A chroot HTTPD setup creates a separate disk root directory for the Apache and its child processes, preventing attackers or other php/perl/python scripts from accessing or naming files outside of that directory. For Apache/HTTPD, this is known as a chroot jail.

For Apache installation, create a base/root directory of your choice. The Apache chroot installation directory is /usr/chroot/apache in this article.

# mkdir /usr/chroot/apache # BASE=/usr/chroot/apache

In the Apache chroot directory /usr/chroot/apache, initialize a rpm database.

# rpm --root /usr/chroot/apache --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centos-*

Install the centos-release package to the Apache chroot directory by downloading it to /var/tmp.

# yumdownloader --destdir=/var/tmp centos-release* # rpm --root /usr/chroot/apache -ivh --nodeps /var/tmp/centos-release*

Import the GPG public key into the Apache chroot directory.

# rpm --root /usr/chroot/apache --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centos-*

Install the elfutils-libs package to /usr/chroot/apache. mod systemd.so (/usr/chroot/apache/etc/httpd/conf.modules.d/00-systemd.conf) requires this package.

# yum --installroot=/usr/chroot/apache -y install elfutils-libs

Install the coreutils package that Apache requires.

# yum --installroot=/usr/chroot/apache -y install coreutils

Copy the random and urandom files from /dev to /usr/chroot/apache/dev, which httpd uses to generate random keys.

# cp -a /dev/urandom /dev/random /usr/chroot/apache/dev

As shown below, create a modified systemd Unit file for HTTPD and save it to /etc/systemd/system/httpd.service.

# more /etc/systemd/system/httpd.service [Unit] Description=The Apache HTTP Server After=network.target remote-fs.target nss-lookup.target Documentation=man:httpd(8) Documentation=man:apachectl(8)

[Service] Type=forking EnvironmentFile=/usr/chroot/apache/etc/sysconfig/httpd ExecStart=/usr/sbin/chroot /usr/chroot/apache /usr/sbin/httpd -k start ExecReload=/usr/sbin/chroot /usr/chroot/apache /usr/sbin/httpd -k graceful ExecStop=/usr/sbin/chroot /usr/chroot/apache /usr/sbin/httpd -k stop KillSignal=SIGCONT PrivateTmp=true [Install] WantedBy=multi-user.target

Execute the following instructions to enable Apache to start automatically at boot time and then restart Apache.

# systemctl enable httpd # systemctl start httpd # systemctl status httpd

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

How to chroot HTTPD configuration & installation

Leave a Reply Cancel reply