Chrooting Apache and PHP

General Information
Chrooting has been around for a long time now.  Chrooting makes a program believe that the root of the file system is higher up in the hierarchy.  For example, if I wanted to create a chroot in /chroot/httpd, a program executed from within the chroot would believe that "/chroot/httpd" was actually "/".  There in lies the beauty as the program can't reach any files outside "/chroot/httpd".  Security of the server as a whole is increased due to the fact that the system binaries are off limits.  In addition, chroots usually only have the bare minimum files inside, so exploits have a harder time breaking in.
Chroots can be broken out of.  On FreeBSD, jail can also be used.  Jail does the same as chroot, but on top of what chroot does, jail restricts what a process can do.  One of the benefits of OpenBSD is the fact that apache comes chrooted by default, which is nice.  But, that's not going to stop NetBSD or FreeBSD from doing this also.
So, why chroot instead of jail?  Jailing processes is actually a simple task.  Basically I want to help you out with 2 areas in this article.  The first is to get apache and php chrooted while working with a chrooted mysql.  And the second, I hope you can figure out from this how to chroot your own processes.  Once you figure out how to setup chroot trees, configuring jails should not be a challenge for you at all.
Installation
Lets start off by installing apache with mod_ssl and create our SSL certificates.
#
#
#
#
cd /usr/ports/www/apache13-modssl
make
make certificate TYPE=custom
make installNext we set a variable of where we wish to place it.  To help avoid unnecessary typing, it's recommended that you have your chroot directory on its own disklabel.  This way you can place further restrictions in the /etc/fstab file.
#
TGT=/chroot/httpd
Configuration
Now we need to prepare our directory structure for the chroot.
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
cd $TGT
mkdir dev
mkdir etc
mkdir tmp
mkdir -p var/run
mkdir -p usr/lib
mkdir usr/libexec
mkdir -p usr/local/www/
mkdir usr/local/lib
mkdir -p usr/local/etc/apache
mkdir -p usr/local/libexec/apache
mkdir -p usr/local/www/data
mkdir usr/local/www/vhosts
mkdir usr/local/sbin
mkdir -p usr/X11R6/lib
mkdir var/logNext, there are a few devices we need in our dev directory in which apache needs.  We will use the mknod for this task.
#
#
#
#
#
#
#
#
#
mknod $TGT/dev/null c 2 2
chown root:sys $TGT/dev/null
chmod 666 $TGT/dev/null

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有