Chrooting Apache2 howto

by Jan Mattila
last updated October 14th, 2003


Credits

This article was inspired by Artur Maj's article Securing Apache: Step-by-Step shows in a step-by-step fashion, how to install and configure the Apache 2.0.x series web server in much the same way as the 1.3.X covered in Artur's article, i.e. "in order to mitigate or avoid successful break-in when new vulnerabilities in this software are found".


Introduction

Configuring your Apache2 server in accordance to the specifications laid out in this howto will result in limited functionality. The following will be available:

This howto does not cover such things as relational databases (MySQL, PostgreSQL, etc.), scripting languages (Python, Perl, PHP, Tcl, etc.), or any of a myriad of server side gadgets for interaction with web services. The reasons for this are beyond the scope of this howto, but involve security on multiple levels. For a better explanation to this and a number of other good security oriented observations, read Artur's article.

Setup

The rest of this howto has been performed on my LFS 3.3 ( Linux from scratch) based distribution of Linux called Jinx, running on a i586-pc-linux-gnu, with the 2.4.18 kernel (I know it's not the latest kernel patch, but I'm such a lazy bastard).

I'm sure most of the stuff in this howto will be applicable in most unixes, but some variations may occur. I'll try to add them, if you report them, with the exclusion of anything involving the microsoft corporation.

The first step in securing any service is to close as many security holes in the operating system and then start closing holes in the service itself. This so called hardening of the OS is beyond the scope of this article, but there are some very good articles about the issue on e.g. the SecurityFocus site. So feel free to stop by there and come back later for the Apache2 part.

Installation and settings

Once all the other planned hardening has been executed we can begin the process of bolting up Apache2.

The first thing is to create a new username and usergroup to be used only by Apache2. We can use the name for both "apache2" and create the new group and regular user like this:

groupadd apache2
useradd apache2 -c "Apache2 server" -d /dev/null -g apache2 -s /bin/false

This sets the home directory to nada and gives no shell. Thus if the user account is compromised the cracker will have a hard time obtaining a shell from which to launch any serious attack.

Also, by default, the Apache2 processes run with privileges of user nobody (except the main process, which runs with root privileges) and GID of group nogroup. If the account was compromised the intruder would gain access to all processed running under user nobody and group nogroup. Hence we run Apache2 under the UID/GID of a unique regular user/group, dedicated to Apache2.

Getting Apache2

Next you need to download the latest stable version of the Apache2 web server from your nearest mirror. Since some of the options of Apache2 can only be disabled during compilation, you need to download the source instead of a binary release. It is also good practice to always compile your own software, since then you'll know what crap got put in and what got left out, right?

If you download the software from a mirror, be sure to verify the authenticity of the packages with PGP, GPG or MD5 as instructed here.

After downloading and verifying the packets, you need to unpack them. Then you need to decide which modules are to remain enabled. All the modules available in the latest version of Apache 2.0.X (currently 2.0.47) can be found at http://httpd.apache.org/docs-2.0/mod.

Apache2 modules

The choice of modules is one of the most important steps in securing Apache2. The fewer you have, the better. In order to not incapasitate Apache2 completely and fulfill the functionality and security assumptions stated in the beginning, the following modules must remain enabled:

ModuleDescription
core Core Apache HTTP Server features that are always available
mod_access Access control based on client hostname, IP address, or other characteristics of the client request
mod_auth User authentication using text files
mod_dir Provides for "trailing slash" redirects and serving directory index files
mod_log_config Logging of the requests made to the server
mod_mime Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)

All of the aforementioned modules are installed by default, but a number of other modules are also installed by default. Since configure for Apache2 doesn't seem to support the --disable-all switch you need to disable the ones you don't want and leave untouched the default ones you want. The following modules should thus be removed:

This will leave the wanted modules listed before and use the default MPM, prefork.c.

Now, you may choose to include some more modules and change the MPM to suit your needs better. It is, however, worth to note that some Apache2 modules are more dangerous than others. For a discussion of these, please refer to the original Securing Apache: Step-by-Step article or any number of security related sites for example SecurityFocus.

The next issue is whether to compile the modules dynamically or statically. Static is better. If new vulnerabilities in Apache2 are found, you will probably have to recompile the whole thing anyway and by choosing the static method, you eliminate the need of one more module, mod_so.

