Category: System Operations
2011-06-23 10:45:18
Part 1
A chroot on Red Hat / CentOS / Fedora Linux changes the apparent root directory for the Apache process and its children. Once this is done, an attacker, or a PHP / Perl / Python script run by Apache, cannot open or even name files outside that directory. This is called a "chroot jail" for Apache. You should not run a web server without a jail: there should be privilege separation between the web server and the rest of the system. Keep in mind what a chroot does not do: it is no boundary against code running as root inside the jail, and it restricts neither network access nor system calls. What it buys you here is that the Apache children, running as the unprivileged apache user, are confined to the jail directory.
In this exclusive series, you will learn more about:
Requirements
More about Jail directory: /httpdjail
Create a jail directory as follows:
# J=/httpdjail
# mkdir $J
Install Apache, PHP and MySQL
Install the required packages using yum:
# yum install mysql mysql-server httpd php-mysql php-pear php-xml php-cli php-imap php-gd php-pdo php-devel php-mbstring php-common php-ldap php httpd-devel
Now, create required directories inside your jail:
# mkdir -p $J/var/run
# chown -R root.root $J/var/run
# mkdir -p $J/home/httpd
# mkdir -p $J/var/www/html
# mkdir -p $J/tmp
# chmod 1777 $J/tmp
# mkdir -p $J/var/lib/php/session
# chown root.apache $J/var/lib/php/session
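The skeleton above as one idempotent script, followed by a check of the result. This is an added example, not from the original article: make_jail and check_jail are hypothetical helper names, the jail path is passed as an argument (/httpdjail in the text), and the apache group is assumed to exist (the httpd package creates it). It also sets var/lib/php/session to mode 0770, which is what the stock CentOS package uses for /var/lib/php/session; the mkdir default of 0755 with root:apache ownership would leave the apache user unable to write session files.

```shell
#!/bin/sh
# Added example, not part of the original article. Builds the jail skeleton
# from the steps above and checks its permissions. Helper names are hypothetical.

# Create the directories Apache and PHP need after chroot(). Ownership is
# applied only when running as root, so the layout can be dry-run as a
# normal user (the directories then stay owned by the caller).
make_jail() {
    jail=${1%/}
    mkdir -p "$jail/var/run" "$jail/home/httpd" "$jail/var/www/html" \
             "$jail/tmp" "$jail/var/lib/php/session"
    chmod 0755 "$jail"                      # jail root: never writable by apache
    chmod 1777 "$jail/tmp"                  # sticky, like the real /tmp
    chmod 0770 "$jail/var/lib/php/session"  # same mode as the stock CentOS directory
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$jail" "$jail/var/run"
        # assumption: the apache group exists (created by the httpd package)
        if getent group apache >/dev/null; then
            chown root:apache "$jail/var/lib/php/session"
        else
            echo "warning: no apache group, session dir left root-owned" >&2
        fi
    fi
}

# Return 0 if the jail looks sane: root mode 0755 and nothing inside it
# world-writable except the expected tmp. Offending paths go to stderr.
# A world-writable directory in the jail lets a compromised apache worker
# plant files that the chrooted server will then serve or execute.
check_jail() {
    jail=${1%/}
    rc=0
    if [ "$(stat -c %a "$jail")" != 755 ]; then
        echo "jail root $jail is not mode 0755" >&2
        rc=1
    fi
    bad=$(find "$jail" -mindepth 1 -perm -0002 \
               ! -path "$jail/tmp" ! -path "$jail/tmp/*" 2>/dev/null || true)
    if [ -n "$bad" ]; then
        printf 'world-writable inside jail:\n%s\n' "$bad" >&2
        rc=1
    fi
    return $rc
}

# usage on the server, as root: make_jail /httpdjail && check_jail /httpdjail
```

Run check_jail again after deploying application code: an upload directory or cache that a deployment script made world-writable shows up immediately.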
Install mod_chroot
mod_chroot makes running Apache in a chroot environment easy. You don't need to create a special directory hierarchy containing /dev, /lib and /etc: the chroot() system call is performed at the end of the startup procedure, when all libraries are loaded and the log files are open, so Apache itself needs no additional files inside the jail. Anything opened later, at request time, must exist under the jail, though: the PHP session and temporary directories created above, a MySQL Unix socket (connect to 127.0.0.1 over TCP instead), /etc/resolv.conf and /etc/hosts if scripts resolve names, and so on. Download mod_chroot using wget:
# cd /opt/
# wget ~hobbit/mod_chroot/dist/mod_chroot-0.5.tar.gz
Untar it:
# tar -zxvf mod_chroot-0.5.tar.gz
Compile and install mod_chroot using apxs:
# cd mod_chroot-0.5
# apxs -cia mod_chroot.c
Configure Apache mod_chroot
Open the /etc/httpd/conf/httpd.conf file:
# C=/etc/httpd/conf/httpd.conf
# vi $C
Set the PidFile path, where the server records its process ID when it starts. Find the line that reads:
PidFile run/httpd.pid
Replace with:
PidFile /var/run/httpd.pid
Next, add the ChrootDir directive:
ChrootDir /httpdjail
Find the line that reads:
ServerRoot "/etc/httpd"
Append the following lines after it (all paths are relative to the jail once chroot() has happened):
LockFile /var/run/httpd.lock
CoreDumpDirectory /var/run
ScoreBoardFile /var/run/httpd.scoreboard
Make sure the LoadModule line for mod_chroot.so exists (apxs -cia adds it). For example, 64 bit Linux should have the line:
LoadModule chroot_module /usr/lib64/httpd/modules/mod_chroot.so
32 bit Linux config line:
LoadModule chroot_module /usr/lib/httpd/modules/mod_chroot.so
Save and close the file.
Disable SELinux for Apache
You need to disable the SELinux domain transition for apache, enter:
# setsebool httpd_disable_trans 1
This boolean exists on RHEL / CentOS 5; it makes httpd run unconfined as initrc_t (visible in the error_log notice further down) instead of in the httpd_t domain, so you are trading SELinux confinement for the chroot jail rather than adding one to the other. See the article "disabling SELinux for only Apache / httpd in Linux" for further details.
Patch up /etc/init.d/httpd
Open the /etc/init.d/httpd file:
# vi /etc/init.d/httpd
Find the lines that read:
# Start httpd in the C locale by default.
HTTPD_LANG=${HTTPD_LANG-"C"}
Add the following line after them (set ROOT to the value of $J):
ROOT=/httpdjail
Find the stop() function, which reads:
stop() {
echo -n $"Stopping $prog: "
killproc -d 10 $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
Replace it as follows. Once chrooted, httpd writes its pid file inside the jail, at $J/var/run/httpd.pid, while killproc looks at /var/run/httpd.pid; linking the host path to the jail copy makes the stop operation work. The -f flag is needed because a stale /var/run/httpd.pid from a previous run would otherwise make ln fail and killproc kill nothing:
stop() {
# httpd wrote its pid file inside the jail; point the host path at it
/bin/ln -sf $ROOT/var/run/httpd.pid /var/run/httpd.pid
echo -n $"Stopping $prog: "
killproc -d 10 $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
Save and close the file. Then make it immutable, so that it cannot be modified, overwritten by a yum update, deleted or renamed, no link can be created to it and no data can be written to it. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute. Remember to clear it (chattr -i) before updating the httpd package, otherwise the update fails on this file and you lose your patch when you reapply it by hand:
# chattr +i /etc/init.d/httpd
How do I start chrooted httpd?
Type the following command:
# /etc/init.d/httpd start
You should not see any errors in /var/log/httpd/error_log; a successful start logs the "mod_chroot: changed root" notice:
[Sun Dec 21 18:43:09 2008] [notice] core dump file size limit raised to 18446744073709551615 bytes
[Sun Dec 21 18:43:09 2008] [notice] SELinux policy enabled; httpd running as context root:system_r:initrc_t
[Sun Dec 21 18:43:09 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Dec 21 18:43:09 2008] [notice] Digest: generating secret for digest authentication ...
[Sun Dec 21 18:43:09 2008] [notice] Digest: done
[Sun Dec 21 18:43:10 2008] [notice] mod_chroot: changed root to /httpdjail.
[Sun Dec 21 18:43:10 2008] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
How do I stop chrooted httpd?
# /etc/init.d/httpd stop
How do I restart chrooted httpd?
# /etc/init.d/httpd restart
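A check a practitioner wants after the restart, added here and not part of the original article: confirm from outside the jail that the parent httpd and every child forked from it really have /httpdjail as their root, and locate the pid file, which after chroot() ends up inside the jail (the problem the stop() patch above works around). proc_root, is_jailed, children_of, find_pidfile and check_httpd_jail are hypothetical helper names; the script assumes a Linux /proc and must run as a user allowed to read /proc/<pid>/root of the workers, i.e. root.

```shell
#!/bin/sh
# Added example, not part of the original article: verify that a running
# httpd is really chrooted. Assumes Linux /proc; reading /proc/<pid>/root of
# another user's process needs root. Helper names are hypothetical.

# Root directory of PID as the kernel sees it (fails if the process is gone).
proc_root() { readlink "/proc/$1/root"; }

# 0 if PID's root is JAIL, 1 if not, 2 if PID is gone or unreadable.
# Must be run from outside the jail: a chrooted process sees its own root as "/".
is_jailed() {
    pid=$1
    jail=${2%/}
    jail=$(readlink -f "${jail:-/}") || return 2
    root=$(readlink "/proc/$pid/root" 2>/dev/null) || return 2
    [ "$root" = "$jail" ]
}

# PIDs whose parent is $1, found by scanning /proc (no pgrep dependency).
children_of() {
    grep -l "^PPid:[[:space:]]*$1\$" /proc/[0-9]*/status 2>/dev/null |
        sed 's|^/proc/||; s|/status$||'
}

# Once chrooted, Apache writes PidFile relative to JAIL, so the host copy is
# stale or missing. Print the path that actually exists (jail copy first) or
# fail; this is what the stop() symlink papers over.
find_pidfile() {
    jail=${1%/}
    pidfile=$2
    for p in "$jail$pidfile" "$pidfile"; do
        if [ -f "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# Check the parent httpd and every child forked from it. Returns 0 only when
# all live processes have JAIL as root, 1 if any is outside, 2 without a pid
# file. Children that exit during the scan are skipped, not counted.
check_httpd_jail() {
    jail=$1
    pidfile=$2
    rc=0
    f=$(find_pidfile "$jail" "$pidfile") || { echo "no pid file for $pidfile" >&2; return 2; }
    parent=$(tr -dc '0-9' < "$f")
    for pid in $parent $(children_of "$parent"); do
        if is_jailed "$pid" "$jail"; then
            echo "pid $pid root=$(proc_root "$pid") jailed"
        elif [ $? -eq 2 ]; then
            echo "pid $pid exited during scan, skipped"
        else
            echo "pid $pid root=$(proc_root "$pid" 2>/dev/null) NOT jailed" >&2
            rc=1
        fi
    done
    return $rc
}

# usage, as root on the server: check_httpd_jail /httpdjail /var/run/httpd.pid
```

A worker reported as NOT jailed after a restart usually means the restart went through a code path that re-executed httpd without mod_chroot loaded, or that ChrootDir is set in a file that is not included; fix the configuration rather than the check.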
Part 2
This guide explains how to set up mod_chroot with Apache2 on a CentOS 5.4 system. With mod_chroot, you can run Apache2 in a chroot environment and make your server less vulnerable to break-in attempts that try to exploit vulnerabilities in Apache2 or your installed web applications.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm assuming that you have a running CentOS 5.4 system with a working Apache2, e.g. as shown in this tutorial: . In addition to that I assume that you have one or more web sites set up within the /var/www directory (e.g. if you use ISPConfig).
2 Installing mod_chroot
There's no mod_chroot package for CentOS 5.4, therefore we must build it ourselves. First we install the prerequisites:
yum groupinstall 'Development Tools'
yum groupinstall 'Development Libraries'
yum install httpd-devel
Now we build mod_chroot as follows:
cd /tmp
wget ~hobbit/mod_chroot/dist/mod_chroot-0.5.tar.gz
tar xvfz mod_chroot-0.5.tar.gz
cd mod_chroot-0.5
apxs -cia mod_chroot.c
Then we restart Apache:
/etc/init.d/httpd restart
I want to use the /var/www directory as the directory containing the chroot jail. CentOS' Apache uses the PID file /var/run/httpd.pid; when Apache is chrooted to /var/www, /var/run/httpd.pid translates to /var/www/var/run/httpd.pid. Therefore we create that directory now:
mkdir -p /var/www/var/run
chown -R root:apache /var/www/var/run
Now we must tell Apache that we want to use /var/www as our chroot directory. We open /etc/httpd/conf/httpd.conf and, right below the PidFile line, add the line ChrootDir /var/www; we also comment out the PidFile run/httpd.pid line and add the line PidFile /var/run/httpd.pid (an absolute path, because relative paths are resolved against ServerRoot, which does not exist inside the jail):
vi /etc/httpd/conf/httpd.conf
[...]
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
#PidFile run/httpd.pid
PidFile /var/run/httpd.pid
ChrootDir /var/www
[...]
Next we must tell our vhosts that the document root has changed (for example, a DocumentRoot of /var/www now translates to DocumentRoot /). We can do this either by changing the DocumentRoot directive of each vhost, or, more easily, by creating a symlink in the file system.
3.1 First Method: Changing The DocumentRoot
Let's assume we have a vhost with DocumentRoot /var/www. We must now open the configuration of that vhost and change DocumentRoot /var/www to DocumentRoot /. Accordingly, DocumentRoot /var/www/web1/web would now translate to DocumentRoot /web1/web, and so on: strip the jail prefix from the host path. If you want to use this method, you must change the DocumentRoot of every single vhost, and a DocumentRoot outside /var/www cannot be reached at all once Apache is chrooted.
3.2 Second Method: Creating A Symlink In the File System
This method is easier, because you have to do it only once and don't have to modify any vhost configuration. We create a symlink at /var/www/var/www that, seen from inside the jail, points back to /var/www. Note how the relative target works: inside the jail the link lives at /var/www, so ".." leads to the jail root and a second ".." stays there, because the kernel never lets a chrooted process climb above its root; on the host the same link resolves to /var. A target of ../ would resolve to /var/www both inside and outside the jail and is the less surprising choice, but the tutorial's ../../ works for Apache:
mkdir -p /var/www/var
cd /var/www/var
ln -s ../../ www
Finally, we have to stop Apache, create a symlink from /var/run/httpd.pid to /var/www/var/run/httpd.pid, and start it again. Note that the stock init script removes ${pidfile} on a successful stop, which deletes this symlink, so it has to be recreated before each subsequent stop; Part 1 patches stop() for exactly this reason:
/etc/init.d/httpd stop
ln -sf /var/www/var/run/httpd.pid /var/run/httpd.pid
/etc/init.d/httpd start
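Both methods above, as an added example that is not part of the HowtoForge tutorial: jail_path computes the in-jail DocumentRoot that the first method asks you to write by hand, make_jail_link creates the second method's symlink exactly as the tutorial does, and jail_resolve emulates how the kernel resolves a path for a chrooted process (symlinks followed relative to the jail, ".." clamped at the jail root), so you can verify where a vhost's DocumentRoot lands without restarting Apache. Function names are hypothetical; the web1 vhost path is the one used in the text.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Helper names are
# hypothetical. Paths containing spaces or glob characters are not handled,
# and the jail must not be "/".

# Method 3.1: the in-jail form of a host DocumentRoot. Prints it and returns
# 0, or returns 1 if the path lies outside the jail (once chrooted, Apache
# cannot reach it at all).
jail_path() {
    jail=${1%/}
    path=$2
    case "$path" in
        "$jail")   echo /; return 0 ;;
        "$jail"/*) rest=${path#"$jail"/}; echo "/$rest"; return 0 ;;
        *)         echo "$path is outside $jail" >&2; return 1 ;;
    esac
}

# Method 3.2: create the symlink as the tutorial does (target ../../).
make_jail_link() {
    jail=${1%/}
    mkdir -p "$jail/var"
    ln -sfn ../../ "$jail/var/www"
}

# Emulate kernel path resolution for a process chrooted to JAIL: symlinks
# are followed relative to JAIL and ".." never climbs above it. Prints the
# host path the in-jail PATH lands on. Gives up after 40 symlink hops.
jail_resolve() {
    jail=$(readlink -f "${1%/}")
    cur=$jail
    hops=0
    set -- $(printf '%s\n' "$2" | tr '/' ' ')
    while [ $# -gt 0 ]; do
        c=$1; shift
        case "$c" in
            ''|.) ;;
            ..) if [ "$cur" != "$jail" ]; then cur=${cur%/*}; fi ;;  # clamped at jail root
            *)
                if [ -L "$cur/$c" ]; then
                    hops=$((hops + 1))
                    if [ "$hops" -gt 40 ]; then echo "symlink loop under $jail" >&2; return 1; fi
                    t=$(readlink "$cur/$c")
                    case "$t" in /*) cur=$jail ;; esac   # absolute target restarts at jail root
                    set -- $(printf '%s\n' "$t" | tr '/' ' ') "$@"
                else
                    cur="$cur/$c"
                fi ;;
        esac
    done
    echo "$cur"
}

# usage on the server:
#   jail_path /var/www /var/www/web1/web        -> /web1/web
#   make_jail_link /var/www && jail_resolve /var/www /var/www/web1/web
```

jail_resolve is also a quick way to audit a jail for symlinks that escape it: any link whose target is absolute or climbs with ".." stays inside the jail for Apache, but the same link seen from the host (readlink -f) may point somewhere else entirely, which matters for backup and deployment tools that run unjailed.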