(sidebar: It would be nice to have the chroot option for apache that OpenBSD does, if that's possible, and hence why I filed this as an enhancement. I think grsec might be giving me issues with this, but more on that later in this bug report.)

I've created the chroot jail for apache, and modified the startup script to run apache as a chrooted daemon, but I get an error:

18077 chdir("/home/httpd/chroot") = 0
18077 chroot("/home/httpd/chroot") = 0
18077 execve("/usr/sbin/apache", ["/usr/sbin/apache", "-D", "SSL", "-D", "PHP4"], [/* 39 vars */]) = -1 EACCES (Permission denied)

(Note that /home/httpd/chroot is on /home, and /home is mounted exec.)

Running the binary directly, I don't get an error:

1567 execve("./apache", ["./apache"], [/* 40 vars */]) = 0
1567 uname({sys="Linux", node="fedora", ...}) = 0

Here is the line I changed in /etc/init.d/apache:

start() {
	ebegin "Starting apache"
	start-stop-daemon -o --quiet --start --startas /usr/sbin/apache \
		-r /home/httpd/chroot \
		--pidfile /var/log/apache/pid -- ${APACHE_OPTS}
	eend $?
#		--pidfile /var/run/apache.pid -- ${APACHE_OPTS}
}

And the directory structure:

# ls
dev  etc  home  lib  usr  var
bash-2.05b# ls dev etc lib usr/sbin/ usr/lib
dev:
null

etc:
apache  group  nsswitch.conf  passwd  php4  resolv.conf

lib:
ld-linux.so.2  libcrypt.so.1  libm.so.6  libpthread.so.0  libc.so.6  libdl.so.2  libnsl.so.1  libresolv.so.2

usr/lib:
apache  libcrypt.so.1  libjpeg.so.62  libmysqlclient.so.10  libttf.so.2  apache-extramodules  libcrypto.so.0.9.6  libltdl.so.3  libpdf.so.1  libxml2.so.2  libX11.so.6  libdb-3.2.so  libmcrypt.so.4  libpng.so.3  libz.so.1  libXpm.so.4  libexpat.so.0  libmhash.so.2  libssl.so.0.9.6  libbz2.so.1.0  libgdbm.so.2  libmm.so.12  libt1.so.1

usr/sbin/:
apache

Note that I'm using mount -o bind for the actual apache stuff (this is what I usually do on Solaris, except it's mount -F lofs -o blahblah):

/etc/apache on /home/httpd/chroot/etc/apache type none (ro,bind)
/etc/php4 on /home/httpd/chroot/etc/php4 type none (ro,bind)
/home/httpd/htdocs on /home/httpd/chroot/home/httpd/htdocs type none (ro,bind)
/usr/lib/apache-extramodules on /home/httpd/chroot/usr/lib/apache-extramodules type none (ro,bind)
/usr/lib/apache on /home/httpd/chroot/usr/lib/apache type none (ro,bind)
/var/cache/apache-mm on /home/httpd/chroot/var/cache/apache-mm type none (rw,bind)
/var/log/apache on /home/httpd/chroot/var/log/apache type none (rw,bind)
/var/log/php4 on /home/httpd/chroot/var/log/php4 type none (rw,bind)

And grsec's chroot protections are all *on* but *none* relate to preventing execve inside a chroot (apparently how -r works in /etc/init.d/apache, hence why I'm hoping that adding chroot to apache as an option could solve the problem, since it would chroot *after* it execs):

[*] Chroot jail restrictions
  [*] Deny mounts
  [*] Deny double-chroots
  [*] Deny pivot_root in chroot
  [*] Enforce chdir("/") on all chroots
  [*] Deny (f)chmod +s
  [*] Deny fchdir out of chroot
  [*] Deny mknod
  [*] Deny shmat() out of chroot
  [*] Deny access to abstract AF_UNIX sockets out of chroot
  [*] Protect outside processes
  [*] Restrict priority changes
  [*] Deny sysctl writes in chroot
  [*] Capability restrictions within chroot
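The report above shows a jail whose execve fails with EACCES before grsec is even in the picture. The following POSIX sh helpers are an added example, not code from the bug report or from the Gentoo apache ebuild; they do the two checks a practitioner runs on a jail before pointing start-stop-daemon -r at it: confirm every shared object the host binary needs (as listed by ldd) is present under the jail root, and look up the mount options that apply to the jail path so a noexec mount is caught. The distinction matters for reading strace output: execve(2) returns EACCES for a noexec filesystem or a missing execute bit, but ENOENT when the ELF interpreter (ld-linux.so.2) or a library is absent from the jail. The jail path /home/httpd/chroot comes from the report; the binary path and all sample ldd and /proc/mounts lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-flight checks for a chroot jail
# handed to start-stop-daemon -r. Paths other than /home/httpd/chroot are
# assumptions; the sample data fed to these functions is constructed.

# Turn ldd output (stdin) into the absolute library paths it names.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib/ld-linux.so.2 (0x...)"; skips "linux-gate.so.1 => (0x...)", which has
# no file behind it.
parse_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                { print $1 }'
}

# Print each library path read from stdin that is not present under the jail
# root given as $1. Exit status 1 if anything is missing. A missing loader or
# library makes execve fail with ENOENT, not the EACCES seen in the report.
missing_in_jail() {
    jail=$1
    rc=0
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        if [ ! -e "$jail$lib" ]; then
            printf 'missing: %s\n' "$jail$lib"
            rc=1
        fi
    done
    return $rc
}

# Given /proc/mounts-style lines on stdin and a path in $1, print the options
# of the mount whose mount point is the longest prefix of that path. noexec
# here (or a missing x bit on the binary) is what yields EACCES on execve.
mount_opts_for() {
    path=$1
    awk -v p="$path" '
        BEGIN { best = 0; opts = "" }
        {
            mp = $2
            # "/" matches everything; otherwise the path must equal the mount
            # point or continue with "/" right after it.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# Print 1 if a comma-separated option list contains noexec, else 0.
has_noexec() {
    case ",$1," in
        *,noexec,*) echo 1 ;;
        *)          echo 0 ;;
    esac
}

# Live check: host binary $2 must be executable inside jail $1, its libraries
# (resolved on the host with ldd) must exist under the jail, and the jail's
# filesystem must not be mounted noexec.
check_jail() {
    jail=$1 bin=$2
    [ -x "$jail$bin" ] || { printf 'not executable: %s\n' "$jail$bin"; return 1; }
    ldd "$bin" 2>/dev/null | parse_ldd | missing_in_jail "$jail" || return 1
    opts=$(mount_opts_for "$jail" < /proc/mounts)
    [ "$(has_noexec "$opts")" = 0 ] || { printf 'noexec mount: %s\n' "$opts"; return 1; }
    echo "jail looks usable: $jail"
}

# Usage on the reporter's layout (paths assumed):
#   check_jail /home/httpd/chroot /usr/sbin/apache
```

Run check_jail as root on the host, not inside the jail, so that ldd resolves against the host libraries that the jail is supposed to mirror. If it reports nothing missing and no noexec, and execve still fails with EACCES, the remaining suspects are the permissions on the binary and its directories as seen from inside the jail, which is where a grsec chroot policy would be the next thing to rule out.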
umm, this is bugs.gentoo.org, not free-technical-support.gentoo.org. The apache ebuild doesn't support chroot'ing the daemon on its own. If you want to do that, then set it up yourself, and debug it yourself.
I'm fine with the apache daemon not supporting chrooting --- I'm saying it would be a worthwhile feature add. Further, the problem still remains: when running with grsec, which doesn't affect exec functionality, the -r option of the start-stop-daemon binary doesn't work --- or at least it doesn't work for me. Is it supposed to work? What I show below represents me trying to make it work, and saying, yo, it's a bug; is it something that is worth fixing, or am I missing something obvious here?