29.19. The /chroot/etc directory

You will also need the /etc/resolv.conf, /etc/nsswitch.conf and /etc/hosts files in your chroot jail:
              [root@deep ]/# cp /etc/resolv.conf /chroot/httpd/etc/
              [root@deep ]/# cp /etc/hosts /chroot/httpd/etc/
              [root@deep ]/# cp /etc/nsswitch.conf /chroot/httpd/etc/

  1. Now we must make some files in the chroot jail directory immutable for better security (the +i attribute set by chattr prevents a file from being modified, deleted or renamed, even by root, until the attribute is removed again).

    1. Set the immutable bit on the passwd file:
                    [root@deep ]/# cd /chroot/httpd/etc/
                    [root@deep ]/# chattr +i passwd

    2. Set the immutable bit on the group file:
                    [root@deep ]/# cd /chroot/httpd/etc/
                    [root@deep ]/# chattr +i group

    3. Set the immutable bit on the httpd.conf file:
                    [root@deep ]/# cd /chroot/httpd/etc/httpd/conf/
                    [root@deep ]/# chattr +i httpd.conf

    4. Set the immutable bit on the resolv.conf file:
                    [root@deep ]/# cd /chroot/httpd/etc/
                    [root@deep ]/# chattr +i resolv.conf

    5. Set the immutable bit on the hosts file:
                    [root@deep ]/# cd /chroot/httpd/etc/
                    [root@deep ]/# chattr +i hosts

    6. Set the immutable bit on the nsswitch.conf file:
                    [root@deep ]/# cd /chroot/httpd/etc/
                    [root@deep ]/# chattr +i nsswitch.conf


  2. Copy the localtime file to the jail so that log entries are adjusted for your local timezone properly:
              [root@deep ]/# cp /etc/localtime /chroot/httpd/etc/
            

  3. Remove unnecessary Apache files and directories:
              [root@deep ]/# rm -rf /var/log/httpd/
              [root@deep ]/# rm -rf /etc/httpd/
              [root@deep ]/# rm -rf /home/httpd/
              [root@deep ]/# rm -f  /usr/sbin/httpd
            
    We can safely remove all of the above files and directories since they are now located under our chroot jail directory.

  4. Normally, processes talk to syslogd through the /dev/log socket. From inside the chroot jail this socket is not reachable, so syslogd needs to be told to listen on /chroot/httpd/dev/log as well. To do this, edit the syslog startup script (vi /etc/rc.d/init.d/syslog) and change the line:
              daemon syslogd -m 0

    To read:
              daemon syslogd -m 0 -a /chroot/httpd/dev/log


  5. The default httpd script file of Apache starts the httpd daemon outside the chroot jail. We must change it so that httpd is now started from inside the chroot jail.

    1. Edit the httpd script file (vi /etc/rc.d/init.d/httpd) and change the line:
                    daemon httpd

      To read:
                    /usr/sbin/chroot /chroot/httpd/ /usr/sbin/httpd -DSSL

    2. In the same script, change the line:
                    rm -f  /var/run/httpd.pid

      To read:
                    rm -f  /chroot/httpd/var/run/httpd.pid
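A small audit script, added here as an example (it is not from the original guide), that checks whether a jail built by the steps above is in the expected state: the copied etc files are present, the files marked with chattr +i still carry the immutable flag as reported by lsattr, and the syslog and httpd init scripts contain the changed lines. It assumes the jail root /chroot/httpd and the init script paths used in this chapter; the function names are my own.

```shell
# Audit helper for the Apache chroot jail described in this chapter. Added
# example, not the guide's own code. Assumes the jail root is /chroot/httpd
# (override with $1) and the init scripts live in /etc/rc.d/init.d.

# Files the guide copies into the jail's etc directory.
JAIL_ETC_FILES="passwd group resolv.conf hosts nsswitch.conf localtime"
# Files the guide marks immutable with chattr +i (relative to the jail root).
IMMUTABLE_FILES="etc/passwd etc/group etc/resolv.conf etc/hosts etc/nsswitch.conf etc/httpd/conf/httpd.conf"

# Return 0 if every required file exists under $1/etc; report any missing one.
jail_etc_complete() {
    jail="$1"; missing=0
    for f in $JAIL_ETC_FILES; do
        [ -f "$jail/etc/$f" ] || { echo "MISSING: $jail/etc/$f"; missing=1; }
    done
    return $missing
}

# Return 0 if one line of lsattr output carries the immutable ('i') flag,
# e.g. "----i--------e-- /chroot/httpd/etc/passwd". Only the flag field is read.
lsattr_line_immutable() {
    flags=$(printf '%s\n' "$1" | cut -d' ' -f1)
    case "$flags" in *i*) return 0 ;; *) return 1 ;; esac
}

# Return 0 if the syslog init script ($1) passes "-a <jail>/dev/log" to syslogd.
syslog_listens_in_jail() { grep -qF -- "-a $2/dev/log" "$1"; }

# Return 0 if the httpd init script ($1) starts httpd through chroot into $2.
httpd_started_in_jail() { grep -F "/usr/sbin/chroot $2" "$1" | grep -qF /usr/sbin/httpd; }

# Run every check against the live system; exit status 0 means all passed.
audit_jail() {
    jail="${1:-/chroot/httpd}"; rc=0
    jail_etc_complete "$jail" || rc=1
    for f in $IMMUTABLE_FILES; do
        line=$(lsattr "$jail/$f" 2>/dev/null) || line=""
        lsattr_line_immutable "$line" || { echo "NOT IMMUTABLE: $jail/$f"; rc=1; }
    done
    syslog_listens_in_jail /etc/rc.d/init.d/syslog "$jail" || { echo "syslogd is not told to listen on $jail/dev/log"; rc=1; }
    httpd_started_in_jail /etc/rc.d/init.d/httpd "$jail" || { echo "httpd is not started via chroot into $jail"; rc=1; }
    return $rc
}

# Only audit when a jail path is given on the command line, e.g. ./audit.sh /chroot/httpd
if [ $# -gt 0 ]; then audit_jail "$1"; fi
```

The lsattr check needs a filesystem that supports file attributes (ext2/ext3 at the time of this guide) and will report any file on which the chattr step was skipped.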
                  

Published under the terms of the Open Publication License