LinuxQuestions.org
Old 11-15-2004, 03:40 AM   #1
dominant
Member
 
Registered: Jan 2004
Posts: 409

Rep: Reputation: 30
Failed to chroot apache 1.x


I am trying to chroot Apache 1.x reading that guide http://www.cgisecurity.com/webserver...he2-howto.html

I did what it says but I cannot run Apache in a chroot jail.

It gives me no error when I try to start it using the command below
Code:
/usr/bin/chroot /chroot/httpd/ /usr/sbin/httpd
Do you know what is wrong?
 
Old 11-15-2004, 03:45 AM   #2
SteveK1979
Member
 
Registered: Feb 2004
Location: UK
Distribution: RHEL, Ubuntu, Solaris 11, NetBSD, OpenBSD
Posts: 225

Rep: Reputation: 43
Hi,

Can you post the full error message too?? Or is it not very helpful?

Cheers,

Steve
 
Old 11-15-2004, 03:52 AM   #3
dominant
Member
 
Registered: Jan 2004
Posts: 409

Original Poster
Rep: Reputation: 30
Running the command

/usr/bin/chroot /chroot/httpd/ /usr/sbin/httpd

I receive no error.

Then I run netstat -an to see if port 80 is open and it's not.

The same with ps -ef (I can see no apache process).

What is wrong? I copied all the files to the right directories.
all the /etc /var/* ...
 
Old 11-16-2004, 08:13 PM   #4
SteveK1979
Member
 
Registered: Feb 2004
Location: UK
Distribution: RHEL, Ubuntu, Solaris 11, NetBSD, OpenBSD
Posts: 225

Rep: Reputation: 43
Hi,

Sorry, been busy!

So when you try and start apache, you receive no error message, but when you check the running processes using
Code:
ps -ef
then there's definitely no httpd process?

Strange. I'm assuming that you've set this up under a Linux distro? I've only ever done it on OpenBSD, where it actually comes preconfigured to run chroot'd.

What result do you get if you carry out a config test? Syntax OK?

Also, what do you see in /var/log/apache/error.log (or wherever it is on your system that apache logs to).

Cheers,

Steve

P.S. You have told apache to listen on port 80 in the httpd.conf file right?
 
Old 11-17-2004, 06:35 AM   #5
dominant
Member
 
Registered: Jan 2004
Posts: 409

Original Poster
Rep: Reputation: 30
I see no apache process when I start apache.
Yes, I have told apache to listen on port 80.
My distro is SuSE 9 Pro.

Do you know what is wrong?
 
Old 11-18-2004, 03:12 AM   #6
dominant
Member
 
Registered: Jan 2004
Posts: 409

Original Poster
Rep: Reputation: 30
Hello again.

Using
Code:
/usr/bin/chroot /chroot /usr/sbin/httpd -f /etc/httpd/httpd.conf
I receive the error
Code:
httpd: bad user name wwwrun
What does the above mean?
I tried several names but I receive the same error for all of them.

Last edited by dominant; 11-18-2004 at 03:13 AM.
 
Old 11-27-2004, 09:03 AM   #7
SteveK1979
Member
 
Registered: Feb 2004
Location: UK
Distribution: RHEL, Ubuntu, Solaris 11, NetBSD, OpenBSD
Posts: 225

Rep: Reputation: 43

Hi,

Still having the problem?

I would guess that this error means that you have a user to run apache as set in your httpd.conf file that does not actually exist on your system - i.e. the user wwwrun so it fails to start.

You would either need to create this user, or run as another user.

Cheers,

Steve
 
Old 11-27-2004, 10:29 AM   #8
dominant
Member
 
Registered: Jan 2004
Posts: 409

Original Poster
Rep: Reputation: 30
Well, I solved that problem (I had to copy the entire /etc into the /chroot/etc/)
 
Old 11-27-2004, 06:34 PM   #9
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
Quote:
Originally posted by dominant
Well, I solved that problem (I had to copy the entire /etc into the /chroot/etc/)

You'll want to trim that down a bit. Here are the files in my chroot etc folder:
Code:
-rw-r--r--  1 root root   14 Sep 20 15:06 group
-rw-r--r--  1 root root   27 Sep 20 15:06 host.conf
-rw-r--r--  1 root root  628 Sep 22 01:30 hosts
-rw-r--r--  1 root sys  1279 Sep 20 15:28 localtime
-rw-r--r--  1 root root 1083 Sep 20 14:55 nsswitch.conf
-rw-------  1 root root   53 Sep 20 14:58 passwd
-rw-r--r--  1 root root  119 Sep 20 14:55 resolv.conf
You'll also want to remove all users & groups from the group and passwd file except the user & group Apache runs as.

Also check out the guide at Security Focus.
http://www.securityfocus.com/infocus/1694
 
Old 11-28-2004, 04:41 AM   #10
dominant
Member
 
Registered: Jan 2004
Posts: 409

Original Poster
Rep: Reputation: 30
If I remove all these entries about other users:groups, should I then run any command to rebuild these files (passwd, etc.)?
 
Old 11-28-2004, 03:00 PM   #11
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
No need to, unless you're using some non-default authentication mechanism. Just remove all the lines except for the user and group Apache runs as.
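
Added example, not part of any post in this thread: a shell sketch of the two steps discussed above, writing jail copies of passwd and group that hold only the account Apache runs as, then checking that the User and Group directives in the jail's httpd.conf resolve against those files before starting httpd under chroot. The function names and the argument layout are assumptions made for this example; the file modes mirror the listing posted earlier.

```shell
#!/bin/sh
# Added example (not from the thread). All paths and names are arguments.

# conf_value CONF DIRECTIVE -> prints the last value set for e.g. "User"
conf_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# in_db FILE NAME -> exit 0 if NAME is field 1 of a passwd/group style file
in_db() {
    awk -F: -v n="$2" '$1 == n { f = 1 } END { exit !f }' "$1"
}

# trim_jail_accounts SRC_ETC JAIL_ETC USER GROUP
# Writes passwd and group containing only the account Apache runs as.
trim_jail_accounts() {
    mkdir -p "$2" || return 1
    awk -F: -v n="$3" '$1 == n' "$1/passwd" > "$2/passwd" || return 1
    awk -F: -v n="$4" '$1 == n' "$1/group"  > "$2/group"  || return 1
    chmod 600 "$2/passwd"   # modes mirror the listing posted in the thread
    chmod 644 "$2/group"
}

# check_jail_accounts JAIL CONF_PATH_INSIDE_JAIL
# Returns 0 if User and Group resolve inside the jail; otherwise prints
# the reason and returns 1.
check_jail_accounts() {
    conf="$1$2"
    [ -r "$conf" ] || { echo "missing config: $conf"; return 1; }
    user=$(conf_value "$conf" User)
    group=$(conf_value "$conf" Group)
    case $user in
        '#'*) ;;   # "#30" style numeric ID needs no name lookup
        *) in_db "$1/etc/passwd" "$user" ||
               { echo "bad user name $user"; return 1; } ;;
    esac
    case $group in
        '#'*) ;;
        *) in_db "$1/etc/group" "$group" ||
               { echo "bad group name $group"; return 1; } ;;
    esac
    echo "ok: $user/$group"
}
```

Run `check_jail_accounts /chroot /etc/httpd/httpd.conf` before the chroot command; a missing or over-trimmed passwd file inside the jail is reported by name rather than surfacing as a failed start.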
 
  

