This article begins a series of posts that aim to build a very SECURE but also easy-to-manage web server on a Linux box. I start from a default Debian 6.0 Stable installation and move on to configuring various parts of the system.
We start from:
APACHE - PUTTING IT IN CHROOT JAIL
# compile apache2 (run from the unpacked source directory)
#   --prefix=/usr/local/apache  install everything under a single directory, which
#                               is moved into the chroot as one unit further down
#   --disable-userdir           build without mod_userdir (per-user ~user directories)
#   --disable-include           build without mod_include (server-side includes)
./configure --prefix=/usr/local/apache --disable-userdir --disable-include
make
make install
# build the skeleton of the new root environment: -p creates /srv/chroot/apache
# and the usr/local directory below it in a single call
mkdir -p /srv/chroot/apache/usr/local
# relocate the built and installed apache tree into the new environment
mv /usr/local/apache /srv/chroot/apache/usr/local
# leave a symlink at the old installation prefix so that later updates
# installed to /usr/local/apache end up inside the jail
ln -s /srv/chroot/apache/usr/local/apache /usr/local/apache
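# satisfy all of apache's library dependencies by copying them to the new /lib directory
mkdir -p /srv/chroot/apache/lib
# list the shared libraries httpd is linked against; the binary now lives under
# /srv/chroot/apache (the jail root used everywhere else), not /chroot/apache
ldd /srv/chroot/apache/usr/local/apache/bin/httpd
# manual step: copy every library path printed above into /srv/chroot/apache/lib
# NOTE(review): the dynamic loader (the ldd line that shows only an absolute path)
# is looked up by that absolute path, so inside the jail it has to sit at the
# same location - confirm against the ldd output on your architecture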
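# copy strace (and its dependencies) for debugging purposes.
# A tracing tool inside the jail is also available to anything that compromises
# the web server, so delete /srv/chroot/apache/bin/strace (and libraries only it
# needs) before going to production.
mkdir -p /srv/chroot/apache/bin
# resolve the binary once with the shell builtin; the && chain skips the copy
# when strace is not installed instead of calling cp with a missing argument
strace_bin=$(command -v strace) &&
  cp -- "$strace_bin" /srv/chroot/apache/bin &&
  ldd "$strace_bin"
# manual step: copy the libraries listed above into /srv/chroot/apache/lib as well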
# first launch (with strace); something will probably still be missing.
# chroot switches the root to /srv/chroot/apache first, so /bin/strace and
# /usr/local/apache/bin/httpd are both resolved inside the jail. In the trace,
# look for failed file lookups (ENOENT) to see what still has to be copied in.
chroot /srv/chroot/apache /bin/strace /usr/local/apache/bin/httpd
# name resolution inside the jail
mkdir -p /srv/chroot/apache/etc
# resolver configuration files; after copying, make sure that in nsswitch.conf
# access to passwd is set to 'files'
for conf in nsswitch.conf hosts resolv.conf; do
  cp "/etc/$conf" /srv/chroot/apache/etc/
done
# NSS plug-ins: libnss_files for the local files, libnss_dns for dns name resolution
for nss_lib in libnss_files.so.2 libnss_dns.so.2; do
  cp "/lib/$nss_lib" /srv/chroot/apache/lib
done
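# create the special devices which apache uses (character devices, major number 1)
mkdir -p /srv/chroot/apache/dev
# all three nodes must live under /srv/chroot/apache/dev, the jail's /dev;
# nodes created under /chroot/apache would be invisible to the jailed httpd
mknod -m 666 /srv/chroot/apache/dev/null c 1 3
mknod -m 666 /srv/chroot/apache/dev/zero c 1 5
# random is read-only for everyone except root (mode 644)
mknod -m 644 /srv/chroot/apache/dev/random c 1 8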
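# create /tmp directory: world-writable, with the sticky bit set so that users
# can only delete or rename their own files
mkdir -p /srv/chroot/apache/tmp
# set permissions and sticky bit in one step (mode 1777); running "chmod 777"
# after "chmod +t" resets the sticky bit and leaves /tmp open to tampering
chmod 1777 /srv/chroot/apache/tmp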
# minimal /etc/passwd and /etc/group for the jail: a single www-data entry
# (uid 33, gid 33) with "/" as home directory and a nologin shell
printf '%s\n' 'www-data:x:33:33:Apache:/:/sbin/nologin' > /srv/chroot/apache/etc/passwd
printf '%s\n' 'www-data:x:33:' > /srv/chroot/apache/etc/group
# lay out the /var/www tree of the new environment (in the jail) for test-site
mkdir -p /srv/chroot/apache/var/www
cd /srv/chroot/apache/var/www
# one sub-directory per purpose below test-site/
for sub in bin cgi-bin data htdocs logs; do
  mkdir -p "test-site/$sub"
done
# make the jailed tree reachable at the usual host path, for easier updates of
# future web applications (assumes /var/www does not exist on the host yet;
# otherwise ln places the link inside that directory)
ln -s /srv/chroot/apache/var/www /var/www
# second launch, this time without strace; httpd should start now. If it does
# not, run it under strace again (as in the first launch) to find out why.
# The httpd path is resolved inside the jail rooted at /srv/chroot/apache.
chroot /srv/chroot/apache /usr/local/apache/bin/httpd
APACHE - PRELIMINARY HARDENING
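# proper file & directory privileges
# chown the real tree: /usr/local/apache is only a symlink into the jail, and a
# recursive chown does not traverse symbolic links by default (-P), so pointing
# it at the link would leave the files themselves untouched
chown -R root:root /srv/chroot/apache/usr/local/apache
# directories: rwxr-xr-x; the separate g-s pass is needed because chmod 755
# keeps an existing setgid bit on directories.
# -exec ... {} + hands the names to chmod directly, so paths containing spaces
# or newlines are not split the way "find | xargs" would split them
find /srv/chroot/apache/usr/local/apache -type d -exec chmod 755 {} +
find /srv/chroot/apache/usr/local/apache -type d -exec chmod g-s {} +
# regular files: rw-r--r-- (nothing executable outside bin/)
find /srv/chroot/apache/usr/local/apache -type f -exec chmod 644 {} +
# binaries: executable by root only, readable by everyone else
find /srv/chroot/apache/usr/local/apache/bin -type f -exec chmod 744 {} +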
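# configuration and logs can be read only by root: strip the read bit for group
# and others (execute/search bits are left as they are)
chmod -R go-r /srv/chroot/apache/usr/local/apache/conf
# the site directory created earlier is test-site (not site-test), so this is
# the path where the logs directory actually exists
chmod -R go-r /srv/chroot/apache/var/www/test-site/logs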