hacked?

Rick Stevens rstevens at internap.com
Tue Apr 10 16:52:56 UTC 2007


On Tue, 2007-04-10 at 03:41 -0400, mylar wrote:
> On Mon, 2007-04-09 at 09:55 -0700, Rick Stevens wrote:
> 
> > 
> > I also like to build Apache so all the stuff it needs can be put in a
> > chroot jail, and chroot it.  Not easy, but useful.
> 
> How does one go about building or setting up this "chroot jail" ? I know
> a lot of the DNS "named" stuff runs in a chroot jail but that was
> already set up on installation. How do I set this up from scratch. Are
> there any good "howto's" or "tutorials" floating around that anyone can
> recommend ? This might be a good idea for some added security around
> here.

Well, the easiest way is to set up a completely separate partition or
filesystem (you can do it with a directory if you wish) and create a
directory tree that has all the stuff Apache may need (complete
with /etc, /usr, /usr/lib, etc. and the files required), then chroot
to that spot and run apache from there.  In my case, I have an "/apache"
tree (separate filesystem...actually a completely separate disk):

	# chroot /apache (now I'm in the fake directory tree)
	# /usr/sbin/httpd (this runs the apache in /apache/usr/sbin)
	# exit (now I'm back to the real system)

Some links on how to do it:

	http://www.faqs.org/docs/securing/chap29sec254.html
	http://penguin.triumf.ca/chroot.html

or simply google with "apache +chroot" as the search terms.  As I said,
it's not trivial since the chroot jail must contain ALL the stuff
Apache needs (php, perl, mysql, etc.) so it sucks up a bunch of disk
space.  I use the separate disk model because I just install a minimal
version of Linux on the second drive via the standard install mechanism.
"mount /dev/sdb1 /apache" and go from there.
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens at internap.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-         Microsoft Windows:  Proof that P.T. Barnum was right       -
----------------------------------------------------------------------
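An added example, not from the post or its author: a POSIX shell script that does the tedious part Rick describes, copying a binary and every shared library ldd reports into the jail tree, then checking that nothing is missing before you chroot into it. It assumes a Linux host with ldd; the /apache and /usr/sbin/httpd paths in the usage comment are the post's own placeholders, and the script name is hypothetical.

```shell
#!/bin/sh
# Populate a chroot jail with one binary plus every shared library it
# links against, then verify nothing is missing before chrooting into it.
# Assumes a Linux host with ldd; JAIL and BIN must be absolute paths.

# Copy one file into the jail at the same path, creating parent directories.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"   # follows symlinks, so the real file lands in the jail
}

# Print the absolute paths of the libraries a dynamically linked binary needs.
# ldd lines look like "libc.so.6 => /lib/.../libc.so.6 (0x...)" or
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only fields that start with "/".
list_deps() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Build the skeleton the post describes (/etc, /usr/lib, ...) and fill it
# with the binary and its libraries.
build_jail() {
    jail=$1; bin=$2
    mkdir -p "$jail/etc" "$jail/usr/lib" "$jail/usr/sbin" "$jail/tmp"
    copy_into_jail "$jail" "$bin"
    for lib in $(list_deps "$bin"); do
        copy_into_jail "$jail" "$lib"
    done
}

# Check that the binary and each library it needs exist inside the jail.
# Returns 0 when complete; otherwise prints every missing path and returns 1.
check_jail() {
    jail=$1; bin=$2; missing=0
    [ -x "$jail$bin" ] || { echo "missing binary: $jail$bin"; return 1; }
    for lib in $(list_deps "$bin"); do
        [ -e "$jail$lib" ] || { echo "missing in jail: $lib"; missing=1; }
    done
    return "$missing"
}

# Usage (hypothetical script name): ./build_jail.sh /apache /usr/sbin/httpd
# The jail only limits what the filesystem shows; httpd must still drop to an
# unprivileged user (its User/Group directives), so copy the matching
# /etc/passwd and /etc/group entries into the jail as well.
if [ $# -eq 2 ]; then
    build_jail "$1" "$2" && check_jail "$1" "$2"
fi
```

Anything loaded at runtime via dlopen (PHP modules, DB client libraries) is invisible to ldd, so after the check is clean, start the daemon inside the jail and watch its error log for files it still cannot find.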