You will also need the /etc/resolv.conf, /etc/nsswitch.conf and /etc/hosts files in your chroot jail.
[root@deep ]/# cp /etc/resolv.conf /chroot/httpd/etc/
[root@deep ]/# cp /etc/hosts /chroot/httpd/etc/
[root@deep ]/# cp /etc/nsswitch.conf /chroot/httpd/etc/
Now we must set some files in the chroot jail directory immutable for better security.
Set the immutable bit on the passwd file:
[root@deep ]/# cd /chroot/httpd/etc/
[root@deep ]/# chattr +i passwd
Set the immutable bit on the group file:
[root@deep ]/# cd /chroot/httpd/etc/
[root@deep ]/# chattr +i group
Set the immutable bit on the httpd.conf file:
[root@deep ]/# cd /chroot/httpd/etc/httpd/conf/
[root@deep ]/# chattr +i httpd.conf
Set the immutable bit on the resolv.conf file:
[root@deep ]/# cd /chroot/httpd/etc/
[root@deep ]/# chattr +i resolv.conf
Set the immutable bit on the hosts file:
[root@deep ]/# cd /chroot/httpd/etc/
[root@deep ]/# chattr +i hosts
Set the immutable bit on the nsswitch.conf file:
[root@deep ]/# cd /chroot/httpd/etc/
[root@deep ]/# chattr +i nsswitch.conf
Copy the localtime file to the jail so that log entries are adjusted for your local timezone properly:
[root@deep ]/# cp /etc/localtime /chroot/httpd/etc/
Remove unnecessary Apache files and directories:
[root@deep ]/# rm -rf /var/log/httpd/
[root@deep ]/# rm -rf /etc/httpd/
[root@deep ]/# rm -rf /home/httpd/
[root@deep ]/# rm -f /usr/sbin/httpd
We can safely remove all of the above files and directories, since they are now located under our chroot jail directory.
Normally, processes talk to syslogd through /dev/log. As a result of the chroot jail, this won't be possible, so syslogd needs to be told to listen to /chroot/httpd/dev/log.
To do this, edit the syslog startup script, vi /etc/rc.d/init.d/syslog, to specify additional places to listen. Change the line:
daemon syslogd -m 0
To read:
daemon syslogd -m 0 -a /chroot/httpd/dev/log
The default httpd script file of Apache starts the daemon httpd outside the chroot jail. We must change it so that it now starts httpd from inside the chroot jail.
Edit the httpd script file, vi /etc/rc.d/init.d/httpd, and change the line:
daemon httpd
To read:
/usr/sbin/chroot /chroot/httpd/ /usr/sbin/httpd -DSSL
Also change the line:
rm -f /var/run/httpd.pid
To read:
rm -f /chroot/httpd/var/run/httpd.pid
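As an added example that is not part of the original guide, a POSIX sh checklist for the jail built above: it reports any of the copied files that are missing, any that lack the immutable flag (read back with lsattr), and whether syslogd has created its socket inside the jail. The function and variable names are my own.

```shell
# Added example, not from the original guide: sanity-check an httpd chroot jail
# laid out as above (/chroot/httpd with etc/, etc/httpd/conf/ and dev/ inside).

# Files the procedure copies into the jail, relative to the jail root.
JAIL_REQUIRED_FILES="etc/passwd etc/group etc/resolv.conf etc/hosts
etc/nsswitch.conf etc/localtime etc/httpd/conf/httpd.conf"
# Files the procedure protects with chattr +i.
JAIL_IMMUTABLE_FILES="etc/passwd etc/group etc/resolv.conf etc/hosts
etc/nsswitch.conf etc/httpd/conf/httpd.conf"

# Print each required file absent from the jail; exit status is the number missing.
jail_missing_files() {
    jail=$1; missing=0
    for f in $JAIL_REQUIRED_FILES; do
        if [ ! -f "$jail/$f" ]; then
            echo "missing: $jail/$f"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Print each file that should carry the immutable flag but does not; exit status is
# the count.  lsattr shows the flag as an 'i' in its first (flags) column.
jail_mutable_files() {
    jail=$1; mutable=0
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr unavailable, skipped"; return 0; }
    for f in $JAIL_IMMUTABLE_FILES; do
        [ -f "$jail/$f" ] || continue
        flags=$(lsattr "$jail/$f" 2>/dev/null) || { echo "no attributes: $jail/$f"; continue; }
        case ${flags%% *} in
            *i*) ;;
            *)   echo "not immutable: $jail/$f"; mutable=$((mutable + 1)) ;;
        esac
    done
    return $mutable
}

# True once syslogd, started with -a /chroot/httpd/dev/log, has created the socket.
jail_has_log_socket() { [ -S "$1/dev/log" ]; }

# Run every check against a jail root (default /chroot/httpd); non-zero on any failure.
check_httpd_jail() {
    jail=${1:-/chroot/httpd}; rc=0
    jail_missing_files "$jail" || rc=1
    jail_mutable_files "$jail" || rc=1
    jail_has_log_socket "$jail" || { echo "no syslog socket: $jail/dev/log"; rc=1; }
    return $rc
}
```

Run `check_httpd_jail` as root after the steps above and again after restarting syslogd, since the dev/log socket only appears once syslogd is running with the -a option.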