Quick and dirty apache jail

jail-whiteWhat is an "Apache Jail" and why would I want it?
Taken from first result in google: "A chroot jail is a way to isolate a process and its children from the rest of the system. It should only be used for processes that don't run as root, as root users can break out of the jail very easily."

Regarding Apache this would be useful if you were compromised to prevent an attacker from getting further into the system. Although not entirely foolproof it will just add that extra step of difficulty that an attacker would have to overcome. Preferably they should never get to this stage at-all!

Wow that sounds awesome, how do I do it?
Previously it was a nightmare to set up, requiring alternative versions of PHP, Apache plugins and modules, changing system settings and symlinks, etc.You can still find guides all over the internet with all of this crazy info.

Hopefully this tutorial will make it a lot simpler. Lets start by downloading Debian 8 (Jessie) and set it up without Apache.

OK so I'm going to presume you now have a clean Debian 8 (Jessie) ready to go.

Lets set up a basic LAMP stack.

Step one is the database, run the following and create a db user account:

apt-get -y install mariadb-server mariadb-client

Now install apache
apt-get -y install apache2

Next up, it's time for PHP
apt-get -y install php5 libapache2-mod-php5

And finally install all the PHP extensions you might need. (add and remove from this list to suit your needs)
apt-get -y install php5-mysqlnd php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

This is enough for a basic LAMP setup, you could run "service apache2 restart" and would have a working webserver and database with PHP. however that would be dull and missing the main point of this blog, it's time to get it in a jail!.

This is simpler than ever thanks to Apache 2.4 now having mod_unixd by default.

First we are going to create 2 directories (one for the PID file and another to store the website contents)

mkdir /var/www/var/run
chown -R root:root /var/www/var/run
mkdir /var/www/website

Next you need to edit the apache2.conf file to let it know the location of the jail. Simply run "nano /etc/apache2/apache2.conf" and find where "PidFile" is set, modify it to look like the following:
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
ChrootDir /var/www

Now we change the website's configuration file to match the new location where the website will reside. Simply run "nano /etc/apache2/sites-enabled/000-default.conf" and change the "DocumentRoot" to: /website

Finally run:

service apache2 restart

That is all, you should now have an Apache instance running in a chroot jail. you can test this by creating the following file "/var/www/website/test.php" containing:

<?php 
echo "contents of passwd:<br/>";
echo system('cat /etc/passwd');
?>

If all is set up correctly you should not see the contents of /etc/passwd when you visit the page in a browser (http://<ip address>/test.php).

It is worth noting that a jail isn't a great way of doing security, but it is good to know it is there, I had a specific case that required it and hence this blog post came about. You should do some research and find the most viable solution, if this is it then I'm glad I could help.

Leave a Reply