Compiling Apache2

The latest distribution should have all necessary security patches included, but if for some reason it does not, you need to apply all these patches. After this, the server can be compiled as follows:

./configure --prefix=/opt/apache \
--disable-actions --disable-alias --disable-asis \
--disable-autoindex --disable-cgi --disable-env \
--disable-imap --disable-include --disable-negotiation \
--disable-setenvif --disable-so --disable-status  \
--disable-userdir

The choice of prefix is naturally up to you, but I happen to use that one. It is a good idea not to leave any marks about the version of apache in use, thus for example --prefix=/opt/apache-2.0.47 would be a bad choice.

After configure, run make, switch to root, make sure the default access right settings for files and directories are proper, run make install and set the ownership for the new files and directories to root.

make
su
umask 022
make install
chown -R root:root /opt/apache

The actual Chrooting of Apache2

The next phase is to limit Apache2's access to the filesystem. This can be achieved by chrooting it's main daemon, httpd. Chrooting means creating a new root directory structure. Thus when you move daemon files to it, and run the proper daemon in the new environment, it and all it's child processes will have access only to the new directory structure.

First you need to create the new root directory structure. I've done it under /chroot/httpd, you can choose whatever you like. To make the directory structure under /chroot/httpd, do this:

mkdir -p /chroot/httpd/dev && \
mkdir -p /chroot/httpd/etc && \
mkdir -p /chroot/httpd/lib && \
mkdir -p /chroot/httpd/opt/apache/bin && \
mkdir -p /chroot/httpd/opt/apache/logs && \
mkdir -p /chroot/httpd/opt/apache/conf && \
mkdir -p /chroot/httpd/opt/apache/lib && \
mkdir -p /chroot/httpd/usr/lib && \
mkdir -p /chroot/httpd/usr/libexec && \
mkdir -p /chroot/httpd/usr/share/zoneinfo/Europe && \ 
mkdir -p /chroot/httpd/var/run && \
mkdir -p /chroot/httpd/web

Naturally you'd want to put the zoneinfo, that's relevant for you. The owner of all these directories must be root and the access rights must be set to 0755. Next you create the special device file, /dev/null and set its access rights:

mknod /chroot/httpd/dev/null c 1 3
chown root:root /chroot/httpd/dev/null
chmod 666 /chroot/httpd/dev/null

Note: for FreeBSD systems this would be:

mknod /chroot/httpd/dev/null c 2 2
chown root:root /chroot/httpd/dev/null
chmod 666 /chroot/httpd/dev/null

Also a log device must be created under the chroot jail. This can be achieved by adding the line

syslogd_flags="-l chroot/httpd/dev/log"

to the /etc/syslog.conf file and restarting the syslogd daemon.

kill -SIGHUP 'cat /var/run/syslogd.pid'

Note: for FreeBSD systems you would need to change the /etc/rc.conf file.

After these comes the time consuming part. You need to check each and every program and library for dependancies. I used ldd to begin with and strace to get all the rest. You should get something like this, when you ldd the main daemon, httpd:

ldd /opt/apache/bin/httpd
        libaprutil-0.so.0 => /opt/apache/lib/libaprutil-0.so.0 (0x40016000)
        libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x4002d000)
        libdb-4.1.so => /usr/lib/libdb-4.1.so (0x40033000)
        libexpat.so.0 => /opt/apache/lib/libexpat.so.0 (0x400d4000)
        libapr-0.so.0 => /opt/apache/lib/libapr-0.so.0 (0x400f1000)
        librt.so.1 => /lib/librt.so.1 (0x4010f000)
        libm.so.6 => /lib/libm.so.6 (0x40120000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40142000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4016f000)
        libdl.so.2 => /lib/libdl.so.2 (0x40184000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x40187000)
        libc.so.6 => /lib/libc.so.6 (0x4019c000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

If you then run ldd for each of these files, you should get something resembling this:

ldd /opt/apache/lib/libaprutil-0.so.0
        libc.so.6 => /lib/libc.so.6 (0x40018000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
ldd /usr/lib/libgdbm.so.2
        libc.so.6 => /lib/libc.so.6 (0x40009000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
ldd /usr/lib/libdb-4.1.so
        libc.so.6 => /lib/libc.so.6 (0x400a4000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
ldd /opt/apache/lib/libexpat.so.0
        libc.so.6 => /lib/libc.so.6 (0x40020000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
ldd /opt/apache/lib/libapr-0.so.0
        libc.so.6 => /lib/libc.so.6 (0x40021000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
ldd /lib/librt.so.1
        libc.so.6 => /lib/libc.so.6 (0x40018000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x4013d000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
ldd /lib/libm.so.6
        libc.so.6 => /lib/libc.so.6 (0x40018000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
ldd /lib/libcrypt.so.1
        libc.so.6 => /lib/libc.so.6 (0x40018000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
ldd /lib/libnsl.so.1
        libc.so.6 => /lib/libc.so.6 (0x40018000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
ldd /lib/libdl.so.2
        libc.so.6 => /lib/libc.so.6 (0x40018000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
ldd /lib/libpthread.so.0
        libc.so.6 => /lib/libc.so.6 (0x40018000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
ldd /lib/libc.so.6
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

