How to install Linux Server, DevOps, Ansible

How to Chroot Jail Apache in Linux

Share on Social Media

Discover how to Chroot Jail Apache in Linux with our comprehensive guide. Enhance your web server security by isolating Apache processes from the rest of the system. #centlinux #linux #apache

What is Chroot Jail?

In Linux, Chroot is an operation to change the apparent root directory i.e. / for a running process and their child processes. The process running in Chroot can not access the files and commands outside that environmental directory tree. This modified environment is called a Chroot Jail.

A chroot environment is relatively difficult to set up than a traditional install, especially if we run other software like MySQL, PHP, Python, etc.

How to Chroot Jail Apache in Linux
How to Chroot Jail Apache in Linux

Why to Chroot Jail Apache?

By chrooting the Apache web server, we do not actually increase the security, rather we limit the access to files and commands by the httpd process and decreases the possible impact, when an Apache web server is compromised. Also potentially dangerous CGI scripts can only access the environmental root directory.

In this post, we will set up a chroot jail Apache Web Server in Linux, and create the systemd unit to auto-start the httpd service.

If you’re serious about mastering web hosting and server management, the Apache Web Server by Vipin Gupta online course is a perfect choice. This beginner-friendly yet comprehensive training will guide you through Apache installation, configuration, optimization, and troubleshooting—all the essential skills you need to confidently manage real-world server environments.

Whether you’re a student, system administrator, or developer, this course will give you practical knowledge that you can immediately apply in your projects or career. Enroll now through my affiliate link and start building your expertise in one of the world’s most popular web servers.

Disclaimer: This post contains affiliate links. If you purchase through these links, I may earn a small commission at no extra cost to you.

System Specification

We are using a Linux machine with following specification for this demonstration.

  • Hostname – webserver-01.example.com
  • IP Address – 192.168.116.61/24
  • Operating SystemRHEL 7.5

Chroot Jail Apache Web Server

Connect to our Linux machine using ssh and create the directory for setting up the chroot jail.

mkdir -p /chroot/httpd/

We have already configured the local yum repository on the machine. Please refer to my previous article Configure Local Yum Repository using ISO in Linux.

Now, we are installing Apache web server using yum, but in a non-default directory.

yum install -y httpd --installroot=/chroot/httpd

Above command will install the Apache Web Server and its dependencies in the /chroot/httpd. You may observe that, it installs many packages that were already installed on the default root /. These packages are reinstalled in /chroot/httpd for the sake of chroot jail setup.

Create some required devices for the chroot environment.

cd /chroot/httpd/dev
rm -f null
mknod /chroot/httpd/dev/null c 1 3
mknod /chroot/httpd/dev/random c 1 8
mknod /chroot/httpd/dev/urandom c 1 9
ls -al

Output:

total 0
drwxr-xr-x.  2 root root   47 Sep  2 19:26 .
dr-xr-xr-x. 17 root root  224 Sep  2 19:17 ..
crw-r--r--.  1 root root 1, 3 Sep  2 19:26 null
crw-r--r--.  1 root root 1, 8 Sep  2 19:26 random
crw-r--r--.  1 root root 1, 9 Sep  2 19:26 urandom

Add a default homepage for Apache web server.

cd /chroot/httpd/var/www/html/
cat >> index.html << EOF
<html>
<head><title>Test Page</title></head>
<body><h1>Apache Homepage from Chroot Jail.</h1></body>
</html>
EOF

Allow httpd service to communicate through Firewall.

firewall-cmd --permanent --add-service=http
firewall-cmd --reload

Configure systemd unit to autostart httpd service. First copy the required configuration files from chroot jail to host environment.

cp /chroot/httpd/etc/sysconfig/httpd /etc/sysconfig/
cp /chroot/httpd/usr/lib/systemd/system/httpd.service /usr/lib/systemd/system/

Now edit the httpd.service unit to start Apache in chrooted environment.

vi /usr/lib/systemd/system/httpd.service

Search and update the following three lines.

Type=simple
ExecStart=/sbin/chroot /chroot/httpd /usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/sbin/chroot /chroot/httpd /usr/sbin/httpd $OPTIONS -k graceful

For further clarification, the differences in files after editing are shown below.

diff /chroot/httpd/usr/lib/systemd/system/httpd.service /usr/lib/systemd/system/httpd.service

Output:

8c8
< Type=notify
---
> Type=simple
10,11c10,11
< ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
< ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
---
> ExecStart=/sbin/chroot /chroot/httpd /usr/sbin/httpd $OPTIONS -DFOREGROUND
> ExecReload=/sbin/chroot /chroot/httpd /usr/sbin/httpd $OPTIONS -k graceful

Start and enable httpd service.

systemctl daemon-reload
systemctl start httpd
systemctl enable httpd

Check root directory for running httpd service. First we obtain the PID of the httpd process and then check it’s root directory in the proc folder.

systemctl status httpd

Output:

â httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-09-02 20:18:23 PKT; 1min 16s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 10620 (httpd)
   CGroup: /system.slice/httpd.service
           ââ10620 /usr/sbin/httpd -DFOREGROUND
           ââ10639 /usr/sbin/httpd -DFOREGROUND
           ââ10640 /usr/sbin/httpd -DFOREGROUND
           ââ10641 /usr/sbin/httpd -DFOREGROUND
           ââ10642 /usr/sbin/httpd -DFOREGROUND
           ââ10643 /usr/sbin/httpd -DFOREGROUND

Sep 02 20:18:23 webserver-01.example.com systemd[1]: Started The Apache HTTP ...
Sep 02 20:18:23 webserver-01.example.com systemd[1]: Starting The Apache HTTP...
Hint: Some lines were ellipsized, use -l to show in full.

Now find the root directory of the process by PID.

ls /proc/10620/root -al

Output:

lrwxrwxrwx. 1 root root 0 Sep  2 20:20 /proc/10620/root -> /chroot/httpd

Browse the URL http://webserver-01.example.com/ from a client’s browser to verify the httpd service.

Chroot Jail Apache Homepage
Chroot Jail Apache Homepage

We have successfully set up a chroot jail for our Apache Web Server in Linux.

Final Thoughts

Implementing a Chroot Jail for Apache in Linux can greatly improve your web server’s security by isolating its processes from the rest of the system. By following this guide, you can ensure a more secure and robust environment for your web applications.

Struggling with AWS or Linux server issues? I specialize in configuration, troubleshooting, and security to keep your systems performing at their best. Check out my Freelancer profile for details.

Looking for something?

Latest Articles

4 responses to “How to Chroot Jail Apache in Linux”

  1. Bill Hatcher Avatar
    Bill Hatcher

    One issue… when I tried the initial yum install, I got this error:

    Cannot find a valid baseurl for repo: base/$releasever/x86_64

    When using –installroot=, the variable $releasever isn't populated. The fix is to include –releasever=7 in the command:

    yum install -y httpd –releasever=7 –installroot=/chroot/httpd

    After that it worked perfectly. Thanks!

  2. Ahmer M Avatar
    Ahmer M

    Hi, its good that you resolve the issue by yourself. But the problem does not related to Chroot, rather it is caused due to the yum configuration. Please refer to Configure Local Yum Repository using ISO in RHEL 7

  3. Anonymous Avatar
    Anonymous

    Hello, thanks a lot, very useful !
    Can you tell how to use php in that configuration please ? Does it need to be installed in the jail ?
    Thanks a lot

  4. Ahmer M Avatar
    Ahmer M

    There are different ways to install PHP in chrooted environment. It depends upon the user requirement. But if you are following the above article, then it is better that you install PHP in the jail as well.

Leave a Reply