How to chroot Apache on CentOS?
I have been advised by a sysadmin to run Apache in a chroot jail, in order to prevent an attacker from taking control of the server.
So my question is:
- What is the best method to chroot Apache/2.2.3 on RHEL/CentOS 5? I only use the default modules that come with Apache, like mod_php, and also mod_security.
I have heard of mod_security's SecChrootDir, but I don't know if it would be suitable for my config; the documentation says it's recommended only for static file serving.
Thank you!
Solution 1:
This is where it is probably easier to just go with SELinux. It is even documented how it works with CentOS and Apache:
http://wiki.centos.org/HowTos/SELinux
In short, if you are using SELinux and Apache, the worst that could happen is that the intruder could only access and change files within the same httpd domain. That intruder could not start processes outside the httpd domain or access non-httpd-related files.
EDIT: It is important to note that the real issue is preventing or mitigating privilege escalation. Chroot can help, but it is not foolproof. In looking up info about chroot security, I found this, which led me to this:
http://www.linuxsecurity.com/content/view/117632/49/
The important thing to remember from that link is that the more software you deploy within the chroot, the greater the chance that somebody can break out of the jail. Please keep that in mind as you attempt to get Apache as well as its supporting libraries working within the chroot jail.
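The answer above rests on httpd actually running in the httpd_t domain; if the daemon ends up unconfined (for example started from an unconfined shell with a mislabeled binary), SELinux gives no protection at all. The following script is an added example, not part of the answer or the CentOS wiki, that checks this on a RHEL/CentOS host. The parsing is split into pure functions that read `ps -eZ` text from stdin, so they can be exercised on the constructed sample lines in the comments; the sample process lines and the choice of booleans to report are my assumptions, not something stated on the page.

```shell
#!/bin/sh
# Added example: verify that Apache is confined by SELinux (httpd_t).
# Assumes a SELinux-enabled Linux host with getenforce/getsebool (policycoreutils).

# Extract the SELinux type from a full label.
#   system_u:system_r:httpd_t:s0  ->  httpd_t
selinux_type_of() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Read `ps -eZ` output on stdin and return 0 only when at least one httpd
# process exists and every httpd process runs in the httpd_t domain.
# Constructed sample line (first column is the label, last is the command):
#   system_u:system_r:httpd_t:s0  1234 ?  00:00:00 httpd
all_httpd_confined() {
    awk '
        $NF == "httpd" {
            seen++
            split($1, ctx, ":")
            if (ctx[3] != "httpd_t") bad++
        }
        END { exit (bad > 0 || seen == 0) }'
}

# Live report; run as root on the host being checked.
report_httpd_selinux() {
    command -v getenforce >/dev/null 2>&1 || {
        echo "SELinux userland not installed" >&2
        return 2
    }
    echo "SELinux mode: $(getenforce)"
    if ps -eZ | all_httpd_confined; then
        echo "OK: every httpd process runs in httpd_t"
    else
        echo "WARNING: no httpd process, or some httpd process is outside httpd_t" >&2
    fi
    # Booleans that widen what httpd_t may reach; keep them off unless needed.
    getsebool httpd_can_network_connect httpd_enable_homedirs httpd_unified 2>/dev/null
}

# Usage on the server:
#   report_httpd_selinux
```

A `Permissive` mode from `getenforce` means denials are only logged, so the "worst that could happen" statement above holds only in `Enforcing` mode.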
Solution 2:
Take a look at mod_chroot
Getting dynamic web pages to work under chroot can be a pain; we could not get mod_chroot to work with Django, so the long and manual way we did it was:
mkdir /chroot
# populate /chroot with everything you need, this is a long process
chroot /chroot /usr/sbin/apache2 -k start
where you have a copy of the Apache binary in /chroot/usr/sbin/. The chroot command runs the command that follows inside the jail given as its first argument.
Populating the chroot was a much larger process; there are a lot of docs online about what Apache needs to run that you should take a look at.
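The "populate /chroot" step is the part the answer leaves out. The script below is an added example, not the answerer's own procedure, showing the mechanical core of it: copying a dynamically linked binary into the jail together with every shared library `ldd` reports for it. It assumes a Linux host with `ldd`, `readlink -f` and GNU-style `cp`, and must be run as root to copy system binaries into a real jail. Configuration files, modules, the log and lock directories, `/dev/null`, and whatever mod_php and mod_security load at runtime still have to be added by hand; this only handles the executable-plus-libraries part, which is also the part to keep as small as possible given the break-out concern raised in Solution 1.

```shell
#!/bin/sh
# Added example: copy a binary and the shared libraries it links against
# into a chroot directory. Paths such as /chroot and /usr/sbin/httpd below
# are illustrative assumptions, not taken from the answer.

# Copy one file into the jail at the same absolute path, preserving mode.
# cp without -P dereferences symlinks, so a symlinked library name ends up
# as a regular copy of the real file, which is fine inside the jail.
copy_into_jail() {
    jail=$1; src=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")"
    cp -p "$src" "$dest"
}

# Read ldd output on stdin and print only absolute library paths.
# ldd lines look like (constructed samples):
#   libc.so.6 => /lib64/libc.so.6 (0x00007f...)
#   /lib64/ld-linux-x86-64.so.2 (0x00007f...)
#   linux-vdso.so.1 (0x00007ffd...)        <- virtual, no file to copy
parse_ldd() {
    awk '
        /=>/ { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }'
}

# Library paths a given binary needs. Empty output if ldd is unavailable
# or the binary is statically linked.
linked_libs() {
    ldd "$1" 2>/dev/null | parse_ldd
}

# Put a binary and its libraries into the jail; prints each path copied.
populate_chroot() {
    jail=$1; bin=$2
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    copy_into_jail "$jail" "$bin"
    echo "$bin"
    for lib in $(linked_libs "$bin"); do
        copy_into_jail "$jail" "$lib"
        echo "$lib"
        # Also place the resolved target so the real file exists under its
        # canonical name (e.g. libc.so.6 -> libc-2.5.so on CentOS 5).
        real=$(readlink -f "$lib")
        [ "$real" = "$lib" ] || { copy_into_jail "$jail" "$real"; echo "$real"; }
    done
}

# Usage, as root (assumed paths):
#   populate_chroot /chroot /usr/sbin/httpd
#   populate_chroot /chroot /bin/sh          # only if scripts inside need a shell
#   chroot /chroot /usr/sbin/httpd -k start
```

Run `chroot /chroot /usr/sbin/httpd -t` before `-k start`: a missing library or config file shows up there as a clear error rather than as a silently dead server. Every extra binary copied in (a shell, an interpreter for mod_php scripts) is another tool for an intruder, so add only what the web application actually needs.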