You then strace the httpd into a file and grep that for the word open and you should get out something like this:

strace -o /opt/httpd-trace /opt/apache/bin/httpd

cat /opt/httpd-trace | grep open

open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/opt/apache/lib/i586/mmx/libaprutil-0.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/opt/apache/lib/i586/libaprutil-0.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/opt/apache/lib/mmx/libaprutil-0.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/opt/apache/lib/libaprutil-0.so.0", O_RDONLY) = 3
open("/opt/apache/lib/libgdbm.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/usr/lib/libgdbm.so.2", O_RDONLY) = 3
open("/opt/apache/lib/libdb-4.1.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libdb-4.1.so", O_RDONLY) = 3
open("/opt/apache/lib/libexpat.so.0", O_RDONLY) = 3
open("/opt/apache/lib/libapr-0.so.0", O_RDONLY) = 3
open("/opt/apache/lib/librt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/librt.so.1", O_RDONLY)       = 3
open("/opt/apache/lib/libm.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libm.so.6", O_RDONLY)        = 3
open("/opt/apache/lib/libcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libcrypt.so.1", O_RDONLY)    = 3
open("/opt/apache/lib/libnsl.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libnsl.so.1", O_RDONLY)      = 3
open("/opt/apache/lib/libdl.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libdl.so.2", O_RDONLY)       = 3
open("/opt/apache/lib/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libpthread.so.0", O_RDONLY)  = 3
open("/opt/apache/lib/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/opt/apache/conf/httpd.conf", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY)    = 4
open("/opt/apache/lib/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 4
open("/lib/libnss_files.so.2", O_RDONLY) = 4
open("/etc/passwd", O_RDONLY)           = 4
open("/etc/group", O_RDONLY)            = 4
open("/opt/apache/logs/access_log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 4

The reason why we strace the httpd is that you need to copy each of these open files to the chroot jail with the exeption of the /etc/ld.so.cache, which is created at runtime and the /etc/ld.so.preload, which is only found on some systems (excluding e.g. mine).

As you can see from the output of the httpd strace the daemon systematically first checks for the libraries from its own lib/ directory. Thus you can copy the libraries directly to the /chroot/httpd/opt/apache/lib directory. You need to have ld-linux.so.2 and libc.so.6 in the /lib/ of the chroot, but all the rest can go straight to Apache2's own lib/ directory.

So, moving on. You copy the libraries to the chroot jail and put them in the /opt/apache/lib/ and /lib/ directories.

cp /lib/ld-linux.so.2 /chroot/httpd/lib/ && \
cp /lib/libc.so.6 /chroot/httpd/lib/ && \
cp /lib/libcrypt.so.1 /chroot/httpd/opt/apache/lib/ && \
cp /lib/libdl.so.2 /chroot/httpd/opt/apache/lib/ && \
cp /lib/libm.so.6 /chroot/httpd/opt/apache/lib/ && \
cp /lib/libnsl.so.1 /chroot/httpd/opt/apache/lib/ && \
cp /lib/libnss_files.so.2 /chroot/httpd/opt/apache/lib/ && \
cp /lib/libpthread.so.0 /chroot/httpd/opt/apache/lib/ && \
cp /lib/librt.so.1 /chroot/httpd/opt/apache/lib/ && \
cp /usr/lib/libdb-4.1.so /chroot/httpd/opt/apache/lib/ && \
cp /usr/lib/libgdbm.so.2 /chroot/httpd/opt/apache/lib/ && \
cp /opt/apache/lib/libapr-0.so.0 /chroot/httpd/opt/apache/lib/ && \
cp /opt/apache/lib/libaprutil-0.so.0 /chroot/httpd/opt/apache/lib/ && \
cp /opt/apache/lib/libexpat.so.0 /chroot/httpd/opt/apache/lib/

The next step is to copy the rest of the files mentioned in the strace:

cp /etc/nsswitch.conf /chroot/httpd/etc/
cp /etc/group /chroot/httpd/etc/
cp /etc/passwd /chroot/httpd/etc/
cp /opt/apache/logs/access_log /chroot/httpd/opt/apache/logs/
cp /opt/apache/conf/httpd.conf /chroot/httpd/opt/apache/conf/

You need to remove all other lines from the passwd and group file except apache2 and nobody (and nogroup, if you happen to have one).

