A chroot HTTPD setup gives Apache and its child processes a separate disk root directory, so that an attacker, or a PHP, Perl or Python script run by the server, cannot access or even name files outside that directory. For Apache/HTTPD this is known as a chroot jail.
- For Apache installation, create a base/root directory of your choice. The Apache chroot installation directory is /usr/chroot/apache in this article.
# mkdir /usr/chroot/apache
# BASE=/usr/chroot/apache
- In the Apache chroot directory /usr/chroot/apache, initialize an RPM database.
# rpm --root /usr/chroot/apache --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centos-*
- Install the centos-release package to the Apache chroot directory by downloading it to /var/tmp.
# yumdownloader --destdir=/var/tmp centos-release*
# rpm --root /usr/chroot/apache -ivh --nodeps /var/tmp/centos-release*
- Import the GPG public key into the Apache chroot directory.
# rpm --root /usr/chroot/apache --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centos-*
- Install the elfutils-libs package into /usr/chroot/apache. mod_systemd.so, which is loaded by /usr/chroot/apache/etc/httpd/conf.modules.d/00-systemd.conf, requires this package.
# yum --installroot=/usr/chroot/apache -y install elfutils-libs
- Install the coreutils package that Apache requires.
# yum --installroot=/usr/chroot/apache -y install coreutils
- Copy the random and urandom device nodes from /dev to /usr/chroot/apache/dev; httpd uses them to generate random keys (cp -a preserves the device nodes).
# cp -a /dev/urandom /dev/random /usr/chroot/apache/dev
- As shown below, create a modified systemd Unit file for HTTPD and save it to /etc/systemd/system/httpd.service.
# more /etc/systemd/system/httpd.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)
[Service]
Type=forking
EnvironmentFile=/usr/chroot/apache/etc/sysconfig/httpd
ExecStart=/usr/sbin/chroot /usr/chroot/apache /usr/sbin/httpd -k start
ExecReload=/usr/sbin/chroot /usr/chroot/apache /usr/sbin/httpd -k graceful
ExecStop=/usr/sbin/chroot /usr/chroot/apache /usr/sbin/httpd -k stop
KillSignal=SIGCONT
PrivateTmp=true
[Install]
WantedBy=multi-user.target
- Run the following commands to enable Apache at boot, start it, and check its status.
# systemctl enable httpd
# systemctl start httpd
# systemctl status httpd
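Once httpd is up, it is worth confirming that the jail is actually what the unit file runs in and that it contains nothing it should not. The script below is an added example, not part of the original article; it assumes the jail path /usr/chroot/apache from the steps above (another path can be passed as the first argument) and that httpd was started through /usr/sbin/chroot as in the unit file.

```shell
#!/bin/sh
# Post-install checks for the Apache chroot jail built above (added example, not from the
# original article). Assumes the jail lives at /usr/chroot/apache unless another path is
# given as the first argument, and that httpd was started via /usr/sbin/chroot as in the unit.

# check_jail BASE: inspect the jail on disk. Prints each finding, returns the number found.
check_jail() {
    base=$1
    n=0
    # httpd itself must be inside the jail, because ExecStart runs it from there.
    if [ ! -x "$base/usr/sbin/httpd" ]; then
        echo "missing: $base/usr/sbin/httpd"; n=$((n + 1))
    fi
    # The copied entropy devices must be character devices, not regular files.
    for dev in random urandom; do
        if [ ! -c "$base/dev/$dev" ]; then
            echo "missing or not a character device: $base/dev/$dev"; n=$((n + 1))
        fi
    done
    # The setup package gives the jail its own /etc/shadow; it must hold no real hashes.
    for f in etc/shadow etc/gshadow; do
        [ -f "$base/$f" ] || continue
        hashes=$(awk -F: '$2 != "" && $2 != "*" && $2 != "!" && $2 != "!!" { c++ } END { print c + 0 }' "$base/$f")
        if [ "$hashes" -gt 0 ]; then
            echo "$hashes password hash(es) inside jail: $base/$f"; n=$((n + hashes))
        fi
    done
    # Setuid/setgid binaries widen what a compromised worker could do inside the jail.
    suid=$(find "$base" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' ')
    if [ "$suid" -gt 0 ]; then
        echo "$suid setuid/setgid file(s) inside jail"; n=$((n + suid))
    fi
    return "$n"
}

# check_running_root BASE: confirm each httpd process really has its root inside the jail.
# Reading /proc/PID/root of a root-owned process needs root. Returns the number of misfits.
check_running_root() {
    base=$1
    bad=0
    pids=$(pidof httpd) || { echo "httpd is not running"; return 1; }
    for pid in $pids; do
        root=$(readlink "/proc/$pid/root" 2>/dev/null)
        if [ "$root" != "$base" ]; then
            echo "pid $pid: root is '${root:-unreadable}', expected $base"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

if [ "$#" -eq 1 ]; then
    check_jail "$1"; check_running_root "$1"
fi
```

Run it as root with the jail path, e.g. `sh check_jail.sh /usr/chroot/apache`; a zero exit status from both functions means the files are in place and every httpd process is rooted in the jail.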