CentOS / Redhat Enterprise Linux Setup Lighttpd in Chroot Jail

last updated in Categories CentOS, File system, Howto, lighttpd, MySQL, php, RedHat/Fedora Linux, Security

Many people asked me to write about setting up Lighttpd under CentOS or RHEL 5 Linux using chroot() call. The instructions are almost same but you need to make little modification as compare to Debian / Ubuntu Linux instructions.


For example purpose we will build jail at /webroot location.
=> Default document root : /home/lighttpd/default/
=> Port : 80
=> IP: Your Public IP address
=> Virtual domain1: /home/lighttpd/vdomain1.com/
=> Virtual domain1 access log file: /var/log/lighttpd/vomain1.com/
=> Default access log file:/var/log/lighttpd/access.log
=> Default error log file:/var/log/lighttpd/error.log
=> Default php error log file: /var/log/lighttpd/php.log

Assumptions

These installation instructions assume you have:

  • Linux distribution
  • Required RPMs (see below for installation instructions)
    • php, php-pear, php-common, php-pdo, php-ldap, php-gd, php-cli, php-mysql
    • mysql, mysql-server etc
    • lighttpd, lighttpd-fastcgi (rpm available here)
  • Installations were tested on Red Hat Enterprise Linux v4/5 or CentOS v4/5 or Fedora Linux 7

Step # 1: Install required packages

Install php and related packages:
# yum install php php-pear php-common php-pdo php-ldap php-gd php-cli php-mysql
Install mysql and related packages:
# yum install mysql mysql-server
Install lighttpd and mod_fastcgi for lighttpd:
# rpm -ivh http://dag.wieers.com/rpm/packages/lighttpd/lighttpd-1.4.18-1.el5.rf.i386.rpm
# rpm -ivh http://dag.wieers.com/rpm/packages/lighttpd/lighttpd-fastcgi-1.4.18-1.el5.rf.i386.rpm

Step # 2: Create /webroot and related directories

# mkdir /webroot
# cd /webroot
# mkdir etc
# mkdir tmp
# chmod 1777 tmp/
# mkdir -p usr/bin
# mkdir -p home/lighttpd/default
# mkdir -p var/run/lighttpd
# mkdir -p var/log/lighttpd
# chown lighttpd:lighttpd var/run/lighttpd/
# chown lighttpd:lighttpd var/log/lighttpd/
# chown -R lighttpd:lighttpd home/

Step # 3: Install chroot script

You need to download and install my script that will help you to build lighttpd in jail:
# cd /sbin/
# wget http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# mv l2chroot.txt l2chroot
# chmod +x l2chroot

Step # 4: Install php in jail

Now copy php-cgi binary and related shared libraries using l2chroot script:
# cd /webroot/usr/bin
# cp /usr/bin/php-cgi .
# l2chroot php-cgi

Step # 5: Copy required files to /etc

Now you must copy php.ini and related all files to /etc/
# cd /webroot/etc
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/nsswitch.conf .
# cp /etc/resolv.conf .
# cp /etc/php.ini .
# cp -avr /etc/php.d/ .
# cp -avr /etc/ld* .
Update (Oct-1-2008, 1:52pm) : You need to copy entire /etc/ and /usr/share/zoneinfo files to work with latest php version:
# cd /webroot/etc
# /bin/cp -avr /etc/* .
Copy all files from /usr/share/zoneinfo/:
# mkdir -p /webroot/usr/share/
# cd /webroot/usr/share/
# cp -avr /usr/share/zoneinfo/ .

Open group and passwd file and only keep entries for root and lighttpd user:
# vi /webroot/etc/group
Make sure file look as follows:
root:x:0:root
lighttpd:x:101:
Also open passwd file inside jail:
# vi /webroot/etc/passwd
Make sure file look as follows:
root:x:0:0:root:/root:/bin/bash
lighttpd:x:100:101:lighttpd web server:/srv/www/lighttpd:/sbin/nologin

Step # 5: Copy php modules

Now copy php mysql support, php gd and other all modules:
# cd /webroot/usr/lib/
# cp -avr /usr/lib/php/ .
# cd php/modules
# for l in *.so; do l2chroot $l; done

Step # 6: Configure lighttpd chroot call

Open /etc/lighttpd/lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Setup default document root and chroot directory:
server.document-root = "/home/lighttpd/default/"
server.chroot="/webroot"
Save and close the file.