If you now try to run httpd with those files, it won't work and if you strace it, you'll find out, that you also need these files:

cp /opt/apache/conf/mime.types /chroot/httpd/opt/apache/conf/
cp /opt/apache/logs/error_log /chroot/httpd/opt/apache/logs/
cp /usr/share/zoneinfo/Europe/Helsinki /chroot/httpd/usr/share/zoneinfo/Europe/

Obviously you want to use the zoneinfo, that's correct for you time zone. I just happen to live in Helsinki.

You might also want to put in these files, although Apache2 will run without them (or at least seems to):

cp /etc/resolv.conf /chroot/httpd/etc/
cp /etc/hosts /chroot/httpd/etc/

Testing

Now it's time to see if the bugger works. Copy one of the index files from /opt/apache/htdocs/ to /chroot/httpd/web/index.html:

cp /opt/apache/htdocs/index.html.en /chroot/httpd/web/index.html

Change your /chroot/httpd/opt/apache/conf/httpd.conf to point to it. You can change only the DocumentRoot variable to /web for testing. Then try to run Apache2 in the chroot jail:

/usr/sbin/chroot /chroot/httpd/ /opt/apache/bin/httpd

If you made use of the virtual hosts then you need to make the directories to which you point i.e. I have the directories /chroot/httpd/opt/apache/logs/kakkonen.fi/, /chroot/httpd/opt/apache/logs/www.bostonpromenade.com/ /chroot/httpd/web/vhosts/kakkonen.fi/ and /chroot/httpd/web/vhosts/www.bostonpromenade.com/.

If Apache2 still won't work, try to strace the httpd again and grep the file for ENOENT (something not found).

You can also try to increase the level of Apache2's logging by changing the LogLevel in the httpd.conf to debug.

Tuning

Fine tuning the httpd.conf is an artform, but you can get far with something like this:

# =================================================
# Basic settings
# =================================================
ServerRoot "/opt/apache"
PidFile /opt/apache/logs/httpd.pid
ScoreBoardFile /opt/apache/logs/httpd.scoreboard

# =================================================
# Performance settings
# =================================================
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
# =================================================
# General settings
# =================================================
Listen 80
User apache
Group apache
ServerAdmin [email protected]
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
ServerTokens Prod
DirectoryIndex index.html
DocumentRoot "/web/vhosts"

# =================================================
# Access control
# =================================================
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/web/vhosts/kakkonen.fi">
    Order allow,deny
    Allow from all
</Directory>
<Directory "/web/vhosts/www.bostonpromenade.com">
    Order allow,deny
    Allow from all
</Directory>

AccessFileName .htaccess
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# =================================================
# MIME encoding
# =================================================
TypesConfig /opt/apache/conf/mime.types
DefaultType text/plain
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddType application/x-tar .tgz

# =================================================
# MIME encoding
# =================================================
TypesConfig /opt/apache/conf/mime.types
DefaultType text/plain
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddType application/x-tar .tgz

# =================================================
# Logs
# =================================================
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /opt/apache/logs/error_log

# =================================================
# Virtual hosts
# =================================================
NameVirtualHost *
<VirtualHost *>
       DocumentRoot "/web/vhosts/kakkonen.fi"
       ServerName "kakkonen.fi"
       ServerAlias "www.kakkonen.fi"
       ErrorLog logs/kakkonen.fi/error_log
       CustomLog logs/kakkonen.fi/access_log combined
</VirtualHost>
<VirtualHost *>
       DocumentRoot "/web/vhosts/www.bostonpromenade.com"
       ServerName "www.bostonpromenade.com"
       ServerAlias "bostonpromenade.com"
       ErrorLog logs/www.bostonpromenade.com/error_log
       CustomLog logs/www.bostonpromenade.com/access_log combined
</VirtualHost>

Copyright © 2003 Jan Mattila.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".


Strict XHTML 1.0 Valid CSS Copyright © 2003 Jan Mattila, GNU Free Documentation License