0

Recently I've been told that a user has my system 'shelled.' While there hasn't been any unusual activity or errors in the Apache error log, etc., I'd rather be safe than sorry.

So: If I run Apache in a chroot, will it prevent shell scripts from being able to retrieve sensitive info, i.e. being able to do a mysqldump or anything of the sort, regardless of whether the configuration files with the database details are in the Apache jail?

Thanks

Tar
  • Sorry to be so blunt, but if you have to ask this question, you should not be running a public-facing server yet. – Simon Richter Jun 05 '12 at 08:26
  • lol 12characters – Tar Jun 05 '12 at 08:57
  • I'm sure that there was a day when you didn't know everything @SimonRichter. If he's running a little web blog and trying to chroot it, more power to him. – capitalaudience.com Jul 08 '16 at 16:53
  • @EcommerceConsultant, that's why I said "yet". To run a reasonably secure server, you need to understand all its components, how they interact and where their weaknesses are; you need to stay on top of security advisories affecting the software you run, and you need to be able to find out whether unauthorized things are going on and how to stop them. Yes, that takes a bit of learning, e.g. setting up a small home server. – Simon Richter Jul 09 '16 at 00:42

2 Answers

1

Well, it would raise the level of security of the Apache instance :). And as far as I know, even with chroot the scripts can still be executed (depending on what other methods you have in place).

Please have a look here: http://www.petefreitag.com/item/505.cfm (20 quick measures to secure your Apache instance). You can find more about securing Apache here: http://www.amazon.com/Apache-Security-Ivan-Ristic/dp/0596007248/ref=sr_1_1?ie=UTF8&qid=1338881835&sr=8-1

Depending on your environment and on how important / exposed the Apache is, I would take several measures, not only chroot.

Alex H
1

Chrooting will prevent access to most tools (i.e. /bin/, /sbin/, etc.) and devices, but if you are using MySQL via a unix socket you will still need to expose that socket in Apache's chroot. Chrooting won't prevent access to the local TCP port either.

If your goal is to prevent local execution by Apache, I suggest using SELinux. There are many documents describing this, but I prefer Fedora's Apache setup [1] or the more general CentOS wiki [2].

[1] http://fedoraproject.org/wiki/SELinux/apache

[2] http://wiki.centos.org/HowTos/SELinux

Tommy
  • In fact, what `chroot` is preventing is having permanent modifications outside of the new root being made to the system. It by no means prevents code execution or restricts network connectivity, so given a scenario where a chrooted shell user is able to get to his own version of `mysql(dump)` along with database credentials, he *would* be able to access the database regardless of the chroot. SELinux is indeed more flexible in this regard, but also significantly more complex to configure. – the-wabbit Jun 05 '12 at 11:56
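
The points made in the answer and comment above can be checked on an existing jail. The following is an added example, not code from the thread: a hypothetical `audit_jail` function that lists the unix sockets, executable shells or MySQL clients, and password-bearing config files that remain visible inside a chroot directory. The file-name lists are assumptions to adapt to your own setup.

```shell
#!/bin/sh
# Added example (not from the original thread): list what a process confined
# to a chroot jail could still use. The jail path is whatever directory Apache
# is chrooted into; the name lists below are assumptions, extend as needed.

# Prints one "KIND /path" line per finding, paths relative to the jail root.
audit_jail() {
    jail=$1
    [ -d "$jail" ] || { echo "ERROR not a directory: $jail" >&2; return 2; }
    (
        cd "$jail" || exit 2

        # 1. Unix sockets exposed inside the jail (e.g. the MySQL socket).
        find . -type s 2>/dev/null | sed 's|^\.|SOCKET |'

        # 2. Executable shells, interpreters and MySQL clients in the jail.
        find . \( -type f -o -type l \) -perm -100 \
            \( -name sh -o -name bash -o -name dash -o -name busybox \
               -o -name perl -o -name 'python*' -o -name php \
               -o -name mysql -o -name mysqldump \) 2>/dev/null |
            sed 's|^\.|EXEC |'

        # 3. Config-like files in the jail that mention a password.
        find . -type f \( -name '*.php' -o -name '*.ini' \
            -o -name '*.cnf' -o -name '*.conf' \) \
            -exec grep -li 'password' {} + 2>/dev/null | sed 's|^\.|CREDS |'
    )
    # Not covered here: a MySQL server listening on a local TCP port stays
    # reachable from inside any chroot; check listeners on the host itself.
}

# Run directly as: sh audit_jail.sh /path/to/jail
if [ "$#" -gt 0 ]; then
    audit_jail "$1"
fi
```

An empty result from all three checks still leaves the local TCP port mentioned in the answer, which a filesystem audit cannot see.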