Step # 7: Restart lighttpd

Type the following command:
# /etc/init.d/lighttpd restart

Jail size

# du -ch /webroot/
Output:

12K     /webroot/var/log/lighttpd
16K     /webroot/var/log
4.0K    /webroot/var/run/lighttpd
8.0K    /webroot/var/run
28K     /webroot/var
8.0K    /webroot/etc/ld.so.conf.d
36K     /webroot/etc/php.d
160K    /webroot/etc
8.0K    /webroot/home/lighttpd/default
12K     /webroot/home/lighttpd
16K     /webroot/home
5.3M    /webroot/lib
4.0K    /webroot/tmp
872K    /webroot/usr/lib/sse2
1.4M    /webroot/usr/lib/mysql
676K    /webroot/usr/lib/php/modules
4.0K    /webroot/usr/lib/php/pear
684K    /webroot/usr/lib/php
9.9M    /webroot/usr/lib
2.9M    /webroot/usr/bin
13M     /webroot/usr
19M     /webroot/
19M     total

Troubleshooting

Always go thought /var/log/messages and server log files:
# tail -f /var/log/messages

Download mysql testing script

Copy and test php mysql connectivity with this script.

ADVERTISEMENTS

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

10 comment

  1. Hmm do I have to copy my website files from the old /var/www/docroot to the new /chroot/var/www/docroot

    ? If I let my files to the /var/www/docroot i get 404, if I move them to /chroot/var/www/docroot, lighttpd displays “No input files specified” and if I place them to both location in same time looks like working :/ crazy problem.

    And I have another behaviour, can’t stop services as explained here: http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html#comment-142040

  2. error message Starting lighttpd: 2008-07-21 08:51:44: (configfile.c.1136) base-docroot doesn’t exist: /home/lighttpd/default/

    fix:
    vi /etc/lighttpd/lighttpd.conf
    server.document-root = “/home/lighttpd/default/”

    needs to be;
    server.document-root = “home/lighttpd/default/”

  3. I needed to copy the /lib/libnss_dns.so.2 to my chroot “/lib” directory becouse the php-cgi wasn’t able to resolve names in fsockopen/fopen/etc.

    (php_network_getaddresses: getaddrinfo failed)

    Thanks!

    []s, MM

  5. @ alex

    No, I don’t. yum command is used to install mysql-server. However, customization setting up mysql root password, database, accounts is not covered as those are site specific config options.

  6. If you are using lua and mod_magnet you have to follow this step:

    # cd /webroot/usr/bin
    # cp /usr/bin/lua .
    # l2chroot lua

  7. Starting lighttpd: 2010-02-21 01:36:28: (configfile.c.1178) base-docroot doesn’t exist: /webroot/home/lighttpd/default/
    2010-02-21 01:36:28: (server.c.584) setting default values failed
    [FAILED]

    Followed the tutorial to the T, and I don’t see where this directory is created. I tried to create this directory myself:

    mkdir /webroot/home/lighttpd/default
    mkdir: cannot create directory `/webroot/home/lighttpd/default’: File exists

    So does this directory exist or what? If it exists, than what’s the problem with lighttpd?

  9. Step # 4: Install php in jail

    I’m getting an error “cannot stat `/lib64/libsepol.so.1)’: No such file or directory”
    and file is there.

  10. Hi,

    thanks. the jail works perfectly. php pages communicates successfully with mysql server. But just phpmyadmin loads a white page.

    My issue is phpmyadmin that doesn’t work in the jail.
    I don’t know why?. I debug it with strace and copied all of the required libraries to the jail.
    please give me a clue?

    My test environment is as follows:
    CentOs -latest version
    httpd- latest version
    mysql- latest version
    php- latest version
    phpmyadmin- latest version

    regards,
    Ali Aghabagheri

    Have a question? Post it on our forum!