1. Download rpmforge-release-0.5.2-2.el6.rf.i686.rpm (or the x86_64 build on 64-bit systems):
i686 http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
x86_64 http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
2. Install DAG's GPG key:
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
3. Install the downloaded rpmforge-release RPM:
rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm
4. Install Jailkit:
yum install jailkit
5. Configure Jailkit. Back up the original configuration file:
cd /etc/jailkit/
cp jk_init.ini jk_init.ini.bak
Edit jk_init.ini:
vi jk_init.ini
Add an [ldconfig] section at the bottom:
[ldconfig]
paths = /sbin/ldconfig
regularfiles = /etc/ld.so.conf
Find the [uidbasics] section:
[uidbasics]
# this section probably needs adjustment on 64bit systems
# or non-Linux systems
comment = common files for all jails that need user/group information
paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf
Remove /etc/ld.so.conf from paths and add the following line:
includesections = ldconfig
Find the [apache] section:
[apache]
comment = the apache webserver, very basic setup, probably too limited for you
paths = /usr/sbin/apache
users = root, www-data
groups = root, www-data
includesections = netbasics, uidbasics
Change it to:
[apache]
comment = the apache webserver, very basic setup, probably too limited for you
paths = /usr/sbin/apachectl,/usr/sbin/httpd,/etc/php.ini,/etc/localtime
users = root, apache
groups = root, apache
regularfiles = /etc/mime.types
directories = /etc/httpd,/var/www/html, /var/lock/subsys, /var/log/httpd,/etc/php.d,/usr/share/zoneinfo,/var/lib/php/session
includesections = netbasics, uidbasics, editors, basicshell
devices = /dev/urandom, /dev/null
Create the directory that Apache will be chrooted into:
mkdir /home/apache
chown root:root /home/apache
chmod 0755 /home/apache
Populate that directory with the files and dependencies the chroot environment needs:
jk_init -j /home/apache apache
Start Apache:
apachectl start
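To see what jk_init left out of the jail, the following added example (not part of the original guide or of Jailkit) resolves the [apache] section, follows includesections, and lists host paths with no counterpart under /home/apache, plus any included section name that does not exist. The function names are this example's own; it assumes jk_init.ini parses with Python's configparser, looks only at the four keys used on this page, checks directories for presence only, and does not check the shared libraries jk_init copies for executables.

```python
import configparser
import glob
import os

# Added example; names are this example's own. Keys are those used on this page.
PATH_KEYS = ("paths", "regularfiles", "directories", "devices")


def _items(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def collect(cfg, section, seen, unknown):
    """Gather host paths for a section, following includesections recursively."""
    if section in seen:
        return []
    seen.add(section)
    if not cfg.has_section(section):
        unknown.append(section)  # e.g. a misspelled name in includesections
        return []
    paths = []
    for key in PATH_KEYS:
        for pattern in _items(cfg.get(section, key, fallback="")):
            # Globs such as /lib64/libnss*.so.2 are expanded on the host;
            # entries that do not exist on the host are skipped.
            paths.extend(sorted(glob.glob(pattern)))
    for inc in _items(cfg.get(section, "includesections", fallback="")):
        paths.extend(collect(cfg, inc, seen, unknown))
    return paths


def audit_jail(ini_text, section, jail):
    """Return (missing, unknown): host paths absent under jail, unknown sections."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    unknown = []
    paths = collect(cfg, section, set(), unknown)
    missing = [p for p in dict.fromkeys(paths)
               if not os.path.lexists(os.path.join(jail, p.lstrip("/")))]
    return missing, unknown


if __name__ == "__main__":
    with open("/etc/jailkit/jk_init.ini") as fh:
        missing, unknown = audit_jail(fh.read(), "apache", "/home/apache")
    for name in unknown:
        print("unknown section in includesections:", name)
    for path in missing:
        print("missing in jail:", path)
```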
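Some minor problems may come up along the way; manually create or copy any missing files, such as php.ini, as your setup requires. The chroot environment is now built.
2. Configure Apache
Compile and install mod_chroot: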
# wget http://core.segfault.pl/~hobbit/mod_chroot/dist/mod_chroot-0.5.tar.gz
# tar -zxvf mod_chroot-0.5.tar.gz
# cd mod_chroot-0.5
# apxs -cia mod_chroot.c
Edit /etc/httpd/conf/httpd.conf. Find:
PidFile run/httpd.pid
Change it to:
PidFile /var/run/httpd.pid
Add after it:
ChrootDir /home/apache
After ServerRoot "/etc/httpd", add:
LockFile /var/run/httpd.lock
CoreDumpDirectory /var/run
ScoreBoardFile /var/run/httpd.scoreboard
Load the chroot module:
64-bit: LoadModule chroot_module /usr/lib64/httpd/modules/mod_chroot.so
32-bit: LoadModule chroot_module /usr/lib/httpd/modules/mod_chroot.so
Edit /etc/init.d/httpd:
vi /etc/init.d/httpd
After HTTPD_LANG=${HTTPD_LANG-"C"}, add:
ROOT=/home/apache
Find:
stop() {
echo -n $"Stopping $prog: "
killproc -d 10 $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
Change it to:
stop() {
/bin/ln -s $ROOT/var/run/httpd.pid /var/run/httpd.pid
echo -n $"Stopping $prog: "
killproc -d 10 $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
Save the file and restart:
service httpd restart
You should see:
[Thu Jan 27 20:56:39 2011] [notice] core dump file size limit raised to 4294967295 bytes
[Thu Jan 27 20:56:39 2011] [notice] SELinux policy enabled; httpd running as context root:system_r:httpd_t
[Thu Jan 27 20:56:39 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jan 27 20:56:39 2011] [notice] Digest: generating secret for digest authentication ...
[Thu Jan 27 20:56:39 2011] [notice] Digest: done
[Thu Jan 27 20:56:39 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Thu Jan 27 20:56:39 2011] [notice] mod_chroot: changed root to /home/apache.
[Thu Jan 27 20:56:39 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
That completes the setup. If sessions fail to start, check the permissions on the session directory:
chown -R apache:apache session/
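Note: for database connections, change localhost to 127.0.0.1. With clients such as MySQL's, localhost selects the Unix socket, which lies outside the chroot, while 127.0.0.1 forces a TCP connection.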