpu problem, so I just took it apart and cleaned, checked the fans etc, put it back together. Now it boots cleanly into slackware (huh?) but the ethernet card seems to be not working. Nothing in lspci or dmesg to suggest I even have a card, but the lights are on at the pci slot when I hook up the rj45. Something very fishy going on. Any ideas would be appreciated. I'd rather not go out and buy a new card just yet as I'd have to recompile the kernel etc.

I'm going to boot onto some live cds and maybe do some benchmarking.

Cheers

dcdbutler 04-02-2006 02:04 PM

OK.

It seems to be working now, so I think that changing the permissions on that directory helped. Thanks.

Maybe my pci slot was bad for the network card because I moved it to a different one and it's ok now. Hopefully that was the reason that my computer was having a meltdown earlier and nothing more serious. Only time will tell.

Thanks


All times are GMT -5.