Apache Security - Ivan Ristic [30]
user and one group. Use the same name as before and use the identical user and group numbers inside and outside the jail. The filesystem stores user and group numbers to keep track of ownership. It is the job of the ls binary to look up the usernames in the user list and show them on the screen. If there is one user list on the system and another in the jail with different user numbers, directory listings will not make much sense.

# echo "httpd:x:500:500:Apache:/:/sbin/nologin" > /chroot/apache/etc/passwd
# echo "httpd:x:500:" > /chroot/apache/etc/group
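The paragraph above explains why the numeric IDs must agree between the host and the jail. The following check is an added example, not part of the book: it reads a passwd and a group file from each side and reports any user or group whose numeric IDs differ. The function names (passwd_ids, group_id, check_jail_ids) and the directory arguments are assumptions made here; the file formats are the standard colon-separated passwd(5) and group(5) layouts the book's echo commands produce.

```shell
#!/bin/sh
# Added example (not from the book): verify that the jailed Apache user and
# group carry the same numeric uid/gid inside and outside the jail.

# Print "uid:gid" for user $2 from the passwd-format file $1 (nothing if absent).
passwd_ids() {
    awk -F: -v user="$2" '$1 == user { print $3 ":" $4; exit }' "$1"
}

# Print the numeric gid of group $2 from the group-format file $1 (nothing if absent).
group_id() {
    awk -F: -v grp="$2" '$1 == grp { print $3; exit }' "$1"
}

# Compare host and jail entries for user $3 and group $4.
# $1 is the host's etc directory, $2 the jail's etc directory.
# Returns 0 when both sides agree, 1 (with a message on stderr) otherwise.
# Example call: check_jail_ids /etc /chroot/apache/etc httpd httpd
check_jail_ids() {
    host_etc=$1 jail_etc=$2 user=$3 grp=$4
    host_ids=$(passwd_ids "$host_etc/passwd" "$user")
    jail_ids=$(passwd_ids "$jail_etc/passwd" "$user")
    host_gid=$(group_id "$host_etc/group" "$grp")
    jail_gid=$(group_id "$jail_etc/group" "$grp")
    status=0
    if [ -z "$host_ids" ] || [ -z "$jail_ids" ]; then
        echo "user $user is missing from the host or jail passwd file" >&2
        status=1
    elif [ "$host_ids" != "$jail_ids" ]; then
        echo "uid:gid mismatch for $user: host=$host_ids jail=$jail_ids" >&2
        status=1
    fi
    if [ -z "$host_gid" ] || [ -z "$jail_gid" ]; then
        echo "group $grp is missing from the host or jail group file" >&2
        status=1
    elif [ "$host_gid" != "$jail_gid" ]; then
        echo "gid mismatch for $grp: host=$host_gid jail=$jail_gid" >&2
        status=1
    fi
    return $status
}
```

Run it after editing the jail's passwd and group files and again after any change to the host's accounts; a mismatch means files created by the jailed server will show up under the wrong name on one side or the other.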

At this point, Apache is almost ready to run and would run and serve pages happily. A few more files are needed to enable domain name resolution:

# cp /lib/libnss_dns.so.2 /chroot/apache/lib
# cp /etc/hosts /chroot/apache/etc
# cp /etc/resolv.conf /chroot/apache/etc

Finishing touches for Apache jail preparation

The walls of the jail are now up. Though the following files are not necessary, experience shows that many scripts require them. Add them now to avoid having to debug mysterious problems later.

Construct special devices after using ls to examine the existing /dev folder to learn what numbers should be used:

# mkdir /chroot/apache/dev
# mknod -m 666 /chroot/apache/dev/null c 1 3
# mknod -m 666 /chroot/apache/dev/zero c 1 5
# mknod -m 644 /chroot/apache/dev/random c 1 8

Then, add a temporary folder:

# mkdir /chroot/apache/tmp
# chmod +t /chroot/apache/tmp
# chmod 777 /chroot/apache/tmp

Finally, configure the time zone and the locale (we could have copied the whole /usr/share/locale folder but we will not because of its size):

# cp /usr/share/zoneinfo/MET /chroot/apache/etc/localtime
# mkdir -p /chroot/apache/usr/lib/locale
# set | grep LANG
LANG=en_US.UTF-8
LANGVAR=en_US.UTF-8
# cp -dpR /usr/lib/locale/en_US.utf8 /chroot/apache/usr/lib/locale

Preparing PHP to work in jail

To make PHP work in the jail, install it as normal. Then establish the list of shared libraries it requires and copy them into the jail:

# ldd /chroot/apache/usr/local/apache/libexec/libphp4.so
libcrypt.so.1 => /lib/libcrypt.so.1 (0x006ef000)
libresolv.so.2 => /lib/libresolv.so.2 (0x00b28000)
libm.so.6 => /lib/tls/libm.so.6 (0x00111000)
libdl.so.2 => /lib/libdl.so.2 (0x00472000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00f67000)
libc.so.6 => /lib/tls/libc.so.6 (0x001df000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00494000)

Some of the libraries are already in the jail, so skip them and copy the remaining ones (libresolv.so.2 and libnsl.so.1, shown in bold in the book's listing):

# cp /lib/libresolv.so.2 /chroot/apache/lib
# cp /lib/libnsl.so.1 /chroot/apache/lib

One problem you may encounter with a jailed PHP is that scripts will not be able to send email because the sendmail binary is missing. To solve this, change the PHP configuration to make it send email using the SMTP protocol (to localhost or some other SMTP server). Place the following in the php.ini configuration file:

SMTP = localhost

Preparing Perl to work in jail

To make Perl work, copy the files into the jail:

# cp -dpR /usr/lib/perl5 /chroot/apache/usr/lib
# mkdir /chroot/apache/bin
# cp /usr/bin/perl /chroot/apache/bin

Determine the missing libraries:

# ldd /chroot/apache/bin/perl
libperl.so => /usr/lib/perl5/5.8.1/i386-linux-thread-multi/CORE/libperl.so (0x0067b000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00664000)
libdl.so.2 => /lib/libdl.so.2 (0x0060b000)
libm.so.6 => /lib/tls/libm.so.6 (0x005e7000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00623000)
libutil.so.1 => /lib/libutil.so.1 (0x00868000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00652000)
libc.so.6 => /lib/tls/libc.so.6 (0x004ac000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00494000)

Then add the missing ones to the libraries already inside:

# cp /lib/libutil.so.1 /chroot/apache/lib
# cp /lib/tls/libpthread.so.0 /chroot/apache/lib
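The PHP and Perl sections above repeat the same manual procedure: run ldd, compare its output against what is already in the jail's lib directory, and copy whatever is missing. The script below is an added example, not from the book, that automates that comparison for any binary or module. It parses ldd's output, reports dependencies ldd could not resolve, and copies the absent libraries flat into the jail's lib directory, the same placement the book's cp commands use. The function names and the LDD_SAMPLE listing (constructed to mirror the book's libphp4.so output) are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): find and copy the shared libraries a
# binary needs that are not yet present in a chroot jail.

# Constructed sample of ldd output, modelled on the book's libphp4.so listing.
# Used so the parsing functions can be exercised without a real binary.
LDD_SAMPLE='	libcrypt.so.1 => /lib/libcrypt.so.1 (0x006ef000)
	libresolv.so.2 => /lib/libresolv.so.2 (0x00b28000)
	libm.so.6 => /lib/tls/libm.so.6 (0x00111000)
	libdl.so.2 => /lib/libdl.so.2 (0x00472000)
	libnsl.so.1 => /lib/libnsl.so.1 (0x00f67000)
	libc.so.6 => /lib/tls/libc.so.6 (0x001df000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00494000)
	linux-vdso.so.1 (0x00007ffd12345000)'

# Read ldd output on stdin and print one absolute library path per line.
# Lines look like "name => /path (addr)" or, for the loader, "/path (addr)".
# The kernel-provided vdso has no file and is skipped; unresolved entries
# ("name => not found") are reported on stderr because the jail would fail
# to load them no matter what is copied.
ldd_paths() {
    awk '
        $2 == "=>" && $3 == "not" { print "unresolved: " $1 > "/dev/stderr"; next }
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $1 ~ /^\//                { print $1 }
    '
}

# Read ldd output on stdin; print the host paths whose basename does not yet
# exist under $1/lib (the jail's flat lib directory, as the book uses it).
missing_in_jail() {
    jail=$1
    ldd_paths | while IFS= read -r lib; do
        [ -e "$jail/lib/$(basename "$lib")" ] || printf '%s\n' "$lib"
    done
}

# Run ldd on binary $2 and copy every missing dependency into $1/lib,
# preserving ownership and timestamps like the book's "cp -p" usage.
# Example call: copy_missing_libs /chroot/apache /chroot/apache/bin/perl
copy_missing_libs() {
    jail=$1 binary=$2
    mkdir -p "$jail/lib"
    ldd "$binary" | missing_in_jail "$jail" | while IFS= read -r lib; do
        echo "copying $lib -> $jail/lib/"
        cp -p "$lib" "$jail/lib/"
    done
}
```

Because the check is driven by ldd rather than a hand-written list, rerunning copy_missing_libs after upgrading PHP or Perl on the host picks up any newly added dependency; libraries that are already inside are left untouched, so nothing extra accumulates in the jail.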

Taking care of small jail problems

Most CGI scripts send email using the sendmail binary. That will not work in our jail since the sendmail binary isn't there. Adding the complete sendmail
