LinuxQuestions.org
Old 09-13-2005, 12:53 PM   #1
JoeDuncan
Member
 
Registered: Aug 2003
Location: Ottawa
Distribution: Redhat 5.2, 6.0, 6.1, Mandrake 7.2, 8.0, 9.1, 9.2, 10.0, Gentoo, Debian 3.1r0
Posts: 224

Rep: Reputation: 30
Problem with chroot Apache


Ok, here's the problem. I have chrooted my Apache server following these guides (with some tweaking for my distro where needed):

http://www.securityfocus.com/infocus/1786
http://www.faqs.org/docs/securing/chap29sec254.html

I am running Apache 2.0 on Mandrake 9.2 (using the RPM provided by Mandrake). The machine is an older machine, so I'm not inclined to upgrade to a newer version of Mandrake...

Anyways, the chrooted Apache serves static HTML and PHP fine, but when I try to implement authentication, it fails, even though identical authentication setups work in the non-chrooted Apache.

I have tried both basic authentication with a password DB (mod_auth_dbm) and digest authentication (mod_auth_digest), and they both have problems.

For my mod_auth_dbm setup, I use this for my web server access controls:

<Directory /www>
#Only use the includes directive, but turn off exec
Options IncludesNOEXEC
#First deny all access, then selectively
#allow users in
Order deny,allow
#deny all
Deny from All
#allow LAN users access
#Allow from 192.168.0.0/255.255.255.0
#Allow users with usercode/password access
AllowOverride AuthConfig
AuthName "Private"
AuthType Basic
AuthDBMUserFile /etc/httpd/.dbmpasswd
Require valid-user
#users either need to be on the LAN
#OR supply a valid usercode/password
Satisfy Any
</Directory>

When I start Apache from the chroot, it runs, but then when I try to access a file, the browser correctly pops up a login window, but I can never login. The Apache error log shows this:

[Mon Sep 12 22:01:47 2005] [error] [client 192.168.0.3] (120002)APR does not understand this error code: could not open dbm (type default) auth file: /etc/httpd/.dbmpasswd
[Mon Sep 12 22:01:47 2005] [error] [client 192.168.0.3] DBM user friend not found: /www/test.asp

Now the dbm password files ".dbmpasswd.pag" and ".dbmpasswd.dir" have been created properly and include the user "friend". The *exact same* files work perfectly for authentication in the non-chrooted Apache. Also, in the chrooted Apache, just to narrow down the problem, I gave those files 777 permissions, just to rule that out, so it can't be a file permission problem. Something is missing in the chroot environment that is preventing Apache from opening the password database.

Now, when I try to use digest authentication instead, I use the following access control config:

<Directory /www>
#Only use the includes directive, but turn off exec
Options IncludesNOEXEC
#First deny all access, then selectively
#allow users in
Order deny,allow
#deny all
Deny from All
#allow LAN users access
#Allow from 192.168.0.0/255.255.255.0
#Allow users with usercode/password access
AllowOverride AuthConfig
AuthName "Private"
AuthType Digest
AuthDigestFile /etc/httpd/.digestpasswd
Require valid-user
#users either need to be on the LAN
#OR supply a valid usercode/password
Satisfy Any
</Directory>

In this case, when I try to start Apache in the chroot, it fails and I get the following in the Apache log:

[Tue Sep 13 12:47:25 2005] [notice] Digest: generating secret for digest authentication ...
[Tue Sep 13 12:47:25 2005] [crit] (2)No such file or directory: Digest: error generating secret: No such file or directory
Configuration Failed

Again, the exact same digest password file works perfectly with the exact same config in the non-chroot apache...

Now, in both cases it seems like I am missing something from the chroot environment that is required for the authentication module to function properly.

How can I find out what is missing from the chroot environment?

I have already done "ldd <binary name>" on the Apache binary and on the module libraries and copied over all needed dependencies to the chroot environment.

What is it that these modules are trying to do that is failing? Is there any other log I should be checking or any way to find out what these modules are looking for when they fail?

Thanks!
 
Old 09-14-2005, 11:10 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Is /etc/httpd within the chroot? (Relative to the chrooted directory?)

To what directory do you chroot with apache? And is /etc/httpd the REAL /etc/httpd, or is it /SOME/CHROOT/etc/httpd?
 
Old 09-15-2005, 02:40 PM   #3
JoeDuncan
Member
 
Registered: Aug 2003
Location: Ottawa
Distribution: Redhat 5.2, 6.0, 6.1, Mandrake 7.2, 8.0, 9.1, 9.2, 10.0, Gentoo, Debian 3.1r0
Posts: 224

Original Poster
Rep: Reputation: 30
Yes, /etc/httpd has been moved into the chrooted environment (/chroot/httpd/etc/httpd); I chroot to /chroot/httpd/ using the configs in the chrooted environment.

Thanks for your help though.

I did figure out what the problem was, I found at this link:

http://www.genco.gen.tc/gentoo_chroot_apache2.html

Some information on chrooting Apache on Gentoo that apparently also applies to Mandrake 9.2. The problem was that the previous guides I had tried mentioned creating chroot versions of /dev/null, but not /dev/zero, /dev/random and /dev/urandom.

I created them as in the above link like so:

mknod -m 644 $CHROOT/dev/random c 1 8
mknod -m 644 $CHROOT/dev/urandom c 1 9
mknod -m 666 $CHROOT/dev/zero c 1 5

And that made mod_auth_digest work in the chroot jail. The DBM module authentication still doesn't work, but it was only a fallback if I couldn't get mod_auth_digest working...

Also, I found information saying that I could use a tool called "strace" to find files being opened by processes, but I never found a good guide on how to get it to work properly...
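
The strace approach mentioned in the post above, as an added example that is not part of the original thread: it filters a trace for file lookups that failed with ENOENT, which is how a missing /dev/urandom or library inside a jail shows up. The function names, the trace file location, the httpd path in the comment and the sample trace lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list paths a chrooted process looked for but could not find.
#
# Capture a trace first (run as root; the httpd path inside the jail is an
# assumption, -X keeps Apache in the foreground as a single process):
#   strace -f -e trace=file -o /tmp/httpd.trace \
#       chroot /chroot/httpd /usr/sbin/httpd -X
# Paths in the trace are relative to the jail root, so a reported
# /dev/urandom means /chroot/httpd/dev/urandom is absent.

# missing_paths: read strace output on stdin and print each distinct path
# whose file syscall failed with ENOENT, tagged as device, library or file.
missing_paths() {
    awk '
        / = -1 ENOENT / && match($0, /"[^"]*"/) {
            path = substr($0, RSTART + 1, RLENGTH - 2)
            if (seen[path]++) next          # report each path once
            kind = "file"
            if (path ~ /^\/dev\//) kind = "device"
            else if (path ~ /\.so(\.[0-9]+)*$/) kind = "library"
            print kind "\t" path
        }
    ' | sort
}

# Constructed sample trace (not taken from the thread).
sample_trace() {
    cat <<'EOF'
2301 open("/etc/httpd/conf/httpd2.conf", O_RDONLY) = 3
2301 open("/usr/lib/libexample.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
2301 open("/dev/urandom", O_RDONLY) = -1 ENOENT (No such file or directory)
2301 stat64("/etc/localtime", 0xbffff2a0) = -1 ENOENT (No such file or directory)
2302 open("/dev/urandom", O_RDONLY) = -1 ENOENT (No such file or directory)
2301 open("/dev/null", O_RDWR) = 3
EOF
}

sample_trace | missing_paths
```

On a real trace, run `missing_paths < /tmp/httpd.trace`; many ENOENT entries are harmless search-path probes, so look first at the ones closest to the point where the error is logged.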
 
Old 09-15-2005, 04:31 PM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Well, I'm glad that it worked for you. Odd that it needs those devices, especially /dev/zero.
 
  

