I am trying to chroot the apache-ssl process (from the apache-ssl package) version 1.3.26 using Debian Woody as the environment.

But when I execute:
chroot /chroot/apache-ssl /usr/sbin/apache-ssl
I get the following error:
apache-ssl: bad user name www-data

Which is something I didn't expect.
My chroot directory is /chroot/apache-ssl/
and there exists a /chroot/apache-ssl/etc/passwd file that has both a www-data entry and a nobody entry.
Like so:
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
Which I thought would be sufficient to avoid a problem like this.
But just to make sure, there are also passwd-, group, group-, gshadow, gshadow-, shadow, and shadow- files that have a similar reduced number of entries.

Is there something I am missing?

Thanks,
Jason



I am including my log of steps taken during the chroot process. If you want more information please contact me. Thanks for any help or insight you can provide.

apache-ssl:

    apt-get install apache-ssl
Country: US
State: Minnesota
Locality: Minneapolis
Organization: [censored]
Unit: Web Services
Server Name: [censored]
Email: [censored]
Set ServerName in /etc/apache-ssl/httpd.conf
Disable all but the following modules:
    LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config_ssl.so
    LoadModule mime_module /usr/lib/apache/1.3/mod_mime_ssl.so
    LoadModule negotiation_module /usr/lib/apache/1.3/mod_negotiation.so
    LoadModule status_module /usr/lib/apache/1.3/mod_status.so
    LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so
    LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
    LoadModule access_module /usr/lib/apache/1.3/mod_access.so
    LoadModule auth_module /usr/lib/apache/1.3/mod_auth_ssl.so
    LoadModule apache_ssl_module /usr/lib/apache/1.3/libssl.so
Set ServerSignature to Off.
Disable Icon Alias and ScriptAlias
CHRoot Server:
    mkdir /chroot/apache-ssl
    mkdir dev
    mkdir etc
    mkdir var
    mkdir lib
    mkdir var/run
    mkdir -p usr/lib
    mkdir usr/lib/apache-ssl
    mkdir usr/lib/apache-ssl/1.3
    mkdir -p usr/libexec
    mkdir -p var/www
    mkdir -p var/log/apache-ssl
    mkdir -p etc/apache-ssl
    mkdir -p usr/sbin
    ls -al /dev/null
    mknod /chroot/apache-ssl/dev/null c 1 3 (1 3 from major/minor from ls -al)
    chown root:sys /chroot/apache-ssl/dev/null
    chmod 666 /chroot/apache-ssl/dev/null
Change /etc/init.d/sysklogd
    SYSLOGD="-r -a /chroot/apache-ssl/dev/log"
We need the following binaries:
    cp /usr/sbin/apache-ssl /chroot/apache-ssl/usr/sbin/
    cp /usr/lib/apache-ssl/suexec /chroot/apache-ssl/usr/lib/apache-ssl/suexec
We need the following libraries:
    cp /lib/libm.so.6 /chroot/apache-ssl/lib/libm.so.6
    cp /lib/libcrypt.so.1 /chroot/apache-ssl/lib/
    cp /lib/libdb.so.2 /chroot/apache-ssl/lib/
    cp /lib/libdb2.so.2 /chroot/apache-ssl/lib/
    cp /usr/lib/libexpat.so.1 /chroot/apache-ssl/usr/lib/
    cp /lib/libd1.so.2 /chroot/apache-ssl/lib/
    cp /lib/libdl.so.2 /chroot/apache-ssl/lib/
    cp /usr/lib/libssl.so.0.9.6 /chroot/apache-ssl/usr/lib/
    cp /usr/lib/libcrypto.so.0.9.6 /chroot/apache-ssl/usr/lib/
    cp /lib/libc.so.6 /chroot/apache-ssl/lib/
    cp /lib/ld-linux.so.2 /chroot/apache-ssl/lib/
    cp /lib/ld-2.2.5.so /chroot/apache-ssl/lib/
    cp /usr/lib/apache/1.3/mod_log_config_ssl.so /chroot/apache-ssl/usr/lib/apache/1.3/
    cp /usr/lib/apache/1.3/mod_mime_ssl.so /chroot/apache-ssl/usr/lib/apache/1.3/
    cp /usr/lib/apache/1.3/mod_negotiation.so /chroot/apache-ssl/usr/lib/apache/1.3/
    cp /usr/lib/apache/1.3/mod_status.so /chroot/apache-ssl/usr/lib/apache/1.3/
    cp /usr/lib/apache/1.3/mod_dir.so /chroot/apache-ssl/usr/lib/apache/1.3/
    cp /usr/lib/apache/1.3/mod_userdir.so /chroot/apache-ssl/usr/lib/apache/1.3/
    cp /usr/lib/apache/1.3/mod_access.so /chroot/apache-ssl/usr/lib/apache/1.3/
    cp /usr/lib/apache/1.3/mod_auth_ssl.so /chroot/apache-ssl/usr/lib/apache/1.3/
    cp /usr/lib/apache/1.3/libssl.so /chroot/apache-ssl/usr/lib/apache/1.3/
    cp /lib/libnss_compat-2.2.5.so /chroot/apache-ssl/lib/
    cp /lib/libnsl-2.2.5.so /chroot/apache-ssl/lib/
We need the following files:
    cp /etc/hosts /chroot/apache-ssl/etc/
    cp /etc/host.conf /chroot/apache-ssl/etc/
    cp /etc/resolv.conf /chroot/apache-ssl/etc/
    cp /etc/group /chroot/apache-ssl/etc/
    cp /etc/group- /chroot/apache-ssl/etc/
    cp /etc/gshadow /chroot/apache-ssl/etc/
    cp /etc/gshadow- /chroot/apache-ssl/etc/
    cp /etc/passwd /chroot/apache-ssl/etc/
    cp /etc/passwd- /chroot/apache-ssl/etc/
    cp /etc/shadow /chroot/apache-ssl/etc/
    cp /etc/shadow- /chroot/apache-ssl/etc/
    cp /etc/apache-ssl/mime.types /chroot/apache-ssl/etc/apache-ssl/
    cp /etc/apache-ssl/httpd.conf /chroot/apache-ssl/etc/apache-ssl/
echo "working..." > /chroot/apache-ssl/var/www/index.html
Remove all but www-data and nobody from passwd, shadow, and group
start chrooted server:
    chroot /chroot/apache-ssl /usr/sbin/apache-ssl

Replace in /etc/logrotate.d/apache-ssl /var/log/apache-ssl/*.log with /var/chroot/apache-ssl/var/log/apache-ssl/*.log
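
Added example, not part of the original message: a check one could run against a chroot tree like the one in the log above. glibc turns a user name into a uid through NSS modules that it loads at run time by soname (`libnss_<service>.so.2`), so `ldd` on the daemon binary does not list them. The function names and the sample tree are constructed; the fallback to `compat` when the tree has no `etc/nsswitch.conf` is an assumption based on the Debian default.

```shell
#!/bin/sh
# Added example: audit a chroot tree for the files glibc needs to resolve
# a user name. NSS modules are dlopen()ed by soname, not by file name.

# nss_services ROOT DB -> services configured for DB ("passwd", "group")
nss_services() {
    conf="$1/etc/nsswitch.conf"
    if [ -f "$conf" ]; then
        # strip comments and [NOTFOUND=return]-style actions
        sed -n "s/^$2:[[:space:]]*//p" "$conf" | sed 's/#.*//; s/\[[^]]*\]//g'
    else
        # Assumption: no nsswitch.conf in the tree, check the Debian
        # default service "compat".
        echo "compat"
    fi
}

# check_chroot_nss ROOT USER -> prints each problem, returns the count
check_chroot_nss() {
    root=$1 user=$2 problems=0
    [ -f "$root/etc/nsswitch.conf" ] || echo "note: no etc/nsswitch.conf, assuming compat"
    for db in passwd group; do
        for svc in $(nss_services "$root" "$db"); do
            so="libnss_$svc.so.2"
            if [ ! -e "$root/lib/$so" ] && [ ! -e "$root/usr/lib/$so" ]; then
                echo "missing: $so ($db: $svc)"
                problems=$((problems + 1))
            fi
        done
    done
    if ! grep -q "^$user:" "$root/etc/passwd" 2>/dev/null; then
        echo "missing: $user entry in etc/passwd"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample tree: the module exists only under its versioned
# file name, without the soname link the loader asks for.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/lib"
echo 'www-data:x:33:33:www-data:/var/www:/bin/sh' > "$demo/etc/passwd"
: > "$demo/lib/libnss_compat-2.2.5.so"
check_chroot_nss "$demo" www-data || echo "problems: $?"
rm -rf "$demo"
```
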
