Running Apache in Jail

[sukishan]

Running Apache in Jail
Many system administrators hesitate to carry out Chroot jails. Indeed, this can be a formidable task, particularly if you also have to jail a database and several scripting languages. Mobily explains the task in his book, including the details of getting Perl and PHP to work with Apache in jail.

Chroot jails create a quasi-root sector on a server, so, if they're compromised, the compromising attacker is exclusively jailed within a subset of directories and not the true root file system. This is due to the program's inclusion of a command shell, "believing '/', which refers to that particular sector of the file system -- not the true server root.

The challenge lies in getting all of the required library files in place in the jail, which is necessary even to run a simple bash shell. Mobily makes the process less painful with his coverage here.

"You may think it's weird to have a server where most of the files are in a 'cage'," Mobily commented. "People might wonder: what difference does it make? Why bother with the cage at all? Well, the point is that even though all the information in the cage may be compromised, you can still be fairly sure that the server itself hasn't been modified, doesn't contain a nasty root kit, and so on (not through Apache anyway)."

"If you realize that you were cracked, you can simply explode a tar file from backup (possibly a very big one!) with the content of the whole chroot jail (of course, you'd be creating a daily copy of this file), and then analyze your log files to find out who made the attack and how. The equivalent, at server level, is a complete reinstallation -- which is a much more painful and time-consuming process!"