Securing and Optimizing Linux: RedHat Edition - A Hands on Guide

Chapter 29. Software - Network Server, web/Apache

Since we have compiled Apache to use shared libraries, we need to install them into the chroot directory structure. Use `ldd /chroot/httpd/usr/sbin/httpd` to find out which libraries are needed. The output, depending on what you've compiled with Apache, will be something similar to:
```
libpam.so.0 =>/lib/libpam.so.0 (0x40016000)
libm.so.6 =>/lib/libm.so.6 (0x4001f000)
libdl.so.2 =>/lib/libdl.so.2 (0x4003b000)
libcrypt.so.1 =>/lib/libcrypt.so.1 (0x4003e000)
libnsl.so.1 =>/lib/libnsl.so.1 (0x4006b000)
libresolv.so.2 =>/lib/libresolv.so.2 (0x40081000)
libdb.so.3 =>/lib/libdb.so.3 (0x40090000)
libc.so.6 =>/lib/libc.so.6 (0x400cb000)
/lib/ld-linux.so.2 =>/lib/ld-linux.so.2 (0x40000000)
```
Copy the shared libraries identified above:
```
[root@deep ]/# cp /lib/libpam.so.0 /chroot/httpd/lib/
[root@deep ]/# cp /lib/libm.so.6 /chroot/httpd/lib/
[root@deep ]/# cp /lib/libdl.so.2 /chroot/httpd/lib/
[root@deep ]/# cp /lib/libcrypt.so.1 /chroot/httpd/lib/
[root@deep ]/# cp /lib/libnsl* /chroot/httpd/lib/
[root@deep ]/# cp /lib/libresolv* /chroot/httpd/lib/
[root@deep ]/# cp /lib/libdb.so.3 /chroot/httpd/lib/
[root@deep ]/# cp /lib/libc.so.6 /chroot/httpd/lib/
[root@deep ]/# cp /lib/ld-linux.so.2 /chroot/httpd/lib/
```
You'll also need the following extra libraries for some network functions, like resolving:
```
[root@deep ]/# cp /lib/libnss_compat* /chroot/httpd/lib/
[root@deep ]/# cp /lib/libnss_dns* /chroot/httpd/lib/
[root@deep ]/# cp /lib/libnss_files* /chroot/httpd/lib/
```
We now need to copy the passwd and group files into the chrooted /chroot/httpd/etc directory. The concept here is the same as how ftpd uses passwd and group files. Next, we'll remove all entries from both files except the one for the user that Apache runs as.
```
[root@deep ]/# cp /etc/passwd /chroot/httpd/etc/
[root@deep ]/# cp /etc/group /chroot/httpd/etc/
```
Edit the passwd file, `vi /chroot/httpd/etc/passwd`, and delete all entries except for the user Apache runs as; in our configuration, it's www:
```
www:x:80:80::/home/www:/bin/bash
```
Edit the group file, `vi /chroot/httpd/etc/group`, and delete all entries except the group Apache runs as; in our configuration, it's www:
```
www:x:80:
```
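
A check that can be run after the copy and edit steps above, given here as an added example that is not part of the original guide: it compares `ldd` output against the chroot tree, looks for the NSS modules (which `ldd` does not list because they are loaded at run time), and reports leftover entries in the chroot passwd and group files. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a chroot tree against the steps above.
# Function names are hypothetical, not from the guide.

# Read ldd output on stdin, print the absolute library paths, one per line.
# Accepts "name => /path (addr)", "name =>/path (addr)" and "/path (addr)";
# skips lines that carry no path (linux-vdso, "not found").
ldd_paths() {
    awk '{ sub(/.*=>[ \t]*/, ""); if ($1 ~ /^\//) print $1 }'
}

# Read ldd output on stdin, print libraries absent from chroot dir $1.
missing_in_chroot() {
    ldd_paths | while IFS= read -r lib; do
        [ -e "$1$lib" ] || printf '%s\n' "$lib"
    done
}

# NSS modules are loaded at run time, so ldd never lists them.
# Print the module families named in the guide that are absent from $1/lib.
missing_nss() {
    for m in compat dns files; do
        ls "$1"/lib/libnss_"$m"* >/dev/null 2>&1 || echo "libnss_$m"
    done
}

# Print account or group names in file $1 other than the one to keep ($2).
extra_accounts() {
    awk -F: -v keep="$2" '$1 != "" && $1 != keep { print $1 }' "$1"
}

# Usage: audit_chroot /chroot/httpd /usr/sbin/httpd www
audit_chroot() {
    rc=0
    out=$( { ldd "$1$2" | missing_in_chroot "$1"; missing_nss "$1"; } )
    [ -z "$out" ] || { echo "missing from $1:"; echo "$out"; rc=1; }
    for f in passwd group; do
        out=$(extra_accounts "$1/etc/$f" "$3")
        [ -z "$out" ] || { echo "extra entries in $1/etc/$f:" $out; rc=1; }
    done
    return "$rc"
}

if [ "$#" -eq 3 ]; then audit_chroot "$@"; fi
```

Saved as a script and run as root with the chroot directory, the binary path inside it and the account name as arguments, it exits non-zero when a library is missing or an extra account remains.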