CentOS / Redhat Enterprise Linux Setup Lighttpd in Chroot Jail

November 2, 2007 · 10 comments · Last updated October 1, 2008


Many people have asked me to write about setting up Lighttpd under CentOS or RHEL 5 Linux using the chroot() call. The instructions are almost the same as for Debian / Ubuntu Linux, but a few small modifications are needed.

For this example we will build the jail at /webroot.
=> Default document root: /home/lighttpd/default/
=> Port: 80
=> IP: Your public IP address
=> Virtual domain1: /home/lighttpd/vdomain1.com/
=> Virtual domain1 access log file: /var/log/lighttpd/vdomain1.com/
=> Default access log file: /var/log/lighttpd/access.log
=> Default error log file: /var/log/lighttpd/error.log
=> Default php error log file: /var/log/lighttpd/php.log

Assumptions

These installation instructions assume you have:

  • Linux distribution
  • Required RPMs (see below for installation instructions)
    • php, php-pear, php-common, php-pdo, php-ldap, php-gd, php-cli, php-mysql
    • mysql, mysql-server etc
    • lighttpd, lighttpd-fastcgi (rpm available here)
  • Installations were tested on Red Hat Enterprise Linux v4/5 or CentOS v4/5 or Fedora Linux 7

Step # 1: Install required packages

Install php and related packages:
# yum install php php-pear php-common php-pdo php-ldap php-gd php-cli php-mysql
Install mysql and related packages:
# yum install mysql mysql-server
Install lighttpd and mod_fastcgi for lighttpd:
# rpm -ivh http://dag.wieers.com/rpm/packages/lighttpd/lighttpd-1.4.18-1.el5.rf.i386.rpm
# rpm -ivh http://dag.wieers.com/rpm/packages/lighttpd/lighttpd-fastcgi-1.4.18-1.el5.rf.i386.rpm

Step # 2: Create /webroot and related directories

# mkdir /webroot
# cd /webroot
# mkdir etc
# mkdir tmp
# chmod 1777 tmp/
# mkdir -p usr/bin
# mkdir -p home/lighttpd/default
# mkdir -p var/run/lighttpd
# mkdir -p var/log/lighttpd
# chown lighttpd:lighttpd var/run/lighttpd/
# chown lighttpd:lighttpd var/log/lighttpd/
# chown -R lighttpd:lighttpd home/

Step # 3: Install chroot script

Download and install my l2chroot script, which helps you build the lighttpd jail:
# cd /sbin/
# wget http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# mv l2chroot.txt l2chroot
# chmod +x l2chroot

Step # 4: Install php in jail

Now copy the php-cgi binary and its shared libraries into the jail using the l2chroot script:
# cd /webroot/usr/bin
# cp /usr/bin/php-cgi .
# l2chroot php-cgi

Step # 5: Copy required files to /etc

Now copy php.ini and the related files to the jail's etc/ directory (/webroot/etc):
# cd /webroot/etc
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/nsswitch.conf .
# cp /etc/resolv.conf .
# cp /etc/php.ini .
# cp -avr /etc/php.d/ .
# cp -avr /etc/ld* .

Update (Oct-1-2008, 1:52pm): To work with the latest php version, you need to copy the entire /etc/ directory and the /usr/share/zoneinfo files into the jail:
# cd /webroot/etc
# /bin/cp -avr /etc/* .

Copy all files from /usr/share/zoneinfo/:
# mkdir -p /webroot/usr/share/
# cd /webroot/usr/share/
# cp -avr /usr/share/zoneinfo/ .

Open the group and passwd files inside the jail and keep only the entries for the root and lighttpd users:
# vi /webroot/etc/group
Make sure the file looks as follows:
root:x:0:root
lighttpd:x:101:

Also open the passwd file inside the jail:
# vi /webroot/etc/passwd
Make sure the file looks as follows:
root:x:0:0:root:/root:/bin/bash
lighttpd:x:100:101:lighttpd web server:/srv/www/lighttpd:/sbin/nologin
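
A check for the result of this step, as an added example that is not part of the original tutorial. audit_jail is a hypothetical helper name; the list of sensitive files that cp /etc/* carries along and the setuid check are assumptions that go beyond what the page states.

```shell
#!/bin/sh
# Added example: audit a chroot tree built with the steps on this page.
# Prints one line per finding; returns non-zero if anything was found.
audit_jail() {
    jail=${1:-/webroot}          # /webroot is the jail path used on this page
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # passwd and group inside the jail should list only root and lighttpd.
    for f in passwd group; do
        [ -f "$jail/etc/$f" ] || { note "etc/$f is missing"; continue; }
        extra=$(awk -F: 'NF && $1 != "root" && $1 != "lighttpd" { printf "%s ", $1 }' \
                "$jail/etc/$f")
        [ -z "$extra" ] || note "etc/$f has extra entries: $extra"
    done

    # Assumption: on a stock system, cp /etc/* also copies these files,
    # none of which the web server needs to read.
    for f in shadow shadow- gshadow gshadow- sudoers; do
        [ ! -e "$jail/etc/$f" ] || note "etc/$f is present in the jail"
    done
    for k in "$jail"/etc/ssh/ssh_host_*key; do
        [ ! -e "$k" ] || note "SSH host private key in jail: ${k#"$jail"/}"
    done

    # tmp must be world-writable with the sticky bit (chmod 1777 in Step 2).
    mode=$(stat -c %a "$jail/tmp" 2>/dev/null) || mode=missing
    [ "$mode" = 1777 ] || note "tmp has mode $mode, expected 1777"

    # Assumption: no setuid/setgid file belongs in a web server jail.
    suid=$(find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null) || true
    [ -z "$suid" ] || note "setuid/setgid files: $(echo $suid)"

    [ "$findings" -eq 0 ]
}

# Run against a jail given on the command line, e.g.: sh audit_jail.sh /webroot
[ "$#" -eq 0 ] || audit_jail "$1"
```
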

Step # 5: Copy php modules

Now copy the php mysql, php gd and all other php modules:
# cd /webroot/usr/lib/
# cp -avr /usr/lib/php/ .
# cd php/modules
# for l in *.so; do l2chroot "$l"; done
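
How ldd-based dependency copying of this kind works, as an added example (this is not the l2chroot script, and the function names are hypothetical). It also lists the NSS modules named on the hosts line of nsswitch.conf, such as libnss_dns.so.2, which glibc loads at run time and ldd therefore does not report; the /lib64 and /lib search paths are an assumption.

```shell
#!/bin/sh
# Added example: work out which libraries a binary needs inside the jail.

# Read ldd output on stdin and print each absolute library path once.
# Taking only tokens that start with "/" skips "linux-vdso.so.1 => (0x...)"
# and never picks up the "(0x...)" load address printed after a path.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | sort -u
}

# Print the glibc NSS modules named on the "hosts:" line of an nsswitch.conf.
# Bracketed actions such as [NOTFOUND=return] are not module names.
nss_host_modules() {
    awk '$1 == "hosts:" {
             for (i = 2; i <= NF; i++) {
                 if ($i ~ /^#/) break
                 if ($i !~ /^\[/) print "libnss_" $i ".so.2"
             }
         }' "$1" 2>/dev/null
}

# Copy a binary's libraries and the NSS modules into the jail, keeping
# the same absolute paths under the jail root.
copy_deps() {
    jail=$1 bin=$2
    {
        ldd "$bin" | ldd_paths
        for m in $(nss_host_modules "$jail/etc/nsswitch.conf"); do
            for d in /lib64 /lib; do
                if [ -e "$d/$m" ]; then echo "$d/$m"; fi
            done
        done
    } | sort -u | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -pL "$lib" "$jail$lib"     # -L: copy the file a symlink points to
    done
}

# e.g.: sh copy_deps.sh /webroot /webroot/usr/bin/php-cgi
[ "$#" -lt 2 ] || copy_deps "$1" "$2"
```
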

Step # 6: Configure lighttpd chroot call

Open /etc/lighttpd/lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Set the default document root and the chroot directory:
server.document-root = "/home/lighttpd/default/"
server.chroot="/webroot"

Save and close the file.

Step # 7: Restart lighttpd

Type the following command:
# /etc/init.d/lighttpd restart

Jail size

# du -ch /webroot/
Output:

12K     /webroot/var/log/lighttpd
16K     /webroot/var/log
4.0K    /webroot/var/run/lighttpd
8.0K    /webroot/var/run
28K     /webroot/var
8.0K    /webroot/etc/ld.so.conf.d
36K     /webroot/etc/php.d
160K    /webroot/etc
8.0K    /webroot/home/lighttpd/default
12K     /webroot/home/lighttpd
16K     /webroot/home
5.3M    /webroot/lib
4.0K    /webroot/tmp
872K    /webroot/usr/lib/sse2
1.4M    /webroot/usr/lib/mysql
676K    /webroot/usr/lib/php/modules
4.0K    /webroot/usr/lib/php/pear
684K    /webroot/usr/lib/php
9.9M    /webroot/usr/lib
2.9M    /webroot/usr/bin
13M     /webroot/usr
19M     /webroot/
19M     total

Troubleshooting

Always go through /var/log/messages and the server log files:
# tail -f /var/log/messages

Download mysql testing script

Copy and test php mysql connectivity with this script.


1 Arnaud D December 3, 2007 at 1:32 pm

Hmm do I have to copy my website files from the old /var/www/docroot to the new /chroot/var/www/docroot? If I let my files to the /var/www/docroot i get 404, if I move them to /chroot/var/www/docroot, lighttpd displays “No input files specified” and if I place them to both location in same time looks like working :/ crazy problem.

And I have another behaviour, can’t stop services as explained here: http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html#comment-142040

2 Nitz July 21, 2008 at 8:57 am

error message Starting lighttpd: 2008-07-21 08:51:44: (configfile.c.1136) base-docroot doesn’t exist: /home/lighttpd/default/

fix:
vi /etc/lighttpd/lighttpd.conf
server.document-root = "/home/lighttpd/default/"

needs to be:
server.document-root = "home/lighttpd/default/"

3 MM October 2, 2008 at 3:05 am

I needed to copy the /lib/libnss_dns.so.2 to my chroot “/lib” directory because the php-cgi wasn’t able to resolve names in fsockopen/fopen/etc.

(php_network_getaddresses: getaddrinfo failed)

Thanks!

[]s, MM

4 alex June 15, 2009 at 11:25 am

Hey, you’ve missed the “how to setup mysql” instructions, and mysql won’t work…

5 nixCraft June 15, 2009 at 1:15 pm

@ alex

No, I don’t. yum command is used to install mysql-server. However, customization setting up mysql root password, database, accounts is not covered as those are site specific config options.

6 Alexandre Haguiar June 28, 2009 at 1:20 pm

If you are using lua and mod_magnet you have to follow this step:

# cd /webroot/usr/bin
# cp /usr/bin/lua .
# l2chroot lua

7 Steve Zip February 21, 2010 at 6:48 am

Starting lighttpd: 2010-02-21 01:36:28: (configfile.c.1178) base-docroot doesn’t exist: /webroot/home/lighttpd/default/
2010-02-21 01:36:28: (server.c.584) setting default values failed
[FAILED]

Followed the tutorial to the T, and I don’t see where this directory is created. I tried to create this directory myself:

mkdir /webroot/home/lighttpd/default
mkdir: cannot create directory `/webroot/home/lighttpd/default’: File exists

So does this directory exist or what? If it exists, then what’s the problem with lighttpd?

8 James Shailes March 18, 2010 at 11:14 pm

Same problem as Steve, I’ll keep you posted if I find a fix.

9 Miki November 21, 2010 at 1:28 pm

Step # 4: Install php in jail

I’m getting an error “cannot stat `/lib64/libsepol.so.1)’: No such file or directory”
and file is there.

10 Ali Aghabagheri November 24, 2011 at 1:35 pm

Hi,

Thanks. The jail works perfectly. PHP pages communicate successfully with the mysql server. But phpmyadmin just loads a white page.

My issue is that phpmyadmin doesn’t work in the jail.
I don’t know why. I debugged it with strace and copied all of the required libraries to the jail.
Please give me a clue?

My test environment is as follows:
CentOs -latest version
httpd- latest version
mysql- latest version
php- latest version
phpmyadmin- latest version

regards,
Ali Aghabagheri
