In the last issue we discussed CGI and FastCGI, which allow the Apache daemon to run scripts such as Python or Perl on the web server. This can prove to be dangerous, as somebody can access (even unintentionally) the file system of the OS on which Apache resides and make changes to it. They can delete files knowingly or unknowingly, or even corrupt them, which can increase the downtime of your web server. If we restrict Apache from accessing the whole file system, then the problem is solved. Chroot is one such option that allows you to restrict the file system and limit Apache's access. It changes the directory structure that Apache sees; in other words, it shifts the base (root) directory from one location to another, effectively forking the existing file system, similar to a Solaris Container.
But yes, the implementation process is a bit complicated. You first require some extra library files, and if you plan to run a scripting language like Python, then you need to copy all the necessary files and binaries to the base directory.
In this article, we will discuss how you can create a restricted zone for Apache and safeguard your file system. For this we need to create a folder, called Jail, which will be the base directory for Apache. We used Fedora 10.
Creating Jail
Jail contains a smaller version of the existing file system, virtually resembling a full file system for Apache. For creating Jail, first create a folder named 'jail' which will contain exactly the same directory tree as the httpd directory. Now, execute the following commands for creating the required tree:
After you have created the directory structure inside the jail directory, set proper permissions for all folders, so that they can be modified only by the root user. As we have put Apache inside the 'jail' directory, the root directory for Apache will be 'jail'. So it will not be able to access the null device (which handles the unwanted output stream for Apache), and we need to make it available. Also, copy the configuration files, the cgi-bin and the httpd directories to the jail folder. For creating the null device and copying the necessary files, execute the following commands with proper permissions:
Now find out which shared libraries the Apache binary is linked against. For this, run the following command on Fedora:
After you find out the shared libraries that Apache depends on, copy them inside the lib directory of httpd, which resides inside the jail directory. For doing so, run the following command:
As discussed earlier, you also need some extra libraries. Execute the following commands to copy the extra libraries:
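The commands the article refers to are not reproduced on this page. As an added example (not the article's own commands, and not tied to Fedora 10), the following POSIX shell script carries out the steps described above: it creates the skeleton tree under a jail directory, creates the null device when run as root, and uses ldd to discover and copy the shared libraries a binary needs. The directory names and the default path /usr/sbin/httpd are assumptions; adjust them to your distribution's layout.

```shell
#!/bin/sh
# Added example, not the original article's commands.
# Assumptions: GNU/BSD-style coreutils, ldd and awk are available; the
# directory list and the httpd path below are illustrative defaults.
set -eu

# make_jail_tree JAIL
# Create the skeleton the article describes. Directories end up writable
# only by their owner (root, when run as root) and readable by others.
make_jail_tree() {
    jail="$1"
    for d in dev etc lib lib64 usr/sbin var/log/httpd var/www/html var/www/cgi-bin; do
        mkdir -p "$jail/$d"
    done
    chmod -R 755 "$jail"
    # The null device is character device major 1, minor 3 on Linux.
    # mknod needs root, so it is skipped for an unprivileged run.
    if [ "$(id -u)" -eq 0 ] && [ ! -c "$jail/dev/null" ]; then
        mknod -m 666 "$jail/dev/null" c 1 3
    fi
}

# copy_deps BINARY JAIL
# Copy BINARY and every shared object ldd resolves for it to the same
# absolute path under JAIL, so the dynamic loader finds them after chroot.
copy_deps() {
    bin="$1"; jail="$2"
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    # ldd prints lines such as "libc.so.6 => /lib64/libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only the absolute paths
    # (this also drops the vdso entry, which has no file on disk).
    ldd "$bin" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
}

# count_libs JAIL
# Number of shared objects present under JAIL; a quick sanity check that
# copy_deps actually populated the jail.
count_libs() {
    find "$1" -name '*.so*' -type f | wc -l | tr -d ' '
}

# Typical use, as root, for the (assumed) Apache binary path:
#   make_jail_tree /jail
#   copy_deps /usr/sbin/httpd /jail
#   count_libs /jail
```

Modules loaded at runtime (Apache's mod_*.so files, and any Python or Perl interpreter you run via CGI) are not reported by ldd, because they are opened with dlopen after start-up; run copy_deps on each of those files as well, which is the "extra libraries" step the article mentions.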
Copyright Techfuels