faqts : Computers : Programming : Languages : PHP : Database Backed Sites : MySQL

+ Search
 Add Entry AlertManage Folder Edit Entry Add page to http://del.icio.us/
Did You Find This Entry Useful?

28 of 38 people (74%) answered Yes
Recently 5 of 10 people (50%) answered Yes

Entry

How can I run Apache and PHP in a chroot environment?
Can I connect to MySQL when running in a chroot environment?

Jul 6th, 1999 20:37
Nathan Wallace, Kim Shrier
 


It is fairly easy to get Apache with PHP running in a chrooted
environment. I give the chrooted web server its own IP address, that
way, the Apache server can be bound to its own address and only serve
those requests. You will need to copy all the Apache files into the
chrooted area as well as any dynamic libraries you might need.  Once
Apache is running chrooted, it doesn't know about the real file system
anymore so all the directives in httpd.conf which specify file names
have to be relative to the new root.

As far as connecting to mysql is concerned, you just connect to it in
the normal way by specifying the IP address of the mysql server.

For example, I use a setup similar to this:

        new root:       /var/virtual
        Apache files:   /var/virtual/usr/local/apache
        Apache config:  /var/virtual/usr/local/apache/conf/httpd.conf
        Apache daemon:  /var/virtual/usr/local/apache/libexec/httpd
        dynamic libs:   /var/virtual/usr/lib
        sendmail:       /var/virtual/usr/sbin/sendmail
        document root:  /var/virtual/var/www/htdocs
        cgi-bin:        /var/virtual/var/www/cgi-bin
        php files:      /var/virtual/var/www/php
        icons:          /var/virtual/var/www/icons

If you are going to be using the exec, system, passthru, or mail
functions, you will need a shell in the chrooted area:

        shell:          /var/virtual/bin/sh

You will need some files in /etc like resolv.conf, protocols, and
localtime so that your chrooted programs will know how to look up domain
names and know what time it is.  You will also need a password file and
group file, and I strongly recommend that all the password fields be set
to "*" to prevent people from being able to log in to the chrooted
environment. Also, I recommend that you take everything out of the
passwd file you don't need so that it only has entries for root, bin,
daemon, ftp, nobody, and any other users that you need.  If you will be
using sendmail, you will need a sendmail.cf file in /etc as well.  So
your chrooted /etc will have:

        /var/virtual/etc/group
        /var/virtual/etc/localtime
        /var/virtual/etc/passwd
        /var/virtual/etc/protocols
        /var/virtual/etc/resolv.conf
        /var/virtual/etc/sendmail.cf
        /var/virtual/etc/services

So, assuming that you have apache compiled to know where his
configuration file is (/usr/local/apache/conf/httdp.conf), you can start
up the server with the following command:

        chroot /var/virtual /usr/local/apache/libexec/httpd
        

For uploading files, use the chroot capability that is built into your
FTP server.  I usually set up special users that don't have real shells
so they cannot telnet into the server.  I also specify their home
directory to be /var/virtual/var/www/htdocs.  The FTP daemon will chroot
them to their home directory so that they can only get access to the
web pages.  If you trust these users and they need to be able to
upload cgi's or php scripts then you would set their home directory to
/var/virtual/var/www.  However, since FTP passwords go across the net
in clear text, you are vulnerable to sniffers.