Apache Security - Ivan Ristic [29]
Using strace, you will find that many innocent-looking binaries do a lot of work before they start. If you want to experiment, I suggest you write a simple program such as this one:
    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        puts("Hello world!");
        return 0;
    }

Compile it once with shared system support and once without it:

    # gcc helloworld.c -o helloworld.shared
    # gcc helloworld.c -o helloworld.static -static

Using strace on the static version gives the following output:

    # strace ./helloworld.static
    execve("./helloworld.static", ["./helloworld.static"], [/* 22 vars */]) = 0
    uname({sys="Linux", node="ben", ...}) = 0
    brk(0) = 0x958b000
    brk(0x95ac000) = 0x95ac000
    fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
    old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xbf51a000
    write(1, "Hello world!\n", 13Hello world!
    ) = 13
    munmap(0xbf51a000, 4096) = 0
    exit_group(13)

The strace output is ugly. Each line in the output represents a system call made from the process. It is not important at the moment what each line contains. Jailed binaries most often fail because they cannot open a file. If that happens, one of the lines near the end of the output will show the name of the file the binary attempted to access:

    open("/usr/share/locale/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory)

As an exercise, use strace on the dynamically compiled version of the program and compare the two outputs. You will see how many shared libraries are accessed even from a small program such as this one.

Using chroot to Put Apache in Jail

Now that you know the basics of using chroot to put a process in jail and you are familiar with the tools required to facilitate the process, we can take the steps required to put Apache in jail.
Start by creating a new home for Apache and move the version installed (shown in Section 2.1.4) to the new location:

    # mkdir -p /chroot/apache/usr/local
    # mv /usr/local/apache /chroot/apache/usr/local
    # ln -s /chroot/apache/usr/local/apache /usr/local/apache
    # mkdir -p /chroot/apache/var
    # mv /var/www /chroot/apache/var/
    # ln -s /chroot/apache/var/www /var/www

The symbolic link from the old location to the new one allows the web server to be used with or without being jailed as needed and allows for easy web server upgrades.

Like other programs, Apache depends on many shared libraries. The ldd tool gives their names (this ldd output comes from an Apache that has all default modules built in statically):

    # ldd /chroot/apache/usr/local/apache/bin/httpd
    libm.so.6 => /lib/tls/libm.so.6 (0x005e7000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x00623000)
    libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x00902000)
    libexpat.so.0 => /usr/lib/libexpat.so.0 (0x00930000)
    libdl.so.2 => /lib/libdl.so.2 (0x0060b000)
    libc.so.6 => /lib/tls/libc.so.6 (0x004ac000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00494000)

This is a long list; we make copies of these libraries in the jail:

    # mkdir /chroot/apache/lib
    # cp /lib/tls/libm.so.6 /chroot/apache/lib
    # cp /lib/libcrypt.so.1 /chroot/apache/lib
    # cp /usr/lib/libgdbm.so.2 /chroot/apache/lib
    # cp /usr/lib/libexpat.so.0 /chroot/apache/lib
    # cp /lib/libdl.so.2 /chroot/apache/lib
    # cp /lib/tls/libc.so.6 /chroot/apache/lib
    # cp /lib/ld-linux.so.2 /chroot/apache/lib

Putting user, group, and name resolution files in jail

Though the httpd user exists on the system (you created it as part of the installation earlier), there is nothing about this user in the jail. The jail must contain the basic user authentication facilities:

    # mkdir /chroot/apache/etc
    # cp /etc/nsswitch.conf /chroot/apache/etc/
    # cp /lib/libnss_files.so.2 /chroot/apache/lib

The jail user database needs to contain at least one
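The library-copying step above is done by hand, one cp per line of ldd output, which is easy to get wrong as the module list grows. As an added example (not from the book), the following script derives the list from ldd output, flags libraries ldd itself cannot resolve, and copies each one into the jail at its original host path so the loader finds it where it expects. The jail root and the httpd path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: automate "ldd, then cp each library".
# Assumptions: standard ldd output format; jail root such as /chroot/apache.

# Read ldd output on stdin and print one absolute library path per line.
# "libm.so.6 => /lib/tls/libm.so.6 (0x...)" yields the path after "=>";
# the loader line "/lib/ld-linux.so.2 (0x...)" yields its first field;
# entries with no path ("linux-vdso.so.1", "statically linked") are skipped.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' | sort -u
}

# Print libraries ldd reports as "not found": the jailed binary would fail
# the same way, so these have to be fixed on the host first.
ldd_unresolved() {
    grep 'not found' | awk '{ print $1 }'
}

# Copy each library path read from stdin into the jail root given as $1,
# recreating its directory so the dynamic loader finds it at the same path
# (/lib/tls/libm.so.6 lands at /chroot/apache/lib/tls/libm.so.6).
copy_into_jail() {
    jail=$1
    while IFS= read -r lib; do
        if [ ! -e "$lib" ]; then
            echo "skipping $lib: not present on host" >&2
            continue
        fi
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"   # cp follows symlinks, so the real file is copied
    done
}

# Typical use (paths are assumptions):
#   ldd /chroot/apache/usr/local/apache/bin/httpd | ldd_unresolved
#   ldd /chroot/apache/usr/local/apache/bin/httpd | ldd_paths | copy_into_jail /chroot/apache
```

Re-run the ldd step after every Apache rebuild or module change, since a newly linked library missing from the jail shows up as exactly the kind of open() failure the strace section describes.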