Configure Lighttpd with a chroot Jail Environment on a CentOS 5 Machine

Common information:

chroot jail directory: /webroot

lighttpd document root: /webroot/var/www/lighttpd on the host, which is /var/www/lighttpd as seen from inside the jail

1. Install lighttpd, php and mysql server

yum install lighttpd lighttpd-fastcgi php php-cgi php-cli php-mysql php-xml php-mbstring php-mcrypt php-pdo php-gd mysql mysql-server lua libtool-ltdl openssl-devel

2. Prepare the file system

mkdir /webroot

mkdir /webroot/tmp/

chmod 1777 /webroot/tmp/

(1777 rather than 777: world-writable with the sticky bit, like the host's /tmp, so one user cannot remove or rename files another user created there.)

mkdir /webroot/etc

mkdir -p /webroot/var/log/lighttpd

chown lighttpd:lighttpd /webroot/var/log/lighttpd

mkdir -p /webroot/var/tmp/lighttpd/cache/compress/

chown lighttpd:lighttpd /webroot/var/tmp/lighttpd/cache/compress/

mkdir -p /webroot/lighttpd

chown lighttpd:lighttpd /webroot/lighttpd

chmod 0700 /webroot/lighttpd

mkdir -p /webroot/var/run

mkdir -p /webroot/var/lib/php/session

chown lighttpd:lighttpd /webroot/var/lib/php/session -R

ls -dl /webroot/lighttpd

Put the l2chroot script (it copies a binary's shared libraries into the jail) in the /bin directory and make it executable:


mv l2chroot.txt l2chroot

cp l2chroot /bin

chmod +x /bin/l2chroot


3. Put PHP in the jail

Add the line cgi.fix_pathinfo = 1 at the end of /etc/php.ini.

mkdir -p /webroot/usr/bin

cp /usr/bin/php-cgi /webroot/usr/bin/

cp /usr/bin/php /webroot/usr/bin/

cp /usr/bin/spawn-fcgi /webroot/usr/bin/

cp -avr /etc /webroot

Note that this copies the whole of /etc, including /etc/shadow and the SSH host keys, into the jail. Nothing in the jail needs them, so either copy only what PHP and the resolver need (php.ini and php.d/, resolv.conf, hosts, nsswitch.conf, localtime, and passwd/group trimmed to the entries the lighttpd user needs) or delete the sensitive files from /webroot/etc afterwards.

Copy all shared libraries used by /usr/bin/php and /usr/bin/php-cgi with the l2chroot script:

/bin/l2chroot /usr/bin/php

/bin/l2chroot /usr/bin/php-cgi

cp -a /lib /webroot/

4. Put the PHP MySQL extension in the jail. PHP reaches the MySQL database server through the php-mysql extension, which lives in /usr/lib/php/modules. Copy each extension module (.so) from /usr/lib/php/modules/ to /webroot/usr/lib/php/modules/, then run l2chroot on each copied module so the libraries it links against are placed in the jail as well:

mkdir -p /webroot/usr/lib/php/modules

cp /usr/lib/php/modules/ /webroot/usr/lib/php/modules/

/bin/l2chroot /usr/lib/php/modules/

6. Put PEAR in the jail: copy the /usr/share/pear directory to /webroot/usr/share.

7. Configure lighttpd to run from the chroot jail.

Edit /etc/lighttpd/lighttpd.conf: vi /etc/lighttpd/lighttpd.conf

server.chroot = "/webroot"

server.document-root = "/var/www/lighttpd"

Directive names are lower-case (server.chroot, not Server.chroot). Every path lighttpd uses after it has chrooted, including server.document-root and the FastCGI bin-path, is resolved inside the jail, so the document root is /var/www/lighttpd (that is /webroot/var/www/lighttpd on the host), not server.chroot + "/var/www/lighttpd". chroot() needs root, so lighttpd must be started as root and drop privileges afterwards with server.username and server.groupname set to lighttpd.

Restart the lighttpd server: /etc/init.d/lighttpd restart

Test the jail setup: create info.php (a phpinfo() call) in the document root and open http://ip_address/info.php. Remove info.php once the test passes; phpinfo output discloses paths, versions and environment to anyone who can reach it.
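As an added example (not code from the page, and not the l2chroot script it refers to), the following shell script reproduces the library copying of steps 3 and 4 and the check described under Error 3: it parses ldd output, copies each library into the jail under its original path, and reports anything a jailed binary would still be unable to load before lighttpd is restarted. The /webroot, /usr/bin/php, /usr/bin/php-cgi, /usr/bin/spawn-fcgi and /usr/lib/php/modules paths are the page's; the function names, the build/check entry point and the sample ldd lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the page's l2chroot script): copy the shared libraries a
# binary needs into the chroot jail, then verify nothing is missing before
# lighttpd tries to spawn php-cgi inside it. Paths follow the page (/webroot,
# /usr/bin/php-cgi, ...); the function names are this example's own.

# Read `ldd` output on stdin and print one absolute library path per line.
# ldd prints two shapes of line that carry a path:
#   libc.so.6 => /lib64/libc.so.6 (0x...)     -> field 3
#   /lib64/ld-linux-x86-64.so.2 (0x...)       -> field 1
# "linux-vdso.so.1 => (0x...)" (no file) and "=> not found" are dropped;
# a "not found" library is broken on the host too, so fix that first.
parse_ldd_libs() {
    awk '
        /=>/        { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//  { print $1 }
    '
}

# Copy each library path read from stdin into jail $1, recreating its
# directory, e.g. /lib64/libc.so.6 -> /webroot/lib64/libc.so.6.
# -L dereferences symlinks so the jail gets the real file rather than a
# link to a host path that does not exist inside the jail.
install_libs_into_jail() {
    jail=$1
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"
    done
}

# Report libraries (paths on stdin) that do not exist inside jail $1.
# Returns 1 if anything is missing: this is the check behind Error 3.
missing_in_jail() {
    jail=$1
    rc=0
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        if [ ! -e "$jail$lib" ]; then
            echo "missing in jail: $jail$lib"
            rc=1
        fi
    done
    return $rc
}

# What l2chroot does for one binary:  jail_deps /webroot /usr/bin/php-cgi
jail_deps() {
    ldd "$2" | parse_ldd_libs | install_libs_into_jail "$1"
}

# The Error 3 check for one binary:   jail_check /webroot /usr/bin/php-cgi
jail_check() {
    ldd "$2" | parse_ldd_libs | missing_in_jail "$1"
}

# Steps 3 and 4 of the page in one go: the PHP binaries, spawn-fcgi and every
# PHP extension module, each followed by its libraries. Must run as root.
build_jail() {
    jail=$1
    for bin in /usr/bin/php /usr/bin/php-cgi /usr/bin/spawn-fcgi; do
        mkdir -p "$jail$(dirname "$bin")"
        cp -L "$bin" "$jail$bin"
        jail_deps "$jail" "$bin"
    done
    for mod in /usr/lib/php/modules/*.so; do
        [ -e "$mod" ] || continue          # glob matched nothing
        mkdir -p "$jail/usr/lib/php/modules"
        cp -L "$mod" "$jail/usr/lib/php/modules/"
        jail_deps "$jail" "$mod"
    done
    # Final check before editing lighttpd.conf: php-cgi must start inside the jail.
    jail_check "$jail" /usr/bin/php-cgi && chroot "$jail" /usr/bin/php-cgi -v
}

if [ "${1:-}" = build ]; then
    build_jail "${2:-/webroot}"
fi
```

Save it as, for instance, jail-libs.sh (an assumed name) and run `sh jail-libs.sh build /webroot` as root after step 2; the last line of output should be the php-cgi version banner printed from inside the jail. If lighttpd later fails with "Spawning fcgi failed", `jail_check /webroot /usr/bin/php-cgi` and `jail_check /webroot /usr/bin/spawn-fcgi` name the library that is missing under /webroot. The check only covers libraries ldd can see; modules that dlopen() further libraries at run time (PHP extensions do) are why build_jail runs jail_deps on each .so in /usr/lib/php/modules as well.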

=====================================================================
ISSUES FACED:

Error 1. Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly.

Solution: create the session directory inside the jail and give it to the lighttpd user:

mkdir -p /webroot/var/lib/php/session

chown lighttpd:lighttpd -R /webroot/var/lib/php/session

Permissions inside the jail: /webroot/tmp and its contents 1777 (world-writable with the sticky bit), /webroot/var/tmp 755 owned by lighttpd, /webroot/var/lib/php 755 owned root:lighttpd (recursively), and /webroot/var/lib/php/session 755 owned by lighttpd.

Error 2. #2002 Cannot log in to the MySQL server

Solution: in the phpMyAdmin config file (/webroot/var/www/lighttpd/phpmyadmin/ change the host directive from localhost to "", so that it reads:

$cfg['Servers'][$i]['host'] = '';

The cause is that, with host = localhost, the MySQL client library connects through the Unix socket (/var/lib/mysql/mysql.sock on CentOS), and that socket does not exist inside /webroot. If you prefer to keep an explicit host, use 127.0.0.1 so the connection goes over TCP to the MySQL port, or make the socket reachable inside the jail; whichever you pick, the database must not be the same thing the jail is meant to isolate.

Error 3. Spawning fcgi failed, Configuration of plugins failed. Going down

Solution: lighttpd spawns php-cgi after it has chrooted, so every library php-cgi needs must exist inside the jail. List them with ldd /usr/bin/php-cgi (and ldd /usr/bin/spawn-fcgi), then confirm each one exists under /webroot at the same path: a library reported as /lib/X must be present as /webroot/lib/X.

Error 4. Database import in phpMyAdmin fails

Solution: the upload and temporary directories must be writable by the lighttpd user. Assigning 777 to /webroot/tmp, /webroot/var/tmp and /webroot/var/lib/php makes the error go away, but it also lets anything in the jail write anywhere under them; the tighter fix is 1777 on the two tmp directories and lighttpd ownership with 755 on /webroot/var/lib/php, which is the layout given under Error 1.

Error 5. A library is reported missing even though it is present in the jail

Solution: mount --bind /proc /webroot/proc

This exposes the host's process information to everything running in the jail, so apply it only if the error persists after the libraries from Error 3 are in place.
