chroot noob and apache - Security


Thread: chroot noob and apache

  1. chroot noob and apache

    I'm trying to chroot apache 2 within the path /chroot.

    I've satisfied the dev, lib and bin dependencies (or at least I don't
    get any error messages about them on the console or in logs). I also
    created (physical) /chroot/etc/passwd containing one line
    (www:x:1001:1001:www:/dev/null:/bin/false) and (physical)
    /chroot/etc/group containing one line (www:x:1001:www). In httpd.conf,
    I set the User and Group directives to www.

    When I run "chroot /chroot /bin/httpd", however, I get "httpd: bad user
    name www".

    I tried adding www to (physical) /etc/passwd and group and got the same
    message. When I added root to the chrooted passwd and group files and
    "chroot /chroot"ed, ls -l returned UID and GIDs only. I've undone both
    of these changes already.

    File permissions on /chroot/etc are root root 755 and permissions on
    the files within are root root 644.

    Obviously I'm doing something wrong... but what?


  2. Re: chroot noob and apache

    On Thu, 23 Feb 2006 12:15:25 -0800, david.m.mahon wrote:

    > When I run "chroot /chroot /bin/httpd", however, I get "httpd: bad user
    > name www".


    It probably expects a "root" (or some other name) mapping to UID 0 to
    exist for the main process, something like the following in /etc/passwd:

    root:x:0:0::/:/bin/false

    > I tried adding www to (physical) /etc/passwd and group and got the same
    > message. When I added root to the chrooted passwd and group files and
    > "chroot /chroot"ed, ls -l returned UID and GIDs only.


    You'll only see names when "www" also exists in your non-chrooted
    environment. Otherwise "cp" the "ls" binary (and anything "ldd" and/or
    "strace" tells you it needs) to your chroot and execute:

    chroot /chroot /bin/ls -l

    > I've undone both of these changes already.
    >
    > File permissions on /chroot/etc are root root 755 and permissions on
    > the files within are root root 644.
    >
    > Obviously I'm doing something wrong... but what?


    I don't think so. Look at the output of: 'ps -efaxu' and/or 'pstree -aup'
    (on a non-chroot Apache) to see under which user(s) those processes run.

    HTH.

    --
    -Menno.


  3. Re: chroot noob and apache

    david.m.mahon@gmail.com wrote:

    > I'm trying to chroot apache 2 within the path /chroot.
    >
    > I've satisfied the dev, lib and bin dependencies (or at least I don't
    > get any error messages about them on the console or in logs). I also
    > created (physical) /chroot/etc/passwd containing one line
    > (www:x:1001:1001:www:/dev/null:/bin/false) and (physical)
    > /chroot/etc/group containing one line (www:x:1001:www). In httpd.conf,
    > I set the User and Group directives to www.
    >
    > When I run "chroot /chroot /bin/httpd", however, I get "httpd: bad user
    > name www".
    >


    Got an nsswitch.conf in your /chroot/etc?

    Got all the nss libs installed?

    C.

  4. Re: chroot noob and apache

    Thanks for your help. Colin, you pointed me in the right direction. I
    had nsswitch.conf and the nss_files lib, but my chrooted nsswitch.conf
    was looking for "compat" for password, group and shadow. I switched
    them to "files" and presto-chango, the chrooted filesystem works.

    Excuse me while I kick myself for overlooking the (in hindsight)
    obvious.
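As an added example (not code from the thread or from Apache), the check below covers what posts 2 to 4 converge on: httpd resolves the User and Group directives with getpwnam()/getgrnam(), glibc routes those lookups through the nsswitch.conf inside the chroot, and every source named there (compat, files, db, ...) needs its own libnss_<source>.so.2 inside the chroot, which is exactly why "compat" failed and "files" worked. The script assumes a glibc system (the libnss_*.so.2 naming), a chroot directory given as the first argument (the thread used /chroot), the User and Group names as the second and third (www), and that chroot libraries live in one of the listed lib directories. It only reads files and can run as an ordinary user.

```shell
#!/bin/sh
# Added example: verify the NSS pieces a chrooted Apache needs before it can
# map the User/Group names in httpd.conf to a UID/GID. Assumptions: glibc
# (libnss_<source>.so.2), chroot dir in $1, user in $2, group in $3, and the
# library directories listed in have_nss_lib. Read-only.

# Print the sources configured for one nsswitch.conf database, e.g. "files"
# or "compat files".  $1 = chroot dir, $2 = database (passwd, group, shadow)
nss_sources() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1/etc/nsswitch.conf" 2>/dev/null
}

# Succeed if libnss_<source>.so.2 exists in one of the chroot's lib dirs.
# $1 = chroot dir, $2 = source name (files, compat, db, ...)
have_nss_lib() {
    for d in lib lib64 usr/lib usr/lib64 \
             lib/x86_64-linux-gnu usr/lib/x86_64-linux-gnu; do
        [ -e "$1/$d/libnss_$2.so.2" ] && return 0
    done
    return 1
}

# Main check: one line per problem on stdout, return 0 only when all pass.
# $1 = chroot dir, $2 = httpd User, $3 = httpd Group
check_chroot_nss() {
    root=$1 user=$2 group=$3 rc=0
    set -f   # tokens like "[NOTFOUND=return]" must not be treated as globs
    for db in passwd group shadow; do
        srcs=$(nss_sources "$root" "$db")
        if [ -z "$srcs" ]; then
            echo "nsswitch.conf: no '$db:' line under $root/etc"
            rc=1
            continue
        fi
        for s in $srcs; do
            case $s in \[*) continue ;; esac   # action, not a source
            if ! have_nss_lib "$root" "$s"; then
                echo "$db: source '$s' listed but no libnss_$s.so.2 in $root"
                rc=1
            fi
        done
    done
    set +f
    # The names httpd will look up must exist in the chroot's own files;
    # the host's /etc/passwd is invisible once chroot(2) has happened.
    grep -q "^$user:" "$root/etc/passwd" 2>/dev/null ||
        { echo "passwd: no entry for user '$user' in $root/etc/passwd"; rc=1; }
    grep -q "^$group:" "$root/etc/group" 2>/dev/null ||
        { echo "group: no entry for group '$group' in $root/etc/group"; rc=1; }
    return $rc
}

# Usage (uncomment to run against a real tree):
# check_chroot_nss /chroot www www && echo "chroot NSS setup looks complete"
```

Run it against the tree before invoking "chroot /chroot /bin/httpd"; a "compat" source with no libnss_compat.so.2 copied in, or a missing "shadow:" line, shows up as a printed problem rather than as the opaque "bad user name" from httpd.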
