Simple Lighttpd chroot on Debian


Updated: 2014-08-16

This will get you an easily maintainable chrooted Lighttpd setup with PHP and SQLite support, so you can run Drupal. Lua support (Lighttpd's mod_magnet) is included for clean URLs, since most Drupal setups want them.

Originally, this was tested and deployed on Debian 7 (Wheezy), but after upgrading to Testing (Jessie) Drupal displayed the dreaded white screen of death (WSOD), both inside and outside the chroot. Since Drupal is pretty much overkill for my blogging requirements, I decided to move to a lighter, simpler CMS that doesn't require a database backend (hello Pico!).

Creating the chroot

To build the chroot, we'll use the makejail utility (packaged in Debian). Keeping a jail up to date is a tedious process, but makejail takes most of the work out of your hands: it traces the programs you list, copies the files they actually open, and by default cleans and rebuilds the chroot every time you run it (this is configurable, with a list of directories to preserve). A sample makejail config tuned for Drupal with Lua and SQLite support will get you going. Make sure you add the packages you need, but you do not need to install Lighttpd itself into the chroot: the daemon starts outside the jail, binds its ports and then calls chroot() itself (the server.chroot directive below). Only what it spawns or opens after that point has to live inside, notably php5-cgi, its /etc/php5 configuration and the Lua script.

Do not forget to create the directories Lighttpd will be writing to (the log directory in $chroot/var/log/lighttpd, the FastCGI socket and state files in $chroot/var/run/lighttpd/, the upload spool, etc.). They are opened after the chroot() and after privileges have been dropped, so they must exist inside the jail and be writable by the unprivileged user the instance runs as.

Configuring Lighttpd

Your configuration should at least contain the following extra settings:

server.chroot               = "/var/chroot/"

Do keep in mind that server.chroot is an absolute host path, and every path Lighttpd resolves after it has chrooted (server.document-root, server.upload-dirs, server.errorlog, accesslog.filename, the fastcgi bin-path and socket, mod_magnet scripts) is relative to that directory. The one exception is server.pid-file: Lighttpd writes it while still running as root, before the chroot() call, so it is a host path.
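As an added example (not the author's configuration file), here is a complete lighttpd.conf for the chrooted instance with the host/jail distinction spelled out per directive, plus a small check that catches the classic mistake of prefixing jail-relative paths with the chroot directory. Port 8080, the socket name, the pid file name and the Lua script path are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's config: a lighttpd.conf skeleton
# for the chrooted instance and a check for jail-internal paths that were
# mistakenly written as host paths. Port, socket, pid file and the Lua
# script path are assumptions for this setup.

CHROOT="${CHROOT:-/var/chroot}"

# Write the example config to $1. Only server.pid-file is a host path:
# lighttpd writes it before calling chroot(). Everything else is opened
# or spawned after the chroot() and is therefore relative to $CHROOT.
write_lighttpd_conf() {
    cat > "$1" <<EOF
server.modules = ( "mod_access", "mod_accesslog", "mod_fastcgi", "mod_magnet" )

server.chroot        = "$CHROOT"
server.username      = "lightychroot"
server.groupname     = "lightychroot"
server.port          = 8080

# host path: created before chroot(), so it is the one exception
server.pid-file      = "/var/run/lighttpd-chroot.pid"

# jail paths, i.e. $CHROOT/var/www, $CHROOT/var/log/lighttpd, ...
server.document-root = "/var/www"
server.errorlog      = "/var/log/lighttpd/error.log"
accesslog.filename   = "/var/log/lighttpd/access.log"
server.upload-dirs   = ( "/var/cache/lighttpd/uploads" )

# php5-cgi is spawned after the chroot(), so it has to live in the jail
fastcgi.server = ( ".php" => ((
    "bin-path"  => "/usr/bin/php5-cgi",
    "socket"    => "/var/run/lighttpd/php.socket",
    "max-procs" => 2
)))

# the Lua rewrite script for clean URLs is loaded from inside the jail too
magnet.attract-physical-path-to = ( "/etc/lighttpd/drupal.lua" )
EOF
}

# Flag directives in $1 whose quoted value starts with the chroot path:
# lighttpd would look for $CHROOT/var/chroot/... inside the jail and fail.
# Prints the offending lines and returns 1; returns 0 when clean and 2
# when the file has no server.chroot at all.
check_chroot_paths() {
    conf="$1"
    jail=$(sed -n 's/^[[:space:]]*server\.chroot[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    if [ -z "$jail" ]; then
        echo "$conf: no server.chroot directive" >&2
        return 2
    fi
    jail="${jail%/}"
    hits=$(grep -nF "\"$jail/" "$conf" | grep -v 'server\.chroot' | grep -v 'server\.pid-file' || true)
    if [ -n "$hits" ]; then
        echo "$conf: these paths are resolved inside server.chroot, drop the $jail prefix:"
        echo "$hits"
        return 1
    fi
    return 0
}

# Usage: sh lighttpd-chroot-conf.sh write /etc/lighttpd/lighttpd-chroot.conf
if [ "${1:-}" = "write" ]; then
    write_lighttpd_conf "${2:-lighttpd-chroot.conf}"
    check_chroot_paths "${2:-lighttpd-chroot.conf}"
fi
```

Run check_chroot_paths against any hand-edited config before starting the instance; a double-prefixed document-root only shows up at runtime as 404s or a startup failure in the error log.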

Making sure PHP runs right

You might notice broken web pages when running PHP code. This is because makejail only copies the files it sees being opened, and it does not copy everything in /etc/php5/ by default. Copy the directory over manually (or list it under forceCopy in the makejail config so it survives the next rebuild). The latest version of the makejail config should remedy this.

Clean URLs

The cleanest solution I found so far for clean URL support on Lighttpd is running some Lua script. Make sure you copy that into the chroot as well: mod_magnet loads the script from the already chrooted process, so the path you give it is resolved inside the jail.

Separating the chrooted Lighttpd instance

If you plan on running two Lighttpd instances (the distribution's regular one and the chrooted one), make sure their configuration, pid and log files don't overlap. To retain the full functionality of the Debian lighttpd package (init script, log rotation, ...) you can do the following:

For extra security, create a new user solely for the chrooted lighttpd and be sure to set its shell to /bin/false, so that a compromise of the jailed instance gains nothing that the regular www-data instance owns. The init script provided here, for example, uses a user called 'lightychroot'. The logrotate configuration needs to point at the log directory inside your chroot (e.g. /var/chroot/var/log/lighttpd/) rather than /var/log/lighttpd.

You also need to add the user (and group, if applicable) to your lighttpd configuration:

server.username             = "lightychroot"
server.groupname            = "lightychroot"
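The following added example (not the page's init script or logrotate file) creates the dedicated account, writes the matching logrotate stanza for the log directory inside the jail, and checks that a running instance really ended up chrooted and unprivileged by reading its root directory and effective user from /proc. The account name, the pid file path /var/run/lighttpd-chroot.pid and the adm group are assumptions matching the configuration snippets on this page.

```shell
#!/bin/sh
# Added example, not from the original post: dedicated account, logrotate
# stanza for the jailed logs, and a post-start check of root dir and user.
# Account name, pid file path and log group are assumptions.

CHROOT="${CHROOT:-/var/chroot}"
JAIL_USER="${JAIL_USER:-lightychroot}"
PIDFILE="${PIDFILE:-/var/run/lighttpd-chroot.pid}"   # host path (see above)

# System account with no login shell; --group creates a matching group.
# The account must exist on the host, since lighttpd looks it up before
# it chroots and drops privileges.
create_jail_user() {
    if getent passwd "$1" >/dev/null; then
        return 0
    fi
    adduser --system --group --no-create-home --home "$CHROOT" \
            --shell /bin/false "$1"
}

# Write a logrotate stanza to $1 for the log directory inside the jail.
# lighttpd reopens its log files on SIGHUP; the pid comes from the
# host-side pid file of this instance, not the stock /var/run/lighttpd.pid.
write_logrotate_conf() {
    cat > "$1" <<EOF
$CHROOT/var/log/lighttpd/*.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 0640 $JAIL_USER adm
    sharedscripts
    postrotate
        if [ -f $PIDFILE ]; then
            kill -HUP "\$(cat $PIDFILE)"
        fi
    endscript
}
EOF
}

# Confirm a running instance is jailed and unprivileged: read its pid from
# $1, then compare the process root (readlink on /proc/PID/root; needs root
# for a daemon that changed uid) with $2 and the effective uid from the
# Uid: line of /proc/PID/status with $3. Returns 0 on match, 1 otherwise.
verify_instance() {
    pidfile="$1"; want_root="${2%/}"; want_user="$3"
    [ -n "$want_root" ] || want_root=/
    [ -r "$pidfile" ] || { echo "no pid file: $pidfile" >&2; return 1; }
    pid=$(cat "$pidfile")
    root=$(readlink "/proc/$pid/root" 2>/dev/null || echo "?")
    uid=$(awk '/^Uid:/ { print $3 }' "/proc/$pid/status" 2>/dev/null || true)
    user=$(getent passwd "$uid" | cut -d: -f1)
    [ -n "$user" ] || user="$uid"
    if [ "$root" = "$want_root" ] && [ "$user" = "$want_user" ]; then
        echo "pid $pid: root=$root user=$user (ok)"
        return 0
    fi
    echo "pid $pid: root=$root user=$user, expected $want_root and $want_user" >&2
    return 1
}

# Usage (as root): sh chroot-instance.sh setup   -> account + logrotate
#                  sh chroot-instance.sh verify  -> check the running daemon
case "${1:-}" in
    setup)  create_jail_user "$JAIL_USER"
            write_logrotate_conf /etc/logrotate.d/lighttpd-chroot ;;
    verify) verify_instance "$PIDFILE" "$CHROOT" "$JAIL_USER" ;;
esac
```

The verify step is worth running once after every rebuild: a process whose root still reads "/" or whose user is root means the chroot or username directive was dropped from the config, and nothing else on the page would tell you.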

Additional binaries

If you need additional binaries (or packages), add them to the makejail configuration. If you have a status page that reads /proc for uptime or other information, or rely on other non-web functionality, look for alternatives: bind-mounting /proc into the chroot leaks host-wide process and mount information into the jail and gives anything that gains root inside it an easy way out, which weakens your chroot considerably.