Is it advisable to run Apache in a chroot jail

apache-2.2chroot

I have been advised by a sysadmin guy I know, to run Apache in a chroot jail, for increased security.

I have the following questions:

Is this advisable (i.e. are there any 'gotcha's that I need to be aware of) ?
Does running Apache in a chroot jail affect its ability issues like performance and scalability?

He also advised that I run my databases (mySQL and PostgreSQL), in separate chroot jails.

Is this something that is often done in production systems

[Edit]

Forgot to say, Server is running on Ubuntu 8.04 LTS

Best Answer

Chrooting is a good security measure, it limits the possibilities to compromise the system in case of a successfull exploit but there are also ways in some case to evade from a chroot, so it is not a definitive way to protect the system.

I'm not aware of any disavantage regarding performance and scalability. Concerning database access, it is generaly done with a link to the socket inside the chroot this way you don't have to open any networking port for database connectivity.

EDIT: below is a sample for mysql access taken from an OpenBSD rc.local (OpenBSD chrooted httpd)

if [ X"${mysql_server_flags-NO}" != X"NO" -a -x /usr/local/bin/mysqld_safe ]; then
        rm -R /var/www/var/run/mysql
        mkdir -p /var/www/var/run/mysql
        chown _mysql:_mysql   /var/www/var/run/mysql
        echo -n 'MySQL server: '; /usr/local/bin/mysqld_safe --user=_mysql ${mysql_server_flags} &
        sleep 10
        ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
fi

Hope this helps.

Related Solutions

Ubuntu – can non-root user run process in chroot jail

On Linux the chroot(2) system call can only be made by a process that is privileged. The capability the process needs is CAP_SYS_CHROOT.

The reason you can't chroot as a user is pretty simple. Assume you have a setuid program such as sudo that checks /etc/sudoers if you are allowed to do something. Now put it in a chroot chroot with your own /etc/sudoers. Suddenly you have an instant privilege escalation.

It is possible to design a program to chroot itself and run it as a setuid process, but this is generally considered bad design. The extra security of the chroot does not motivate the security issues with the setuid.

Security – When is it not worth putting Apache in a chroot jail

Chroot provides a small bit of security to provide a speed-bump for an attacker. If you have a vulnerability in apache/CGIs, an attacker has to escape the chroot jail. Automated attacks are less likely to try to do this, but if there is a known kernel exploit and the requirements for that exploit are obtainable in the chrooted environment, you are hosed.

SELinux provides are larger bit of security, but the implementation pain is not to be sneezed at. For simple cases there might be pre-canned SELinux policies for you, but if you are doing weird/custom stuff you will need to extend them yourself. This is not terribly difficult if you have the selinux development RPMs loaded. Start out in non-enforcing mode, exercise your system completely, and then run:

audit2allow -a -l -R -m foo -o foo.te

That will help you develop your custom policies.

A similar step to SELinux is GRSecurity. It is less standard but is probably a little more secure the SELinux and possibly a little easier to use, though with less random people on the internet being able to help you.

Another approach is to run the web server in a VM. This gives you a bit more security but attacks have been known to be able to escape a VM environment. These would most likely be very determined attackers, though, not your normal script kiddy.

Best Answer

Related Solutions

Ubuntu – can non-root user run process in chroot jail

Security – When is it not worth putting Apache in a chroot jail

Related Topic