Chrooting Apache 2.4 on Debian Jessie with mod_security

Question

I have been advised to chroot my apache2 installation to better secure the sensitive content on the rest of the server. I have installed and setup mod_security properly and can see in the logs that it is chrooting apache2 properly, but systemctl is having problems verifying that the service is running. When I run:

service apache2 start

it hangs for 20 seconds and then reports as failed:

The apache2 instance did not start within 20 seconds. Please read the log files to discover problems ... (warning).

but if I check the processes, I can see that various apache2 services are running. If I try accessing my website, I get a 403 Forbidden error. Here is my grep'ed /etc/apache2/apache2.conf:

Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
SecChrootDir /var/www
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>
<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>
<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
        Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
ServerName localhost

and this is my /etc/apache2/sites-enabled/site.com.conf:

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

<Directory /var/www>
  AllowOverride None
  Require all granted
</Directory>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Some recent /var/log/apache2/error.log:

[Mon Feb 22 00:26:02.746084 2016] [mpm_prefork:notice] [pid 2766] AH00169: caught SIGTERM, shutting down
[Mon Feb 22 00:26:27.000946 2016] [:notice] [pid 2978] ModSecurity: chroot checkpoint #1 (pid=2978 ppid=2975)
[Mon Feb 22 00:26:27.001010 2016] [:notice] [pid 2978] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Mon Feb 22 00:26:27.001016 2016] [:notice] [pid 2978] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Mon Feb 22 00:26:27.001022 2016] [:notice] [pid 2978] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"
[Mon Feb 22 00:26:27.001028 2016] [:notice] [pid 2978] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Feb 22 00:26:27.001032 2016] [:notice] [pid 2978] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Feb 22 00:26:27.001068 2016] [:notice] [pid 2978] ModSecurity: StatusEngine call: "2.8.0,Apache/2.4.10 (Debian),1.5.1/1.5.1,8.35/8.35 2014-04-04,Lua 5.1,2.9.1,d5"
[Mon Feb 22 00:26:27.223832 2016] [:notice] [pid 2978] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Mon Feb 22 00:26:28.000065 2016] [:notice] [pid 2979] ModSecurity: chroot checkpoint #2 (pid=2979 ppid=1)
[Mon Feb 22 00:26:28.000103 2016] [:notice] [pid 2979] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:26:28.003129 2016] [mpm_prefork:notice] [pid 2979] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Feb 22 00:26:28.003162 2016] [core:notice] [pid 2979] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 22 00:26:51.576466 2016] [authz_core:error] [pid 2983] [client 65.29.162.224:50484] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.093394 2016] [authz_core:error] [pid 2984] [client 80.65.51.221:5624] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.108471 2016] [authz_core:error] [pid 2985] [client 80.65.51.221:10799] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.137950 2016] [authz_core:error] [pid 2986] [client 80.65.51.221:64057] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:28:48.924836 2016] [authz_core:error] [pid 2987] [client 150.70.173.47:53051] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:33:48.875421 2016] [authz_core:error] [pid 3032] [client 65.29.162.224:50567] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:33:49.977038 2016] [authz_core:error] [pid 3032] [client 65.29.162.224:50567] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:34:06.848570 2016] [mpm_prefork:notice] [pid 2979] AH00169: caught SIGTERM, shutting down
[Mon Feb 22 00:34:28.000025 2016] [:notice] [pid 3821] ModSecurity: chroot checkpoint #1 (pid=3821 ppid=3818)
[Mon Feb 22 00:34:28.000106 2016] [:notice] [pid 3821] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Mon Feb 22 00:34:28.000112 2016] [:notice] [pid 3821] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Mon Feb 22 00:34:28.000118 2016] [:notice] [pid 3821] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"
[Mon Feb 22 00:34:28.000123 2016] [:notice] [pid 3821] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Feb 22 00:34:28.000128 2016] [:notice] [pid 3821] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Feb 22 00:34:28.000163 2016] [:notice] [pid 3821] ModSecurity: StatusEngine call: "2.8.0,Apache/2.4.10 (Debian),1.5.1/1.5.1,8.35/8.35 2014-04-04,Lua 5.1,2.9.1,d5"
[Mon Feb 22 00:34:28.182087 2016] [:notice] [pid 3821] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Mon Feb 22 00:34:29.000835 2016] [:notice] [pid 3822] ModSecurity: chroot checkpoint #2 (pid=3822 ppid=1)
[Mon Feb 22 00:34:29.000871 2016] [:notice] [pid 3822] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:34:29.003978 2016] [mpm_prefork:notice] [pid 3822] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Feb 22 00:34:29.004010 2016] [core:notice] [pid 3822] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 22 00:34:31.541762 2016] [authz_core:error] [pid 3827] [client 65.29.162.224:50568] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:51:43.647330 2016] [authz_core:error] [pid 3829] [client 65.29.162.224:50919] AH01630: client denied by server configuration: /var/www, referer: http://xxxxxxxxxx.com/
[Mon Feb 22 01:00:25.730427 2016] [authz_core:error] [pid 3831] [client 208.91.115.10:47458] AH01630: client denied by server configuration: /var/www

Let me know if there's any more information I should provide.

Answer 1

Not a direct answer to your question... rather an alternative.

Chroot is nice, and not useless (used by containers like LXC for example), but it's a very incomplete idea for security purposes, from a distant past where there weren't other options. It can be easy to break out of a chroot. Additions like in grsecurity, such as not allowing chroot, mount, pivot, chmod, etc. inside chroots help make it more of a jail than a simple chroot, but still incomplete. These days, people don't consider chroot a security feature.

Using MAC (mandatory access control, such as apparmor or selinux) is far superior for securing services. On debian based Linux, I would suggest using apparmor rather than trying to set up SELinux. SELinux works best system-wide, like on RedHat based systems where the distro does that work for you.

And in theory, you can combine the two, but some apparmor guys say it's better to use apparmor alone rather than with a chroot. It's probably subjective.

If you look at the link about escaping a chroot, and then think about MAC, you'll see that it will block it trivially. MAC will not allow the program to use the compiler (your web server doesn't need to execute gcc, does it?), but a chroot doesn't prevent that at all. But also grsecurity without any MAC will block that escape too:

[858944.195371] grsec: denied fchdir outside of chroot to /root/chroot by /root/chroot/unchroot2[unchroot2:11415] uid/euid:0/0 gid/egid:0/0, parent /root/chroot/bin/sh[sh:11407] uid/euid:0/0 gid/egid:0/0

Grsecurity requires replacing the kernel, which I think is more effort than using apparmor. But they can be used together.