Weiter Zurück [Inhalt] Online Suche im Handbuch LITTLE-IDIOT NETWORKING

22.9 Kurzeinführung CHROOT() für WWW-Server

Besonders wichtig ist es stets, WWW-Server, SQL Datenbanken, FTP-Server... so abzusichern, daß ein Angreifer im Falle eines Einbruchs möglichst wenig Rechte erhält, und in einem Unterverzeichnis gefangengehalten wird. Es ist selbstverständlich, daß die Dämonen mit möglichst wenig Rechten gestartet werden. Der Start eines Dämons in einer CHROOT() Umgebung sollte eigendlich selbstverständlich sein. Viele kommerzielle Server, wie z.B. der Netscape Enterprise Server, ROXEN Challenger und viele FTP Dämomen unterstützen diese Funktionalität von Hause aus, sind aber in vielen Fällen nicht automatisch aktiviert. Schauen Sie bitte zuerst im Handbuch nach, bevor Sie dieser Installationsanleitung folgen. Sie ist allgemeingültig auf alle Dämomen unter UNIX anwendbar und erhöht die Sicherheit eines Server enorm, ohne sich negativ auf die Performance auszuwirken. Sie sollten, nachdem Sie diese Übung hier absolviert haben, alle Serverdämomen unter UNIX so absichern.

Every effort has been made on the part of the NCSA HTTPd Development Team to
ensure a high level of security from break-ins through HTTPd. Occasionally,
however, we miss one. For this reason, the server processes which handle
outside connections are setuid to another user, such as nobody, who should
have no permissions on the machine. This can be set using the User
For some, this might not be enough. There is something more that you can do,
however. Most systems have available a command line chroot command. This
command allows the system administrator (its usually restricted to the root
user) to force a program to run under a subset of the file system, without
allowing access from it to any other parts of the file system. This is
usually how anonymous ftp is handled, and more information about running
programs chroot can be gleaned from manpages and such which correspond to
setting up anonymous ftp. 

The general form of the command is:
chroot directory command 

Where directory is the new root directory and command is the command to run
under that directory. 

For example:
chroot /www httpd 

In this example, /www will become the new / directory, and anything not
under /www will not be accessible. 

There are some difficulties associated with this, however. Anything you want
to server/run/etc. needs to be in /www. This also means that if HTTPd is
linked with shared libraries, the shared libraries have to be available
under /www. Any cgi Skripts must be under /www, as well as the interpreters
(sh,perl,etc) needed to run them. Any shared libraries for the cgi Skripts
need to be in /www. The document tree, the server root, the logfiles, the
user directories (and a copy of /etc/passwd in /www/etc/passwd if you want
to have /~username/ paths). You don't want to have the passwords in the
/www/etc/passwd file, and you could fake a different user directory in it
for /~username/ paths that is under the /www directory. 

Denice Deatrich of CERN set his server up in a chroot environment. He wrote
a step by step guide available here 


This is a non-trivial thing to setup, and it is unlikely to be necessary.
We will provide only minimal support for setting up a chroot server, as we
don't use this locally. 


Using the following directory tree: 


Where /www will be the new root directory. 
Into /www/lib you will need to copy at least the shared c library (libc.so,
libc.sa, libc.a, libc.sl, or ..., depending on the system). Other libraries
may be necessary depending on the system and what other binaries you want to

In /www/bin, you will need copies of sh, perl, tclsh, etc. If you have any
gateways such as archie, uptime, date, finger, ph, copies of these programs
will also have to be in in /www/bin. 

/www/docs is your document root, but in the srm.conf file, it will be set to
/docs (which is the directory after the chroot command). 

/www/etc might need a copy of /etc/passwd and /etc/group. Make sure there
are no passwords in this file (on most systems, this is the second field of
the colon separated fields). Some systems require an entry for the uid of
the user HTTPd will setuid to, so that entry would be the minimum for the
passwd file (and group as well). If you intend to provide /~username/ URLs,
you must have a valid directory entry as well, which must be under /www but
without the /www part. Here is a sample /www/etc/passwd file: 

httpd:*:25:607:NCSA HTTPd Tech Support:/home/httpd:/bin/false
blong:*:524:1:Brandon Long:/home/blong:/bin/false

/www/conf will contain all of the configuration files for HTTPd, and
/www/cgi-bin, /www/logs, /www/icons contain what you would expect. All of
the configuration parameters which point to an absolute directory must
assume that /www = / 

Weiter Zurück [Inhalt] Online Suche im Handbuch LITTLE-IDIOT NETWORKING