Re: [mod-security-users] questions about chrooting
From: Ivan R. <iv...@we...> - 2004-10-31 11:10:46
posorio7 wrote:
> Hello, I'm having a hell of a time trying to get apache to run in jail
> using mod_security. Using Fedora Core 1, Apache 1.3.32, mod_security
> 1.8.5, and mod_ssl.
>
> First of all, what should the chroot path be exactly? Should it be
> under the users (/home) or elsewhere? What directories, if any, do I
> need to create there, and do I need to chmod anything?
We can't give you a definite answer. You can use anything as the
chroot path as long as you configure everything else properly.
Below is a step-by-step guide that worked for me.
-----------------------------------------------
1. Installed Apache + mod_ssl to /usr/local/apache
2. Made sure it works
3. Downloaded mod_security from the web site and
did: /usr/local/apache/bin/apxs -cia mod_security.c
4. /usr/local/apache/bin/apachectl stop
5. Changed the module order, as per the manual. It now
looks like this:
--
ClearModuleList
AddModule mod_security.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_so.c
AddModule mod_setenvif.c
AddModule mod_ssl.c
--
6. mkdir -p /chroot/apache/usr/local
7. mv /usr/local/apache /chroot/apache/usr/local
8. cd /usr/local; ln -s /chroot/apache/usr/local/apache
9. Configured mod_security with:
SecChrootDir /chroot/apache
10. /usr/local/apache/bin/apachectl startssl
It works! :)
-----------------------------------------------
> Next is with mod_ssl.
> I get this error many times (several times per second actually) when
> restarting with the chroot enabled:
>
> [error] mod_ssl: Child could not open SSLMutex lockfile
> /usr/local/apache/logs/ssl_mutex.15168 (System error follows)
> [error] System: No such file or directory (errno: 2)
The path /usr/local/apache/logs/ does not exist in the jail. E.g.,
if your chroot path is /chroot, you need to make sure
/chroot/usr/local/apache/logs exists.
You also need to take care of the module ordering (if you haven't
done that already) as documented in the manual.
--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
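The failure in the thread is a path that httpd.conf still references (the SSLMutex lockfile directory) but that was never created inside the SecChrootDir jail. The script below is an added example, not part of the original mail or of ModSecurity: it scans an Apache 1.3 httpd.conf for the file and directory directives listed in the awk pattern and reports every one whose location is missing under the jail. The directive list, the jail layout and the sample httpd.conf are constructed here for the demonstration.

```shell
# Report absolute paths named in httpd.conf that do not exist inside the jail.
# $1 = jail root (the SecChrootDir value), $2 = httpd.conf to scan.
jail_missing_paths() {
    jail=$1
    conf=$2
    tab=$(printf '\t')
    # Directives whose argument Apache opens at runtime after chroot(). The
    # directive list is an assumption for this example; extend it as needed.
    awk '
        $1 ~ /^(ErrorLog|CustomLog|TransferLog|PidFile|LockFile|ScoreBoardFile|DocumentRoot|TypesConfig|SSLMutex|SSLLog|SSLCertificateFile|SSLCertificateKeyFile)$/ {
            p = $2
            sub(/^file:/, "", p)          # mod_ssl writes "SSLMutex file:/path"
            if (p ~ /^\//) print $1 "\t" p
        }' "$conf" |
    while IFS=$tab read -r directive path; do
        case $directive in
            DocumentRoot) target=$jail$path ;;              # must be a directory
            *)            target=$jail$(dirname "$path") ;; # file: its directory must exist
        esac
        [ -d "$target" ] || printf '%s %s (needs %s)\n' "$directive" "$path" "$target"
    done
}

# Constructed scenario mirroring the guide above: the apache tree was moved
# into the jail, but its logs/ directory (home of the SSLMutex lockfile,
# error_log and access_log) was never created there.
demo_chroot_check() {
    work=$(mktemp -d)
    jail=$work/chroot/apache
    mkdir -p "$jail/usr/local/apache/conf" "$jail/usr/local/apache/htdocs"
    cat > "$work/httpd.conf" <<'EOF'
# constructed sample httpd.conf
ServerRoot /usr/local/apache
DocumentRoot /usr/local/apache/htdocs
ErrorLog /usr/local/apache/logs/error_log
CustomLog /usr/local/apache/logs/access_log combined
TypesConfig /usr/local/apache/conf/mime.types
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SecChrootDir /chroot/apache
EOF
    jail_missing_paths "$jail" "$work/httpd.conf"
    rm -rf "$work"
}
```

Run `jail_missing_paths /chroot/apache /usr/local/apache/conf/httpd.conf` before starting the server; each reported directory is one you need to create inside the jail (with the same ownership and mode as the original) before apachectl startssl will succeed.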