LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 03-31-2006, 09:09 PM   #1
dcdbutler
Member
 
Registered: Jan 2005
Location: Boston
Distribution: slackware
Posts: 502

Rep: Reputation: 30
chroot jail for apache


I've googled around a fair bit on this one but haven't got too far.

I have apache 1.3.34 running on slackware acting as webserver.

I've installed mod_security and every time I start my server I get a 403 forbidden error:

Quote:
You don't have permission to access / on this server.
I followed the instructions here for applying the mod_security module to chrooting with the SecChrootDir function built into the module.

I'm assuming this error means that the permissions on my documentroot are incorrectly set. They're currently set at 755 and they are inside the root jail. The directory for the root jail is /chroot/apache, so the document root is at /chroot/apache/usr/include/apache/htdocs

Here are the relevant sections of httpd.conf:

Code:
LoadModule security_module    libexec/apache/mod_security.so
LoadModule config_log_module  libexec/apache/mod_log_config.so
LoadModule mime_module        libexec/apache/mod_mime.so
LoadModule status_module      libexec/apache/mod_status.so
LoadModule dir_module         libexec/apache/mod_dir.so
LoadModule access_module      libexec/apache/mod_access.so
LoadModule auth_module        libexec/apache/mod_auth.so

User apache
Group apache

DocumentRoot "/usr/include/apache/htdocs"

<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>

<Directory "/usr/include/apache/htdocs"> 
    Order allow,deny  
    Allow from all
    Options None
    AllowOverride None
</Directory>

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

UseCanonicalName Off

DefaultType text/plain

HostnameLookups Off

ErrorLog /var/log/apache/error_log

ServerSignature off

ServerTokens Prod

<IfModule mod_security.c>
    # Chroot directive
    SecChrootDir /chroot/apache
</IfModule>
The apache error log shows the chroot directive being applied successfully and it explains the forbidden error with:

Code:
[Fri Mar 31 21:52:01 2006] [error] [client 70.19.178.141] (13)Permission denied: access to / failed because search permissions are missing on a component of the path
Can anyone help me on this one? I'm a bit new to both chrooting and apache.

Cheers

Last edited by dcdbutler; 04-02-2006 at 09:30 AM.
 
Old 04-02-2006, 08:40 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Check along your path where a dir misses the executable bit for the user Apache runs as to be able to traverse these dirs:
ls -ld /chroot/apache/usr
ls -ld /chroot/apache/usr/include
ls -ld /chroot/apache/usr/include/apache
ls -ld /chroot/apache/usr/include/apache/htdocs
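
The per-directory check suggested in the reply above, automated as an added example (not part of the original posts): it walks from the jail root down to the DocumentRoot and prints the first directory whose mode bits deny search (execute) permission to a given uid/gid. The function names, the throwaway sample tree and uid/gid 65534 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find the first directory, from the jail root down to the
# DocumentRoot, that a given uid/gid cannot search. Needs GNU stat (Linux).
# Simplifications: primary gid only; ACLs and root's bypass are ignored.

# can_search DIR UID GID: succeeds if the mode bits grant the execute
# (search) bit to that uid/gid, using owner, then group, then other.
can_search() {
    info=$(stat -c '%a %u %g' "$1") || return 2
    mode=${info%% *}; rest=${info#* }
    owner=${rest% *}; group=${rest#* }
    if [ "$2" -eq "$owner" ]; then bit=64      # 0100, owner x
    elif [ "$3" -eq "$group" ]; then bit=8     # 0010, group x
    else bit=1; fi                             # 0001, other x
    [ $(( 0$mode & $bit )) -ne 0 ]
}

# first_blocked JAIL PATH UID GID: prints the first unsearchable directory
# and returns 1; prints nothing and returns 0 when the whole path is fine.
first_blocked() {
    cur=${1%/}; path=$2; uid=$3; gid=$4
    # After chroot the jail directory is "/", so it must be searchable too.
    can_search "${cur:-/}" "$uid" "$gid" || { echo "${cur:-/}"; return 1; }
    old_ifs=$IFS; IFS=/
    set -f; set -- $path; set +f      # split PATH on "/" without globbing
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur=$cur/$part
        can_search "$cur" "$uid" "$gid" || { echo "$cur"; return 1; }
    done
    return 0
}

# Constructed sample: a throwaway jail laid out like the one in this thread,
# with one directory left at 750 to reproduce the problem.
make_sample_jail() {
    j=$(mktemp -d)/apache
    mkdir -p "$j/usr/include/apache/htdocs"
    chmod 755 "$j" "$j/usr" "$j/usr/include/apache" "$j/usr/include/apache/htdocs"
    chmod 750 "$j/usr/include"
    echo "$j"
}

jail=$(make_sample_jail)
# uid/gid 65534 stands in for the "apache" user (assumed not to own the tree).
first_blocked "$jail" /usr/include/apache/htdocs 65534 65534 || true
rm -rf "${jail%/apache}"
```

On a real system, pass the jail directory from SecChrootDir, the DocumentRoot as seen inside the jail, and the numeric uid and gid of the account named by the User and Group directives.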
 
Old 04-02-2006, 12:54 PM   #3
dcdbutler
Member
 
Registered: Jan 2005
Location: Boston
Distribution: slackware
Posts: 502

Original Poster
Rep: Reputation: 30
Hey, thanks for the reply, one of the paths wasn't set for executable for users, so I changed it. They're all set for permission 755 now, is that ok or is there a better way?

Unfortunately I haven't been able to test it out yet on the webserver. I'm so pissed. At first the server (read PIII PC) wouldn't boot even into BIOS, so I figured maybe PSU, mobo or cpu problem, so I just took it apart and cleaned, checked the fans etc, put it back together. Now it boots cleanly into slackware (huh?) but the ethernet card seems to be not working. Nothing in lspci or dmesg to suggest I even have a card, but the lights are on at the pci slot when I hook up the rj45. Something very fishy going on. Any ideas would be appreciated. I'd rather not go out and buy a new card just yet as I'd have to recompile the kernel etc.


I'm going to boot onto some live cds and maybe do some benchmarking.

Cheers
 
Old 04-02-2006, 02:04 PM   #4
dcdbutler
Member
 
Registered: Jan 2005
Location: Boston
Distribution: slackware
Posts: 502

Original Poster
Rep: Reputation: 30
OK.

It seems to be working now, so I think that changing the permissions on that directory helped. Thanks.

Maybe my pci slot was bad for the network card because I moved it to a different one and it's ok now. Hopefully that was the reason that my computer was having a meltdown earlier and nothing more serious. Only time will tell.

Thanks
 
  

