The first step in securing the server is to prepare a chrooted environment for the Apache server with the PHP module.
At this point, we should perform all the steps described in the “Chrooting the server” section of the previous article. In addition, before running Apache in the chrooted environment for the first time, we must also copy the following libraries (they are needed for PHP to run properly):
cp /usr/local/mysql/lib/mysql/libmysqlclient.so.12 /chroot/httpd/usr/lib/
cp /usr/lib/libm.so.2 /chroot/httpd/usr/lib/
cp /usr/lib/libz.so.2 /chroot/httpd/usr/lib/
Additionally, we have to copy the PHP default configuration file:
umask 022
mkdir -p /chroot/httpd/usr/local/lib
cp /usr/local/lib/php.ini /chroot/httpd/usr/local/lib/
We must also create a /chroot/httpd/tmp directory. The directory owner must be root, and access rights should be set to 1777. After creating the new environment, we should test whether Apache runs correctly:
chroot /chroot/httpd /usr/local/apache/bin/httpd
Before we begin to configure PHP, we must also take care of one more very important detail: communication between PHP and MySQL. Because PHP communicates locally with MySQL by using the /tmp/mysql.sock socket, placing PHP in the chrooted environment means that they cannot communicate with each other. To solve that problem, each time we run MySQL we must create a hard link to the socket inside the Apache chrooted environment:
ln /tmp/mysql.sock /chroot/httpd/tmp/
Note that in order to make communication between PHP and MySQL possible, the “/tmp/mysql.sock” socket and the “/chroot/httpd/tmp” directory must be physically placed on the same filesystem (hard links don’t work between filesystems).
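The relinking step and the same-filesystem requirement above can be wrapped in a small script that is run after each MySQL start. This is an added example, not part of the original article; the function names are hypothetical, and the paths are the ones used above.

```shell
#!/bin/sh
# Added example, not from the article. Paths are the article's own;
# the function names are hypothetical.
SOCK=/tmp/mysql.sock
JAIL_TMP=/chroot/httpd/tmp

# Print "device:mountpoint" of the filesystem that holds $1.
fs_of() { df -P "$1" | awk 'NR == 2 { print $1 ":" $NF }'; }

# Print the inode number of $1.
inode_of() { ls -di "$1" | awk '{ print $1 }'; }

# link_mysql_sock SOCKET JAIL_TMP_DIR
# Returns 0 on success, 1 if an input is missing, 2 if the two paths are
# on different filesystems, 3 if the link cannot be created or verified.
link_mysql_sock() {
    src=$1; dir=$2
    [ -e "$src" ] || { echo "missing socket: $src" >&2; return 1; }
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    # Hard links cannot cross filesystems, so fail early with a clear message.
    if [ "$(fs_of "$src")" != "$(fs_of "$dir")" ]; then
        echo "$src and $dir are on different filesystems" >&2
        return 2
    fi
    dst=$dir/$(basename "$src")
    # Nothing to do if the link inside the chroot is already current.
    if [ -e "$dst" ] && [ "$(inode_of "$src")" = "$(inode_of "$dst")" ]; then
        return 0
    fi
    # -f replaces a stale link left over from an earlier MySQL start, which
    # would still point at the old socket inode.
    ln -f "$src" "$dir/" || return 3
    [ "$(inode_of "$src")" = "$(inode_of "$dst")" ] || return 3
}

# Run only when invoked with "run", e.g. from the MySQL start-up script.
if [ "${1:-}" = "run" ]; then
    link_mysql_sock "$SOCK" "$JAIL_TMP"
fi
```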