Chrooting Apache/PHP/MySQL in FreeBSD

NetRyder

Alright, so I'm taking over the administration of two servers from a member of our team who graduated. They're currently running Debian, but since I'm going for a fresh start on one of them, I'm planning to use FreeBSD this time around (if things go as planned).

This machine will be used as a webserver, among other things. I was wondering how many BSD users here chroot their Apache/PHP/MySQL installations for security purposes. Have you run into any troubles after doing so? How about maintenance - do you need to go through the same process again after a portupgrade, or does everything just go in its correct place?

Would appreciate any input on this topic, along with any other general suggestions and recommendations that you might have. Thanks. :)
 
I wouldn't be too concerned about jailing Apache/PHP/MySQL unless you do not plan on keeping the installed ports up-to-date. It is a fairly big hassle to copy everything into the jail environment, and yes, you would have to do it every time it is upgraded. Apache and MySQL run as the users www and mysql respectively; even if they are compromised, the damage is limited to files owned by www and mysql. Even though there could be privilege escalation vulnerabilities, they are rare.
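As an added illustration of the copying work described above (this is not code from the thread), here is a small POSIX sh helper that parses ldd(1) output to find the shared libraries a daemon needs and stages them under a chroot directory with the original layout, which is exactly what has to be repeated after every upgrade. The ldd output below is constructed, and the chroot directory and binary path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes ldd(1) prints
# "name => /path (0xaddr)" lines, plus a bare "/path (0xaddr)" line for the
# dynamic loader, as FreeBSD and Linux do.

# ldd_libs: read ldd output on stdin and print one absolute library path per
# line. The first line ("/path/to/binary:") has one field and is skipped.
ldd_libs() {
    awk '
        # "libc.so.7 => /lib/libc.so.7 (0x...)" form
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        # bare "/libexec/ld-elf.so.1 (0x...)" form, i.e. the loader itself
        NF == 2 && $1 ~ /^\// { print $1 }
    ' | LC_ALL=C sort -u
}

# stage_libs CHROOT BINARY: copy BINARY and every library it links against
# into CHROOT, keeping the same directory layout so the loader finds them.
# Re-run this after each portupgrade, because the library set can change.
stage_libs() {
    chroot_dir=$1
    bin=$2
    for f in "$bin" $(ldd "$bin" | ldd_libs); do
        mkdir -p "$chroot_dir$(dirname "$f")"
        cp -p "$f" "$chroot_dir$f"
    done
}

# Constructed sample of ldd output (not captured from a real host) so the
# parser can be exercised offline without touching the system.
SAMPLE_LDD='/usr/local/sbin/httpd:
        libm.so.5 => /lib/libm.so.5 (0x280a0000)
        libcrypt.so.3 => /lib/libcrypt.so.3 (0x280c0000)
        libc.so.7 => /lib/libc.so.7 (0x28100000)
        libpthread.so.2 => /lib/libpthread.so.2 (0x28200000)
        /libexec/ld-elf.so.1 (0x28000000)'

# Show what would be copied for the sample; a real run would be:
#   stage_libs /var/chroot/www /usr/local/sbin/httpd
printf '%s\n' "$SAMPLE_LDD" | ldd_libs
```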
 
Yeah, that's what I figured. Didn't seem like it was worth the hassle...I just noticed that there are people who do this, so I thought I'd get some opinions here.
Thanks for your input, Joe. :)
 
chrooting apache/mysql is for the overly paranoid. If you want I can send over a sysctl.conf that'll make your box a lean mean freebsd fighting machine and save you some trouble to boot :D
 
LordOfLA said:
If you want I can send over a sysctl.conf that'll make your box a lean mean freebsd fighting machine and save you some trouble to boot :D
That would be awesome. Email it to my username at osnn dot net, please. Thanks. :)
 
...and received. ;)
Will be wiping the drive and doing the initial set up when I get back from work tomorrow evening. I only hope I don't run into any hardware-detection/driver problems...hate to deal with those. It's a Dell PowerEdge 1400SC box, if that makes any difference.

Wish me luck. :)
 
we got it running nicely on 420SC's, 1800's (sata and scsi variants) and a range of 1u rackmounts. Dell works with pretty much everything these days. I've yet to try darwin on one though... could be fun :p Must convince the boss one day :D
 
Lovely. Went in and set up the base system last night. Everything running perfectly. Will be getting the rest done from home over SSH this weekend.
 
Some useful ports to install reside in sysutils/portupgrade and sysutils/portaudit, misc/mc, editors/vim, editors/nano. Add sendmail_enable="none" to /etc/rc.conf too :D
 
Do yourself a favor as well. Head over to freshports.org, get an account, add all your ports to your watchlist and get an email when a port is updated. Keep yerself up to date with the latest. Also, make it a habit to check the advisories on http://freebsd.org/ at least once a week, and hang out on #freebsdhelp on Efnet if you want to have it easily seen that there is a new very important update by looking at the topic.

Also, keep tabs on the last patchlevel by reading advisories, or at least updating to the latest RELENG every so often, of whatever version you plan to use. I suggest 5.x.

And do yourself a favor, and use ports for everything. Or to quote #freebsdhelp:

"Use ports, or a 300 lb geek will sit on you after 96 hour coding frenzy"

BTW, chrooting mysql/www is useless, and won't help secure much; breaking out of a chroot is getting easier, as more and more problems are found with the way it secures every so often. What it is being abused for is not what it was designed for in the first place. As for jailing the services, you could do it, but I'd call you crazy.

Enjoy your FreeBSD days. If you need any help, post here of course!

Lord: Do me a favor, and send me your rc.conf/sysctl.conf so that I can tweak my servers.
 
Thanks for the tips, X. I already subscribed to the advisories RSS feed last night after everything was set up. The FreshPorts tip is a nice one...I'll do that when I get home today. Ports all the way, of course. And yes, I gave up the idea of chrooting a while ago...wasn't too keen on doing it in the first place. :)

Thanks again folks. More fun this weekend.
 
Actually FreeBSD 6 has been in code freeze since June 10 and gets its RELENG_6 branch on Sunday. I have 2 machines running it now problem free; the in-place source upgrade from 5 went as nicely as upgrading inside the 5.x branch.

So 2 more machines will be getting FreeBSD 6 soon, and I'll try and throw it at the coreix dns server sometime next week :)
 
BTW, the solaris 10 thread kicked my brain into gear:

It's a good idea to put NO_X = True and WITHOUT_X11=yes into /etc/make.conf on a FreeBSD server.
 
Oh and something else. A colleague of mine here at coreix pointed out devel/strace the other day. It's awesome at helping you find the cause of segfaults :D
 
I use strace all the time, on 5.x systems you need to mount /procfs though, which is a security risk, and has been disabled by default. So mount procfs, and then turn it off again when done.

6.x is where I am going to go asap as well. More fine-grained control over locking, meaning more speed should come out of the system.
 
LordOfLA said:
news to me, I don't think I've ever had procfs not mounted...

In 4.x it is enabled as it is needed for ps and other tools. For 5.x and 6.x it is disabled as it could lead to security problems. I remember reading it in UPDATING. Here is a snippet from http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html for another interesting read.

The process file system. This is a "pretend" file system mounted on /proc which allows programs like ps(1) to give you more information on what processes are running. In FreeBSD 5.X and above, use of PROCFS is not required under most circumstances, as most debugging and monitoring tools have been adapted to run without PROCFS: unlike in FreeBSD 4.X, new installations of FreeBSD 5.X will not mount the process file system by default. In addition, 6.X-CURRENT kernels making use of PROCFS must now also include support for PSEUDOFS:
 
My list of useful ports:
editors/nano
misc/screen
net/cvsup-without-gui
ftp/wget
security/sudo
security/chkrootkit

screen I find particularly useful when rebuilding world and kernels:
screen -L make buildworld
The -L switch means it dumps all of the output into screenlog.0 in the same directory, so if you come back much later and screen has terminated you can still check to see if everything went right. See http://geffy.co.uk/archives/000162.php for some information on other compilation options. You might also want to take a look at http://geffy.co.uk/audit_auth for checking through your auth logs.
 