Chroot

We will run the web server and the web proxy in a common chroot environment, which in this example is the /var/www directory.

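# Skeleton of the chroot under /var/www.  bin, dev, etc and lib are filled
# from RAM disks at boot and the writable directories are bind-mounted in
# from /tmp/chroot (see the /etc/fstab and /etc/rc.local sections below).
mkdir /var/www/bin
mkdir /var/www/dev
mkdir /var/www/etc
mkdir /var/www/lib
mkdir /var/www/sec_data
mkdir /var/www/sessions
mkdir /var/www/tmp
mkdir /var/www/upload
mkdir /var/www/usr
mkdir /var/www/var

mkdir /var/www/var/DocRoot
mkdir /var/www/var/lock
mkdir /var/www/var/log
mkdir /var/www/var/run

mkdir -p /var/www/usr/share/GeoIP

# The directories the web user writes to belong to it and are closed to
# everyone else; tmp is world-writable but sticky, like a normal /tmp.
chown www-data:www-data /var/www/sec_data/ /var/www/sessions/ /var/www/upload/
chmod 0700 /var/www/sec_data/ /var/www/sessions/ /var/www/upload/
chmod 01777 /var/www/tmp/

# usr/{lib,bin,sbin} are relative links into the lib and bin RAM disks, so
# they resolve the same way inside and outside the chroot.  Stop here if the
# cd fails: with relative targets, the ln -s lines would otherwise create
# the links in whatever directory we happen to be in.
cd /var/www/usr || exit 1
ln -s ../lib/usr_lib lib
ln -s ../bin/usr_bin bin
ln -s ../bin/usr_sbin sbin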

Some directories are kept on RAM disks at runtime. The content of the RAM disks is kept in /usr/local/chroot.web.

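# Master copies for the RAM disks.  Root-only (0700): rc.local rebuilds the
# chroot's bin, dev, etc and lib from this tree at every start, so whoever
# can write here decides what runs in the chroot.
mkdir /usr/local/chroot.web
chmod 0700 /usr/local/chroot.web

# bin: the marker file ends up in /var/www/bin and tells rc.local that the
# ram0 filesystem has already been formatted and populated, so it is
# remounted read-write instead of being recreated.
mkdir /usr/local/chroot.web/bin
touch /usr/local/chroot.web/bin/do_not_remove

# dev: only the four device nodes the server needs.  Stop here if the cd
# fails, otherwise mknod would create the nodes in the current directory.
mkdir /usr/local/chroot.web/dev
cd /usr/local/chroot.web/dev || exit 1
mknod -m 0666 null c 1 3
mknod -m 0666 random c 1 8
mknod -m 0666 urandom c 1 9
mknod -m 0666 zero c 1 5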

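# etc: symlinks to the host's files.  rc.local copies them with cp -L, so
# the chroot gets real files rather than links that point outside of it;
# /etc/nginx is a directory, so the whole tree (including its ssl/ keys) is
# copied.  localtime is pinned to Europe/Budapest rather than following the
# host's /etc/localtime.  Stop here if the cd fails, otherwise the links
# (which take their name from the target) land in the current directory.
mkdir /usr/local/chroot.web/etc
cd /usr/local/chroot.web/etc || exit 1
ln -s /etc/host.conf
ln -s /etc/hostname
ln -s /etc/hosts
ln -s /etc/ld.so.cache
ln -s /usr/share/zoneinfo/Europe/Budapest localtime
ln -s /etc/mime.types
ln -s /etc/nginx
ln -s /etc/nsswitch.conf
ln -s /etc/resolv.conf
ln -s /etc/timezone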

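# lib: the dynamic loader, libc and the NSS modules (name resolution inside
# the chroot goes through the copied nsswitch.conf/resolv.conf).  The
# tls/i686/cmov layout is specific to the 32-bit i686 libc of this system;
# re-check the list with ldd after a libc or nginx upgrade.  Each cd is
# checked because every ln -s below takes its name from the target and is
# created in the current directory.
mkdir /usr/local/chroot.web/lib
cd /usr/local/chroot.web/lib || exit 1
ln -s /lib/ld-linux.so.2
ln -s /lib/libc.so.6
ln -s /lib/libnsl.so.1
ln -s /lib/libnss_compat.so.2
ln -s /lib/libnss_dns.so.2
ln -s /lib/libnss_files.so.2
ln -s /lib/libnss_nis.so.2
mkdir -p tls/i686/cmov/
cd ./tls/i686/cmov/ || exit 1
ln -s /lib/tls/i686/cmov/libcrypt.so.1
ln -s /lib/tls/i686/cmov/libc.so.6
ln -s /lib/tls/i686/cmov/libdl.so.2
ln -s /lib/tls/i686/cmov/libnsl.so.1
ln -s /lib/tls/i686/cmov/libnss_compat.so.2
ln -s /lib/tls/i686/cmov/libnss_dns.so.2
ln -s /lib/tls/i686/cmov/libnss_files.so.2
ln -s /lib/tls/i686/cmov/libnss_nis.so.2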

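# usr/lib: presumably the server's own dependencies (pcre, zlib, openssl)
# plus the locale data.  rc.local copies these with cp -L while no nginx is
# running, so host library updates reach the chroot only at such a start.
# /usr/lib/locale is a directory and is copied whole, which can be large.
# Stop here if the cd fails; the bare ln -s lines create their links in the
# current directory.
mkdir -p /usr/local/chroot.web/usr/lib
cd /usr/local/chroot.web/usr/lib || exit 1
ln -s /usr/lib/libpcre.so.3
ln -s /usr/lib/libz.so.1
mkdir -p /usr/local/chroot.web/usr/lib/i686/cmov/
ln -s /usr/lib/i686/cmov/libcrypto.so.0.9.8 /usr/local/chroot.web/usr/lib/i686/cmov/libcrypto.so.0.9.8
ln -s /usr/lib/i686/cmov/libssl.so.0.9.8 /usr/local/chroot.web/usr/lib/i686/cmov/libssl.so.0.9.8
ln -s /usr/lib/locale
# NOTE(review): the source file is openssl.cnf but the link is named
# openssl.conf; OpenSSL looks for openssl.cnf by default — confirm the
# different name is intended.
mkdir ssl
ln -s /usr/lib/ssl/openssl.cnf ssl/openssl.conf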

# Remaining pieces under usr/: an otherwise empty bin, sbin with the web
# server binary, the Hungarian locale definition and the time zones used.
mkdir /usr/local/chroot.web/usr/bin /usr/local/chroot.web/usr/sbin
mkdir -p /usr/local/chroot.web/usr/share/i18n/locales /usr/local/chroot.web/usr/share/zoneinfo/Europe

# The marker keeps usr/bin non-empty, so the "cp .../usr/bin/*" in rc.local
# has something to match; the server itself apparently has no use for it.
touch /usr/local/chroot.web/usr/bin/do_not_remove

# Only the nginx binary goes into sbin; rc.local copies the link's target
# (cp -L), so the chroot holds a real copy of the executable.
ln -s /usr/sbin/nginx /usr/local/chroot.web/usr/sbin/nginx

ln -s /usr/share/i18n/locales/hu_HU /usr/local/chroot.web/usr/share/i18n/locales/hu_HU
ln -s /usr/share/zoneinfo/Europe/Budapest /usr/local/chroot.web/usr/share/zoneinfo/Europe/Budapest
ln -s /usr/share/zoneinfo/Europe/Berlin /usr/local/chroot.web/usr/share/zoneinfo/Europe/Berlin
ln -s /etc/localtime /usr/local/chroot.web/usr/share/zoneinfo/localtime

/etc/fstab

# Chroot: lock and run are tmpfs, so nothing written there survives a
# reboot.  Neither allows device nodes, setuid binaries or execution;
# lock is world-writable and sticky (1777) like a normal /var/lock, run
# is 0755 and only populated by rc.local.
chrootlock              /var/www/var/lock       tmpfs           nodev,nosuid,noexec,mode=1777   0       0
chrootrun               /var/www/var/run        tmpfs           nodev,nosuid,noexec,mode=0755   0       0

# RAM disks: formatted, mounted and populated by /etc/rc.local, hence
# noauto; nouser keeps ordinary users from mounting them.  The options
# differ on purpose:
#  - bin and lib hold the binaries and shared libraries and therefore
#    cannot be noexec; rc.local remounts them read-only once populated.
#  - dev holds the device nodes and therefore cannot be nodev; it is
#    nosuid,noexec instead.
#  - etc is data only and gets the full nodev,nosuid,noexec.
/dev/ram0               /var/www/bin            ext2            nodev,nosuid,noauto,nouser,async        0       0
/dev/ram1               /var/www/dev            ext2            nosuid,noexec,noauto,nouser,async       0       0
/dev/ram2               /var/www/etc            ext2            nodev,nosuid,noexec,noauto,nouser,async 0       0
/dev/ram3               /var/www/lib            ext2            nodev,nosuid,noauto,nouser,async        0       0

# binds: the writable parts of the chroot come from /tmp/chroot/*, which
# rc.local creates (0700, owned by www-data where the server writes) and
# then mounts by target path.  The dump/pass fields are omitted and so
# default to 0.
# NOTE(review): these are exactly the directories the web user can write
# to, and the bind lines carry no nodev/nosuid/noexec.  Whether options on
# a bind line take effect depends on the mount(8) version in use; if they
# are ignored, the targets inherit the options of the filesystem holding
# /tmp and need a second "mount -o remount,bind,nodev,nosuid,noexec"
# per target — confirm on this system.
/tmp/chroot/sec_data    /var/www/sec_data       none            bind,noauto
/tmp/chroot/sessions    /var/www/sessions       none            bind,noauto
/tmp/chroot/tmp         /var/www/tmp            none            bind,noauto
/tmp/chroot/upload      /var/www/upload         none            bind,noauto
/tmp/chroot/var_tmp     /var/tmp                none            bind,noauto

/etc/rc.local

# Make the host's shared memory read-only for everything started from here
# on.  NOTE(review): programs that create POSIX shared memory or named
# semaphores need a writable /dev/shm — confirm nothing on the host relies
# on it.
printf '%s\n' " - SHM"
/bin/mount -o remount,ro /dev/shm

# Bind-mount sources for the chroot's writable directories.
# Create one directory under /tmp/chroot and mount it on its target via
# the fstab entry for that target:
#   $1  directory name under /tmp/chroot
#   $2  mode for that directory
#   $3  owner:group to chown it to, or empty to leave it root-owned
#   $4  mount point (the target listed in /etc/fstab)
# The existence check is redundant right after the parent was created,
# but harmless.
chroot_bind_dir() {
    if [ ! -d "/tmp/chroot/$1" ]; then
        /bin/mkdir "/tmp/chroot/$1"
        [ -n "$3" ] && /bin/chown "$3" "/tmp/chroot/$1"
        /bin/chmod "$2" "/tmp/chroot/$1"
        /bin/mount "$4"
    fi
}

# Set up /tmp/chroot only when it is not there yet.  NOTE(review): the
# sources live inside the world-writable /tmp and "-d" follows symlinks,
# so if anything that resolves to a directory already exists at
# /tmp/chroot (for example when /tmp is not cleared at boot) this whole
# block is skipped and none of the bind mounts are made; a parent that
# only root can write to would avoid both issues — confirm.
if [ ! -d /tmp/chroot ]; then
    echo " - /tmp & /sessions"
    # removes a stray file or dangling link of that name before creating
    /bin/rm -f -r /tmp/chroot
    /bin/mkdir /tmp/chroot
    /bin/chmod 0700 /tmp/chroot

    # private to the web user: secret data, sessions, uploads
    chroot_bind_dir sec_data 0700  www-data:www-data /var/www/sec_data
    chroot_bind_dir sessions 0700  www-data:www-data /var/www/sessions
    # world-writable and sticky, like a normal /tmp and /var/tmp
    chroot_bind_dir tmp      01777 ""                /var/www/tmp
    chroot_bind_dir upload   0700  www-data:www-data /var/www/upload
    chroot_bind_dir var_tmp  01777 ""                /var/tmp
fi

# bin RAM disk (ram0).  Refreshed only while the server is not running,
# i.e. while there is no nginx.pid — presumably so that binaries are not
# replaced under a live process.  The run/lock directories for apache2 and
# mysqld are prepared here as well, although nothing else on this page
# sets those services up.
if [ ! -f /var/www/var/run/nginx.pid ]; then
    /bin/mkdir -p /var/www/var/lock/apache2 /var/www/var/run/apache2 /var/www/var/run/mysqld
    /bin/chown mysql:root /var/www/var/run/mysqld
    # do_not_remove is copied in from /usr/local/chroot.web/bin on the
    # first run.  If it is missing, ram0 has never been formatted: create
    # the filesystem and the two directories /var/www/usr/{bin,sbin} link
    # to.  Otherwise just make the existing filesystem writable again.
    if [ ! -f /var/www/bin/do_not_remove ]; then
        echo " - RAM0"
        /sbin/mke2fs -q -m 0 /dev/ram0
        /bin/mount /var/www/bin
        /bin/mkdir /var/www/bin/usr_bin /var/www/bin/usr_sbin
    else
        /bin/mount /var/www/bin -o remount,rw
    fi
    # -L copies the targets of the links kept in chroot.web, so the chroot
    # holds real files rather than links pointing outside of it.
    /bin/cp -f -L -p -r /usr/local/chroot.web/bin/* /var/www/bin/
    /bin/cp -f -L -p -r /usr/local/chroot.web/usr/bin/* /var/www/bin/usr_bin/
    /bin/cp -f -L -p -r /usr/local/chroot.web/usr/sbin/* /var/www/bin/usr_sbin/
    # fstab has to leave ram0 executable, so read-only is what keeps its
    # contents from being changed from inside the chroot.
    /bin/mount /var/www/bin -o remount,ro
fi

# dev RAM disk (ram1): created once; an existing /dev/null in it means the
# filesystem has already been formatted and populated.  Unlike bin and lib
# this is not gated on nginx.pid — only the initial creation is handled.
if ! [ -e /var/www/dev/null ]; then
    echo " - RAM1"
    /sbin/mke2fs -q -m 0 /dev/ram1
    /bin/mount /var/www/dev
    /bin/cp -f -L -p -r /usr/local/chroot.web/dev/* /var/www/dev/
fi
# NOTE(review): unlike bin, etc and lib this filesystem is never remounted
# read-only, so device nodes can be added to the chroot's /dev at runtime
# (fstab gives it nosuid,noexec but, necessarily, not nodev).  Consider
# "/bin/mount /var/www/dev -o remount,ro" after the copy — confirm nothing
# needs to write there first.

# etc RAM disk (ram2).  Refreshed on every start (not gated on nginx.pid),
# so changes under /etc/nginx reach the chroot without a reboot.
# NOTE(review): /var/www/etc/passwd serves as the "already formatted"
# marker, but nothing on this page puts a passwd file into
# /usr/local/chroot.web/etc; unless it is added separately, the mke2fs
# branch runs on every start — confirm.
if [ ! -f /var/www/etc/passwd ]; then
    echo " - RAM2"
    /sbin/mke2fs -q -m 0 /dev/ram2
    /bin/mount /var/www/etc
else
    /bin/mount /var/www/etc -o remount,rw
    # drop the old nginx tree so files removed from /etc/nginx do not linger
    /bin/rm -f -r /var/www/etc/nginx
fi
# cp -L follows the etc/nginx link, so the whole /etc/nginx tree, TLS
# private key included, is copied onto the RAM disk; the key is then made
# readable by the proxy user only before the filesystem is frozen.  If
# rc.local runs under "sh -e", a missing key file aborts the remaining
# steps at the chown.
/bin/cp -f -L -p -r /usr/local/chroot.web/etc/* /var/www/etc/
/bin/chown www-proxy:www-proxy /var/www/etc/nginx/ssl/server_privkey.pem
/bin/chmod 0400 /var/www/etc/nginx/ssl/server_privkey.pem
/bin/mount /var/www/etc -o remount,ro

# lib RAM disk (ram3), same scheme as bin: rebuilt or refreshed only while
# no nginx is running, then frozen read-only.  The dynamic loader doubles
# as the "already formatted" marker.  Since the host libraries are copied
# (cp -L) here, host library updates reach the chroot only at a start where
# nginx.pid is absent.
if [ ! -f /var/www/var/run/nginx.pid ]; then
    if [ ! -f /var/www/lib/ld-linux.so.2 ]; then
        echo " - RAM3"
        /sbin/mke2fs -q -m 0 /dev/ram3
        /bin/mount /var/www/lib
        # target of the /var/www/usr/lib link
        /bin/mkdir /var/www/lib/usr_lib
    else
        /bin/mount /var/www/lib -o remount,rw
    fi
    /bin/cp -f -L -p -r /usr/local/chroot.web/lib/* /var/www/lib/
    /bin/cp -f -L -p -r /usr/local/chroot.web/usr/lib/* /var/www/lib/usr_lib/
    /bin/mount /var/www/lib -o remount,ro
fi

/etc/init.d/rc.local

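# Argument dispatch of the init script.  do_start is not on this page; in
# Debian's stock /etc/init.d/rc.local it runs /etc/rc.local — confirm.  The
# stock script rejects restart/reload/force-reload with exit 3; they are
# accepted here and simply re-run the start path, which is safe because
# rc.local guards itself with the do_not_remove / nginx.pid / /tmp/chroot
# checks.  stop is a deliberate no-op: the RAM disks and bind mounts stay
# until reboot.  The usage message lists every verb that is accepted.
case "$1" in
    start|restart|reload|force-reload)
        do_start
        ;;
    stop)
        # nothing to tear down
        ;;
    *)
        echo "Usage: $0 start|stop|restart|reload|force-reload" >&2
        exit 3
        ;;
esac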
 