CentOS / Redhat Enterprise Linux Setup Lighttpd in Chroot Jail

November 2, 2007 · 10 comments · Last updated October 1, 2008

Many people have asked me to write about setting up Lighttpd under CentOS or RHEL 5 Linux using the chroot() call. The instructions are almost the same as the Debian / Ubuntu Linux instructions, but they need a few small modifications.

For example purposes we will build the jail at the /webroot location.
=> Default document root: /home/lighttpd/default/
=> Port: 80
=> IP: Your Public IP address
=> Virtual domain1: /home/lighttpd/vdomain1.com/
=> Virtual domain1 access log file: /var/log/lighttpd/vdomain1.com/
=> Default access log file: /var/log/lighttpd/access.log
=> Default error log file: /var/log/lighttpd/error.log
=> Default php error log file: /var/log/lighttpd/php.log

Assumptions

These installation instructions assume you have:

  • Linux distribution
  • Required RPMs (see below for installation instructions)
    • php, php-pear, php-common, php-pdo, php-ldap, php-gd, php-cli, php-mysql
    • mysql, mysql-server etc
    • lighttpd, lighttpd-fastcgi (rpm available here)
  • Installations were tested on Red Hat Enterprise Linux v4/5 or CentOS v4/5 or Fedora Linux 7

Step # 1: Install required packages

Install php and related packages:
# yum install php php-pear php-common php-pdo php-ldap php-gd php-cli php-mysql
Install mysql and related packages:
# yum install mysql mysql-server
Install lighttpd and mod_fastcgi for lighttpd:
# rpm -ivh http://dag.wieers.com/rpm/packages/lighttpd/lighttpd-1.4.18-1.el5.rf.i386.rpm
# rpm -ivh http://dag.wieers.com/rpm/packages/lighttpd/lighttpd-fastcgi-1.4.18-1.el5.rf.i386.rpm

Step # 2: Create /webroot and related directories

# mkdir /webroot
# cd /webroot
# mkdir etc
# mkdir tmp
# chmod 1777 tmp/
# mkdir -p usr/bin
# mkdir -p home/lighttpd/default
# mkdir -p var/run/lighttpd
# mkdir -p var/log/lighttpd
# chown lighttpd:lighttpd var/run/lighttpd/
# chown lighttpd:lighttpd var/log/lighttpd/
# chown -R lighttpd:lighttpd home/

Step # 3: Install chroot script

Download and install my script, which helps you build the lighttpd jail:
# cd /sbin/
# wget http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# mv l2chroot.txt l2chroot
# chmod +x l2chroot

Step # 4: Install php in jail

Now copy the php-cgi binary and its shared libraries into the jail using the l2chroot script:
# cd /webroot/usr/bin
# cp /usr/bin/php-cgi .
# l2chroot php-cgi

Step # 5: Copy required files to /etc

Now copy php.ini and all related files to the jail's /etc/ directory:
# cd /webroot/etc
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/nsswitch.conf .
# cp /etc/resolv.conf .
# cp /etc/php.ini .
# cp -avr /etc/php.d/ .
# cp -avr /etc/ld* .

Update (Oct-1-2008, 1:52pm): You need to copy the entire /etc/ directory and the /usr/share/zoneinfo files for the jail to work with the latest php version:
# cd /webroot/etc
# /bin/cp -avr /etc/* .

Copy all files from /usr/share/zoneinfo/:
# mkdir -p /webroot/usr/share/
# cd /webroot/usr/share/
# cp -avr /usr/share/zoneinfo/ .

Open the group and passwd files and keep only the entries for the root and lighttpd users:
# vi /webroot/etc/group
Make sure the file looks as follows:
root:x:0:root
lighttpd:x:101:

Also open the passwd file inside the jail:
# vi /webroot/etc/passwd
Make sure the file looks as follows:
root:x:0:0:root:/root:/bin/bash
lighttpd:x:100:101:lighttpd web server:/srv/www/lighttpd:/sbin/nologin
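
The full copy in the update above (cp -avr /etc/*) brings every host account, and files such as /etc/shadow and the SSH host keys, into /webroot/etc, so trimming passwd and group is only part of the cleanup. The script below is an added example, not from the original article: it lists the entries and files left behind. The function names and the list of sensitive files are assumptions chosen for a stock RHEL/CentOS /etc.

```sh
#!/bin/sh
# Added example: list what is left in JAIL/etc that the jail does not need.
# Prints one finding per line and nothing for a clean jail.
jail_etc_audit() (
    etc=${1%/}/etc

    # 1. Accounts and groups other than the two this step keeps.
    for f in passwd group; do
        if [ -f "$etc/$f" ]; then
            awk -F: -v f="$f" 'NF && $1 != "root" && $1 != "lighttpd" {
                print "extra " f " entry: " $1 }' "$etc/$f"
        fi
    done

    # 2. lighttpd's primary GID (passwd field 4) must exist in group.
    if [ -f "$etc/passwd" ] && [ -f "$etc/group" ]; then
        awk -F: -v grp="$etc/group" '
            BEGIN { while ((getline line < grp) > 0) {
                        split(line, g, ":"); gids[g[3]] = 1 } }
            $1 == "lighttpd" && !($4 in gids) {
                print "lighttpd gid " $4 " not in group file" }' "$etc/passwd"
    fi

    # 3. Host credentials carried in by cp -avr /etc/* (assumed list).
    for rel in shadow gshadow sudoers ssh/ssh_host_key \
               ssh/ssh_host_rsa_key ssh/ssh_host_dsa_key; do
        if [ -e "$etc/$rel" ]; then
            echo "host secret in jail: /etc/$rel"
        fi
    done
)

# Demo on a constructed jail: the article's two files plus leftovers.
demo_audit() (
    jail=$(mktemp -d) && mkdir -p "$jail/etc"
    printf '%s\n' 'root:x:0:root' 'lighttpd:x:101:' 'mysql:x:27:' \
        > "$jail/etc/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'lighttpd:x:100:101:lighttpd web server:/srv/www/lighttpd:/sbin/nologin' \
        > "$jail/etc/passwd"
    : > "$jail/etc/shadow"
    jail_etc_audit "$jail"
    rm -rf "$jail"
)
demo_audit
```

Against the real jail, run jail_etc_audit /webroot after editing passwd and group.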

Step # 5: Copy php modules

Now copy php mysql support, php gd and all other modules:
# cd /webroot/usr/lib/
# cp -avr /usr/lib/php/ .
# cd php/modules
# for l in *.so; do l2chroot "$l"; done
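
l2chroot copies what ldd reports, but glibc also loads NSS modules (libnss_files.so.2, libnss_dns.so.2) at run time according to the nsswitch.conf copied in the /etc step, and ldd does not list those. The script below is an added example, not part of l2chroot or the original article: it parses ldd output and nsswitch.conf and prints every library that has no copy under the jail. The function names and the /lib default directory are assumptions.

```sh
#!/bin/sh
# Added example (not l2chroot): report libraries missing from a chroot jail.

# ldd_paths: print the on-disk path from each `ldd` output line on stdin.
#   name => /path (0x..)  -> /path      /path (0x..)   -> /path
#   name =>  (0x..)       -> skipped    name (0x..)    -> skipped (vdso)
# "not found" and "statically linked" lines carry no path and are skipped.
ldd_paths() {
    awk '/=>/       { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# nss_modules [LIBDIR]: read nsswitch.conf on stdin and print the NSS
# modules glibc dlopen()s for passwd, group and hosts lookups.
# LIBDIR is an assumption: /lib here, /lib64 on x86_64 installs.
nss_modules() {
    awk -v dir="${1:-/lib}" '
        $1 ~ /^(passwd|group|hosts):$/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break            # trailing comment
                if (index($i, "=")) continue    # [NOTFOUND=return] action
                print dir "/libnss_" $i ".so.2"
            }
        }' | sort -u
}

# missing_in_jail JAIL: read absolute paths on stdin, print those that
# have no copy under JAIL.
missing_in_jail() {
    jail=${1%/}
    while IFS= read -r path; do
        [ -e "$jail$path" ] || printf '%s\n' "$path"
    done
}

# Demo on constructed input: a throwaway jail that holds only libc.
demo() (
    jail=$(mktemp -d) && mkdir -p "$jail/lib" && : > "$jail/lib/libc.so.6"
    { printf '%s\n' ' linux-gate.so.1 =>  (0x00110000)' \
                    ' libc.so.6 => /lib/libc.so.6 (0x00a3c000)' \
                    ' /lib/ld-linux.so.2 (0x00a1a000)' | ldd_paths
      printf 'hosts: files dns\n' | nss_modules /lib
    } | missing_in_jail "$jail"
    rm -rf "$jail"
)
demo
```

Against the real jail: ldd /webroot/usr/bin/php-cgi | ldd_paths | missing_in_jail /webroot, and nss_modules /lib < /webroot/etc/nsswitch.conf | missing_in_jail /webroot.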

Step # 6: Configure lighttpd chroot call

Open the /etc/lighttpd/lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Set up the default document root and the chroot directory:
server.document-root = "/home/lighttpd/default/"
server.chroot="/webroot"

Save and close the file.

Step # 7: Restart lighttpd

Type the following command:
# /etc/init.d/lighttpd restart

Jail size

# du -ch /webroot/
Output:

12K     /webroot/var/log/lighttpd
16K     /webroot/var/log
4.0K    /webroot/var/run/lighttpd
8.0K    /webroot/var/run
28K     /webroot/var
8.0K    /webroot/etc/ld.so.conf.d
36K     /webroot/etc/php.d
160K    /webroot/etc
8.0K    /webroot/home/lighttpd/default
12K     /webroot/home/lighttpd
16K     /webroot/home
5.3M    /webroot/lib
4.0K    /webroot/tmp
872K    /webroot/usr/lib/sse2
1.4M    /webroot/usr/lib/mysql
676K    /webroot/usr/lib/php/modules
4.0K    /webroot/usr/lib/php/pear
684K    /webroot/usr/lib/php
9.9M    /webroot/usr/lib
2.9M    /webroot/usr/bin
13M     /webroot/usr
19M     /webroot/
19M     total

Troubleshooting

Always go through /var/log/messages and the server log files:
# tail -f /var/log/messages

Download mysql testing script

Copy and test php mysql connectivity with this script.




{ 10 comments… read them below or add one }

1 Arnaud D December 3, 2007 at 1:32 pm

Hmm, do I have to copy my website files from the old /var/www/docroot to the new /chroot/var/www/docroot? If I leave my files in /var/www/docroot I get 404, if I move them to /chroot/var/www/docroot, lighttpd displays “No input files specified”, and if I place them in both locations at the same time it looks like it is working :/ crazy problem.

And I have another behaviour, can’t stop services as explained here: http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html#comment-142040

Reply

2 Nitz July 21, 2008 at 8:57 am

error message Starting lighttpd: 2008-07-21 08:51:44: (configfile.c.1136) base-docroot doesn’t exist: /home/lighttpd/default/

fix:
vi /etc/lighttpd/lighttpd.conf
server.document-root = "/home/lighttpd/default/"

needs to be:
server.document-root = "home/lighttpd/default/"

Reply

3 MM October 2, 2008 at 3:05 am

I needed to copy the /lib/libnss_dns.so.2 to my chroot “/lib” directory because the php-cgi wasn’t able to resolve names in fsockopen/fopen/etc.

(php_network_getaddresses: getaddrinfo failed)

Thanks!

[]s, MM

Reply

4 alex June 15, 2009 at 11:25 am

Hey, you’ve missed the “how to setup mysql” instructions, and mysql won’t work…

Reply

5 Vivek Gite June 15, 2009 at 1:15 pm

@ alex

No, I don’t. yum command is used to install mysql-server. However, customization setting up mysql root password, database, accounts is not covered as those are site specific config options.

Reply

6 Alexandre Haguiar June 28, 2009 at 1:20 pm

If you are using lua and mod_magnet you have to follow this step:

# cd /webroot/usr/bin
# cp /usr/bin/lua .
# l2chroot lua

Reply

7 Steve Zip February 21, 2010 at 6:48 am

Starting lighttpd: 2010-02-21 01:36:28: (configfile.c.1178) base-docroot doesn’t exist: /webroot/home/lighttpd/default/
2010-02-21 01:36:28: (server.c.584) setting default values failed
[FAILED]

Followed the tutorial to the T, and I don’t see where this directory is created. I tried to create this directory myself:

mkdir /webroot/home/lighttpd/default
mkdir: cannot create directory `/webroot/home/lighttpd/default’: File exists

So does this directory exist or what? If it exists, then what’s the problem with lighttpd?

Reply

8 James Shailes March 18, 2010 at 11:14 pm

Same problem as Steve, I’ll keep you posted if I find a fix.

Reply

9 Miki November 21, 2010 at 1:28 pm

Step # 4: Install php in jail

I’m getting an error “cannot stat `/lib64/libsepol.so.1)’: No such file or directory”
and file is there.

Reply

10 Ali Aghabagheri November 24, 2011 at 1:35 pm

Hi,

Thanks. The jail works perfectly. PHP pages communicate successfully with mysql server. But just phpmyadmin loads a white page.

My issue is phpmyadmin, which doesn’t work in the jail.
I don’t know why. I debugged it with strace and copied all of the required libraries to the jail.
Please give me a clue.

My test environment is as follows:
CentOs -latest version
httpd- latest version
mysql- latest version
php- latest version
phpmyadmin- latest version

regards,
Ali Aghabagheri

Reply
