Tuesday, July 19, 2011

Apache Chrootdir

This week I was thinking of writing about the Apache web server, and the things you can do with the version supplied by the rpm package in the latest CentOS or Fedora.

Today's feature is ChrootDir, available since Apache 2.2.10, and as the manual says you will need to do some extra work to get PHP and CGI working inside the chroot. Together with mod_evasive, mod_security or mod_selinux (why is this not packaged in CentOS?) this directive helps harden web services that are directly exposed to the internet. Keep in mind what it does and does not buy you: once httpd has changed its root, a compromised worker only sees the files you put inside the jail, but a chroot is not a substitute for SELinux confinement, which is why the last part of this post is about keeping SELinux enforcing rather than switching it off.

First, check your Apache version:
[root@node1 conf]# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built:   Jul  7 2011 11:30:37


Second, edit the Apache configuration file (/etc/httpd/conf/httpd.conf on CentOS) and add the ChrootDir directive, pointing it at the directory that will become the new root, like so:
ChrootDir /srv

Now, my httpd.conf is the stock one, so DocumentRoot is /var/www/html. After the chroot every path httpd resolves at request time is relative to /srv, so that directory has to exist inside it before anything gets served. As root, create it:
mkdir -p /srv/var/www/html

To see some PHP in action with this setup, create the classic index.php with phpinfo(); inside and place it under /srv/var/www/html. That is enough to run PHP, but after some googling I found advice about modifying php.ini, in particular session.save_path. The reason is the same as for DocumentRoot: mod_php runs inside the chrooted httpd process, so the session directory (and anything else php.ini points at, such as upload_tmp_dir, which defaults to /tmp) has to exist under /srv as well, otherwise session_start() fails. So it is worth looking into more php.ini customisations before going to production.

The last thing is the SELinux config. Just disabling it would defeat my point, so what I recommend is either to run it in permissive mode while you do the configuration, or to disable it temporarily, do the config, and enable it again. To run SELinux in permissive mode edit /etc/selinux/config and reboot, or switch it off at runtime with setenforce 0 (not advisable; its only merit is that it does not survive a reboot). Older policies also had a per-service switch, setsebool httpd_disable_trans 1, but that boolean is gone from CentOS 6 and current Fedora; the replacement there is to make only the httpd domain permissive with semanage permissive -a httpd_t, and semanage permissive -d httpd_t to put it back under enforcement. Be careful with the -P flag on setsebool: it writes the boolean into the persistent policy store, so it is the opposite of temporary. To get the current status of your SELinux settings use one of the commands getenforce or sestatus; again, I do not understand why we need more than one command to do our SELinux things.

Now, as the Fedora wiki page says, the label we should apply to our web content is httpd_sys_content_t. chcon does it in one command and is the one that makes the most sense to me, as it works like chmod and chown. Note the -R: without it only /srv itself would be relabelled, and the directories below it would keep whatever context mkdir gave them.
chcon -Rv --type=httpd_sys_content_t /srv/
Two caveats. First, a chcon change lives only on the inodes: a filesystem relabel (restorecon, or a touch /.autorelabel followed by a reboot) puts the policy's default contexts back, so for a production box register the context with semanage fcontext and then run restorecon, which survives relabels. Second, httpd_sys_content_t is read-only from httpd's point of view; anything the server has to write to, such as the PHP session directory, needs a writable type like httpd_sys_rw_content_t instead.
The output will be similar to the one below, and sealert and the audit log (/var/log/audit/audit.log) should stop complaining about context errors.
changing security context of `/srv/var/www/html/index.php'
changing security context of `/srv/var/www/html'
changing security context of `/srv/var/www'
changing security context of `/srv/var'
changing security context of `/srv/'
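As an added example (not part of the original post, and not Apache's or the Fedora wiki's own tooling), here is a small bash pre-flight script that ties the steps above together: it parses ChrootDir and DocumentRoot out of httpd.conf and session.save_path out of php.ini, checks that each of those paths exists under the chroot where the chrooted httpd and mod_php will look for them, and prints the semanage/restorecon commands that make the SELinux labels persistent. The file names, the scratch directory and the config fragments in the demo are constructed for illustration; the check itself does not need root.

```bash
#!/bin/bash
# Added example, not from the original post. A pre-flight check for the
# ChrootDir setup described above: it reads ChrootDir and DocumentRoot from
# httpd.conf and session.save_path from php.ini, verifies that every path
# exists *inside* the chroot (where the chrooted httpd/mod_php will look for
# it), and prints the persistent SELinux labelling for the tree.
# Assumptions: one directive per line in the config files, and semanage
# (policycoreutils-python) plus restorecon on the target host.

# conf_value FILE DIRECTIVE: print the first value of DIRECTIVE in FILE.
# Matches case-insensitively, accepts both "Key value" (httpd.conf) and
# "key = value" (php.ini), skips # and ; comments, strips surrounding quotes.
conf_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, "[ \t=]+")
            if (n >= 2 && tolower(f[1]) == key) {
                gsub(/"/, "", f[2])
                print f[2]
                exit
            }
        }' "$1"
}

# check_chroot HTTPD_CONF PHP_INI: list each configured path with its
# location under ChrootDir. Returns 0 when all exist, 1 when any is missing,
# 2 when httpd.conf has no ChrootDir at all.
check_chroot() {
    local httpd_conf="$1" php_ini="$2"
    local root docroot sess p missing=0
    root=$(conf_value "$httpd_conf" ChrootDir)
    if [ -z "$root" ]; then
        echo "no ChrootDir directive in $httpd_conf" >&2
        return 2
    fi
    docroot=$(conf_value "$httpd_conf" DocumentRoot)
    sess=$(conf_value "$php_ini" session.save_path)
    # /tmp is checked too: PHP's upload_tmp_dir defaults to the system temp dir.
    for p in "$docroot" "$sess" /tmp; do
        [ -n "$p" ] || continue
        if [ -d "$root$p" ]; then
            echo "ok       $root$p"
        else
            echo "MISSING  $root$p   (referenced as $p)"
            missing=1
        fi
    done
    return $missing
}

# selinux_label_plan CHROOT SESSION_DIR: print the semanage/restorecon
# commands that label the whole jail as read-only web content and only the
# session directory as writable. Printed, not executed: they need root and
# an SELinux host, and you want to read them before running them.
selinux_label_plan() {
    local root="$1" sess="$2"
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$root"
    if [ -n "$sess" ]; then
        printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s%s(/.*)?"\n' "$root" "$sess"
    fi
    printf 'restorecon -Rv %s\n' "$root"
}

# demo: constructed httpd.conf/php.ini in a scratch directory; run the check
# before and after creating the tree. Run with:  bash chroot_check.sh --demo
demo() {
    local tmp conf ini
    tmp=$(mktemp -d)
    conf="$tmp/httpd.conf"; ini="$tmp/php.ini"
    printf 'ChrootDir %s/jail\nDocumentRoot "/var/www/html"\n' "$tmp" > "$conf"
    printf '; constructed php.ini fragment\nsession.save_path = "/var/lib/php/session"\n' > "$ini"
    echo "== before creating the tree =="
    check_chroot "$conf" "$ini" || echo "-> fix the MISSING entries before starting httpd"
    mkdir -p "$tmp/jail/var/www/html" "$tmp/jail/var/lib/php/session" "$tmp/jail/tmp"
    echo "== after =="
    check_chroot "$conf" "$ini" && selinux_label_plan "$tmp/jail" "$(conf_value "$ini" session.save_path)"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `bash chroot_check.sh --demo` to watch it flag the missing directories and then pass once they exist; on a real host, source the file and call `check_chroot /etc/httpd/conf/httpd.conf /etc/php.ini`. The labelling commands are printed rather than executed on purpose: semanage needs root, and an fcontext rule, unlike a chcon, survives a relabel, so you want to review it once and then run restorecon.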
