How to chroot HTTPD configuration & installation


A chroot HTTPD setup gives Apache and its child processes a separate root directory on disk, so that an attacker, or a PHP/Perl/Python script run by the web server, cannot access or even reference files outside that directory. For Apache/HTTPD this is known as a chroot jail.

  • For Apache installation, create a base/root directory of your choice. The Apache chroot installation directory is /usr/chroot/apache in this article.

# mkdir /usr/chroot/apache
# BASE=/usr/chroot/apache

  • In the Apache chroot directory /usr/chroot/apache, initialize an rpm database. Importing the CentOS GPG key with --root creates the database under /usr/chroot/apache/var/lib/rpm.

# rpm --root /usr/chroot/apache --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centos-*

  • Download the centos-release package to /var/tmp and install it into the Apache chroot directory (with --nodeps, since the chroot has no packages yet).

# yumdownloader --destdir=/var/tmp centos-release*
# rpm --root /usr/chroot/apache -ivh --nodeps /var/tmp/centos-release*

  • Import the GPG public key into the Apache chroot directory.

# rpm --root /usr/chroot/apache --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centos-*

  • Install the elfutils-libs package to /usr/chroot/apache. mod_systemd.so, loaded by /usr/chroot/apache/etc/httpd/conf.modules.d/00-systemd.conf, requires this package.

# yum --installroot=/usr/chroot/apache -y install elfutils-libs

  • Install the coreutils package that Apache requires.

# yum --installroot=/usr/chroot/apache -y install coreutils

  • Copy the random and urandom device nodes from /dev to /usr/chroot/apache/dev (cp -a preserves the device type); httpd uses them to generate random keys.

# cp -a /dev/urandom /dev/random /usr/chroot/apache/dev

  • As shown below, create a modified systemd unit file for HTTPD that wraps httpd in chroot(8), and save it to /etc/systemd/system/httpd.service.

# more /etc/systemd/system/httpd.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)

[Service]
Type=forking
EnvironmentFile=/usr/chroot/apache/etc/sysconfig/httpd
ExecStart=/usr/sbin/chroot /usr/chroot/apache /usr/sbin/httpd -k start
ExecReload=/usr/sbin/chroot /usr/chroot/apache /usr/sbin/httpd -k graceful
ExecStop=/usr/sbin/chroot /usr/chroot/apache /usr/sbin/httpd -k stop
KillSignal=SIGCONT
PrivateTmp=true

[Install]
WantedBy=multi-user.target

  • Execute the following commands to enable Apache to start automatically at boot time, then start it and check its status.

# systemctl enable httpd
# systemctl start httpd
# systemctl status httpd
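The steps above build the jail but give no way to confirm that it is actually in effect once httpd is running. The following script is an added example, not part of the original article, that audits the result from the host: it checks that the random device nodes exist inside the chroot as character devices, that the jail contains no shell it does not need (coreutils does not ship one, but dependency resolution can pull one in), that the unit file really wraps httpd in chroot(8) and keeps PrivateTmp, and, through /proc/PID/root, that each running httpd process has the chroot directory as its root. It assumes the article's paths (/usr/chroot/apache and /etc/systemd/system/httpd.service), that the httpd package has been installed into the chroot with the same yum --installroot method (the article does not show that step), and that pidof is available on the host.

```shell
#!/bin/sh
# Post-install audit of an Apache chroot built as described in the article.
# Added example, not the article's own code. Paths default to the article's
# values; pass others as arguments: chroot_audit.sh ROOT UNITFILE

# Each check prints one line and returns 0 (pass) or 1 (fail).

# 1. httpd needs the random device nodes *inside* the jail, and they must be
#    character devices (a regular file copied by mistake would not do).
check_dev_nodes() {
    root="$1"
    for dev in random urandom; do
        if [ ! -c "$root/dev/$dev" ]; then
            echo "FAIL: $root/dev/$dev missing or not a character device"
            return 1
        fi
    done
    echo "OK: random device nodes present in $root/dev"
    return 0
}

# 2. A running process is confined only if the kernel says so:
#    /proc/PID/root is the process's root directory as the kernel sees it.
check_process_root() {
    pid="$1"; expected="$2"
    actual=$(readlink "/proc/$pid/root" 2>/dev/null) || {
        echo "FAIL: cannot read /proc/$pid/root"; return 1; }
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: pid $pid root is $actual, expected $expected"
        return 1
    fi
    echo "OK: pid $pid confined to $expected"
    return 0
}

# 3. The jail should not contain a shell it does not need; one widens what a
#    compromised httpd can execute. (CentOS links /bin to usr/bin, so both
#    locations are checked.)
check_no_shell() {
    root="$1"; found=0
    for sh_path in bin/sh bin/bash usr/bin/sh usr/bin/bash; do
        if [ -e "$root/$sh_path" ]; then
            echo "WARN: $root/$sh_path present inside the chroot"
            found=1
        fi
    done
    [ "$found" -eq 0 ] && echo "OK: no shell found in $root"
    return "$found"
}

# 4. The unit file must wrap httpd in chroot(8) and keep PrivateTmp;
#    with the stock ExecStart the service would run unconfined.
check_unit_file() {
    unit="$1"; root="$2"
    [ -r "$unit" ] || { echo "FAIL: $unit not readable"; return 1; }
    if ! grep -Eq "^ExecStart=/usr/sbin/chroot $root /usr/sbin/httpd" "$unit"; then
        echo "FAIL: ExecStart in $unit does not chroot into $root"
        return 1
    fi
    if ! grep -q '^PrivateTmp=true' "$unit"; then
        echo "FAIL: PrivateTmp=true missing from $unit"
        return 1
    fi
    echo "OK: $unit starts httpd via chroot into $root with PrivateTmp"
    return 0
}

# Run every check; returns non-zero if any of them failed. pidof is
# assumed to be present on the host (it is on CentOS 7).
audit_chroot() {
    root="${1:-/usr/chroot/apache}"
    unit="${2:-/etc/systemd/system/httpd.service}"
    rc=0
    check_dev_nodes "$root" || rc=1
    check_no_shell "$root" || rc=1
    check_unit_file "$unit" "$root" || rc=1
    for pid in $(pidof httpd 2>/dev/null); do
        check_process_root "$pid" "$root" || rc=1
    done
    return $rc
}

# Only audit when a root directory is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    audit_chroot "$@"
fi
```

Run it as root after `systemctl start httpd`, e.g. `sh chroot_audit.sh /usr/chroot/apache /etc/systemd/system/httpd.service`; the process-root check is the one that matters most, because a wrong ExecStart still starts a working but unconfined web server.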
