LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-19-2004, 05:00 PM   #1
gypsy_rabbi
chroot apache questions


I'm somewhat new to this, and I'm setting up apache to run in a chroot jail. It runs as user apache, and most files in the chroot directory were of course owned by root when I first created them. So I have three questions:
  • Does chowning the chroot directory's files to user nobody, as opposed to root, buy me any security (bearing in mind again that I run as user apache, not as nobody)?
  • If I forward ports 80 and 443 to some other ports (above 1024), and then start apache as user nobody instead of root (which would then fork as user apache), would that buy me any extra security?
  • If someone has a few minutes, could you please look at the following permissions lists (these are the files inside my chroot directory, pared down with wildcards to save any kind soul who might look at them for me) and tell me if I can cut down the permissions any further?
Thanks much!

GR

Code:
drwxr-xr-x   9 root     root          216 Apr 15  2002 .
d---------   2 nobody   nobody         96 Apr 15  2002 ./dev
srw-rw-rw-   1 nobody   nobody          0 Apr 15  2002 ./dev/log
crw-rw-rw-   1 nobody   nobody            Apr 15  2002 ./dev/null
d---------   4 nobody   nobody        296 Apr 15  2002 ./etc
----------   1 nobody   nobody         97 Apr 15  2002 ./etc/*
d---------   6 nobody   nobody        176 Apr 15  2002 ./etc/ssl
d---------   2 nobody   nobody         48 Apr 15  2002 ./etc/ssl/*
d---------   7 nobody   nobody        600 Apr 15  2002 ./etc/apache
----------   1 nobody   nobody      11111 Apr 15  2002 ./etc/apache/*
d---------   2 nobody   nobody        112 Apr 15  2002 ./etc/apache/ssl.*
----------   1 nobody   nobody        320 Apr 15  2002 ./etc/apache/ssl.*/*
d---------   2 nobody   nobody        704 Apr 15  2002 ./lib
---x------   1 nobody   nobody      94792 Apr 15  2002 ./lib/ld-2.3.2.so
----------   1 nobody   nobody      42097 Apr 15  2002 ./lib/lib*
(symlinks are of course rwxrwxrwx)
d--x--x--x   4 nobody   nobody         96 Apr 15  2002 ./var
d--x--x--x   3 nobody   nobody         72 Apr 15  2002 ./var/log
drwx------   2 apache   apache        176 Apr 15  2002 ./var/log/apache
----------   1 nobody   nobody          0 Apr 15  2002 ./var/log/apache/*log
d---------   2 nobody   nobody         48 Apr 15  2002 ./var/run
d---------   5 nobody   nobody        120 Apr 15  2002 ./usr
d---------   2 nobody   nobody        256 Apr 15  2002 ./usr/lib
----------   1 nobody   nobody     199280 Apr 15  2002 ./usr/lib/lib*
(symlinks are of course rwxrwxrwx)
d---------   2 nobody   nobody         72 Apr 15  2002 ./usr/sbin
---x------   1 nobody   nobody     312204 Apr 15  2002 ./usr/sbin/httpd
d---------   3 nobody   nobody         72 Apr 15  2002 ./usr/libexec
d---------   2 nobody   nobody       1208 Apr 15  2002 ./usr/libexec/apache
----------   1 nobody   nobody       7672 Apr 15  2002 ./usr/libexec/apache/*
drwx------   8 apache   apache        192 Apr 15  2002 ./vhost
drwxr-xr-x   4 user1    user1          96 Apr 15  2002 ./vhost/user1
-rw-r--r--   2 user1    user1        2707 Apr 15  2002 ./vhost/user1/*
drwxr-xr-x   4 user2    user2          96 Apr 15  2002 ./vhost/user2
-rw-r--r--   2 user2    user2        2707 Apr 15  2002 ./vhost/user2/*
(vhost is the directory for one virtual host)
 
Old 11-20-2004, 11:27 PM   #2
SciYro
I don't see why you'd want to cut them down, there's nothing in there... I don't think you can cut them down further anyway; I'm surprised it's not already cut down, actually.

anyways:

1) No. Owning files is only important for judging permissions; if you have them set up right, it doesn't make a bit of difference who owns the file.
2) No. Wouldn't it break the websites, or at least be confusing? Plus, at most it would only obscure things; running a secure Apache is what's important if it's for the public.
3) No.
 
Old 11-21-2004, 03:30 AM   #3
gypsy_rabbi
Not to argue, but:

1. It does matter a little bit: you wouldn't, for instance, want the httpd executable to be owned by the apache user. An intruder would be able to overwrite it and the next time you run the parent httpd (which runs as root unless you do what I'm talking about in (2)) you'll be running broken code as root. My question was whether root (the default owner of all these files including httpd) v. nobody makes a difference.

2. No, it doesn't break the websites (because the port forwarding goes through iptables's nat and is transparent to web clients: http://en.tldp.org/HOWTO/TransparentProxy-5.html). So the point isn't obscurity, it's being able to run the parent apache process as a non-root user (which you can't do if you're binding to ports below 1024).

Thanks for trying to help, though.
 
Old 11-21-2004, 05:12 PM   #4
Krugger
Are you providing symlinks out of the chroot jail? I heard that was the way to get out of chroot, but I have never seen it done, so...

Is it possible to take the setuid bit off the executables? Because then, even if for some reason you got buffer-overflowed, it wouldn't be possible to change back to root.

Or isn't it a concern, because it forks and loses the setuid bit in the child processes?
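As an added example (not code from any poster in this thread) tying together the ownership point in posts #1 and #3 and the setuid question in #4: a Python audit that walks a chroot tree and reports anything the apache service account owns or could write, plus any setuid/setgid binaries left inside the jail. The service uid/gid (1001) and the expected-writable paths are assumed placeholder values.

```python
import os
import stat
from dataclasses import dataclass
from typing import Iterable, Iterator, List
# Placeholder ids for the account httpd forks to; substitute the real apache uid/gid.
SERVICE_UID = 1001
SERVICE_GIDS = {1001}

@dataclass(frozen=True)
class Entry:
    path: str  # relative to the chroot root
    mode: int  # st_mode, file-type bits included
    uid: int
    gid: int

def walk_chroot(root: str) -> Iterator[Entry]:
    """lstat() everything under root; symlinks are recorded, never followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            yield Entry(os.path.relpath(full, root), st.st_mode, st.st_uid, st.st_gid)

def writable_by_service(e: Entry) -> bool:
    """Can the service account modify this entry? Ownership counts: the owner can chmod a 0000 file."""
    if e.uid == SERVICE_UID:
        return True
    if e.gid in SERVICE_GIDS and e.mode & stat.S_IWGRP:
        return True
    return bool(e.mode & stat.S_IWOTH)

def audit(entries: Iterable[Entry], expected_writable: Iterable[str] = ()) -> List[str]:
    """Flag setuid/setgid binaries and anything the service user could alter, skipping expected-writable paths."""
    expected, findings = tuple(expected_writable), []
    for e in entries:
        if stat.S_ISLNK(e.mode):
            continue  # link bits are always rwxrwxrwx; the target is audited on its own
        if stat.S_ISREG(e.mode) and e.mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(f"{e.path} (setuid/setgid bit set inside the jail)")
        if e.path.startswith(expected) or not writable_by_service(e):
            continue
        if stat.S_ISREG(e.mode) and e.mode & 0o111:
            why = "executable: replaced code runs with the parent's privileges on restart"
        elif stat.S_ISDIR(e.mode):
            why = "directory: entries can be renamed or replaced"
        else:
            why = "file: contents can be changed"
        findings.append(f"{e.path} ({why} by the service user)")
    return findings
```

Run it on a real tree with `audit(walk_chroot("/path/to/chroot"), ["var/log/apache", "var/run", "vhost"])`; the second argument lists paths, relative to the chroot root, that are meant to be writable by the service account.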
 
  

