Topic: Jailing Apache on Windows Error

Charlie-Boy

Joined: 07 Mar 2007
Posts: 15

Posted: Wed 07 Mar '07 15:22    Post subject: Jailing Apache on Windows Error

Hi, I have been trying the jailing Apache on Windows technique from this site but Apache will not start up. If I try to run the Apache service I get a message saying Error 1069: The service did not start due to a logon failure.

I must have done something wrong somewhere, can anyone suggest a remedy? I'd really like to get this working.

I really thought I'd followed the instructions to the letter.

Thanks

Charlie


Last edited by Charlie-Boy on Wed 07 Mar '07 17:48; edited 1 time in total

Jorge

Joined: 12 Mar 2006
Posts: 376
Location: Belgium

Posted: Wed 07 Mar '07 15:49

I'm guessing you changed the username and pw for the Apache service?
If so... does the user account exist?

If it does, does it have the proper access to network and filesystem?

Charlie-Boy

Joined: 07 Mar 2007
Posts: 15

Posted: Wed 07 Mar '07 15:56

Thanks for the reply. Yes, I changed the username for the service and the password; this is where the service fell over, after I changed the service from system to Apache. The Apache user that I created has local logon restriction though; it says to do this in the technique description.

I think this is the problem, but it does say restrict local logon for this user? Basically I created the user Apache then totally locked out that user from everything as instructed.

It also says give this user permissions to read and list for the Apache installation folder, which I have done.

tdonovan
Moderator

Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

Posted: Wed 07 Mar '07 17:05

Does your Apache user have the Windows User Right to "Log on as a service"?

The list of accounts which hold this right can be viewed by:
    [Start] [Control Panel] [Administrative Tools] [Local Security Policy]

    in the left panel choose: [Security Settings] [User Rights Assignment]

    in the right panel, double-click on: [Log on as a service]
This will show a list of accounts and groups which are allowed to run as a service. You may need to add your Apache account to this list.

-tom-
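
The check described in the post above can also be scripted. This is an added example, not part of the original thread; it assumes an elevated PowerShell prompt, the account name Apache used in this thread, and rights assigned to the account directly rather than through a group. The deny rights are included because the instructions quoted later in the thread ask for local and network logon to be denied.

```powershell
# Added example: report the logon rights a service account holds (run elevated).
# Only direct assignments are detected, not rights granted through a group.
function Get-ServiceAccountLogonRights {
    param([string]$Account = 'Apache')   # account name used in this thread

    # secedit lists holders as *SID (or as a plain name if the SID is unresolved)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $lines = Get-Content $inf
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }

    # Right name -> whether a jailed service account should hold it
    $expected = [ordered]@{
        SeServiceLogonRight         = $true    # "Log on as a service"
        SeDenyServiceLogonRight     = $false   # "Deny log on as a service"
        SeDenyInteractiveLogonRight = $true    # "Deny log on locally"
        SeDenyNetworkLogonRight     = $true    # "Deny access to this computer from the network"
    }
    foreach ($right in $expected.Keys) {
        $members = @()
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        if ($line) {
            $members = ($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
        $held = ($members -contains $sid) -or ($members -contains $Account)
        [pscustomobject]@{
            Right    = $right
            Held     = $held
            Expected = $expected[$right]
            OK       = ($held -eq $expected[$right])
        }
    }
}

Get-ServiceAccountLogonRights -Account 'Apache' | Format-Table -AutoSize
```

A missing "Log on as a service" right, or a "Deny log on as a service" entry for the account, stops the service from logging on with the configured account.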

Charlie-Boy

Joined: 07 Mar 2007
Posts: 15

Posted: Wed 07 Mar '07 17:47

Thanks, you were right about the Apache user not being listed under log on as a service. I changed that but am still getting the same failure, Error 1069: The service failed to start due to a logon failure.

It's got me beat.

Charlie-Boy

Joined: 07 Mar 2007
Posts: 15

Posted: Wed 07 Mar '07 18:08

OK, I have tried to do this all again from the beginning. I no longer get the error but it will not start; instead it says check event viewer to see why it failed. I did and it says 'The Apache service named reported the following error:
>>> (20024)The given path misformatted or contained invalid characters: Invalid config file path C:\\Program Files\\Apache Software Foundation\\Apache2.2\\conf\\httpd.conf '


I have noticed that I do not have a PID file, I wonder if this is causing the problem?

Charlie-Boy

Joined: 07 Mar 2007
Posts: 15

Posted: Wed 07 Mar '07 21:39

I have fixed that last problem seemingly, but now it's complaining that it cannot open logs, all permissions on that folder are set to allow read access, it's driving me insane.

Jorge

Joined: 12 Mar 2006
Posts: 376
Location: Belgium

Posted: Wed 07 Mar '07 23:11

read-access you say? apache does write to log files ^^ try adding write-access.

Charlie-Boy

Joined: 07 Mar 2007
Posts: 15

Posted: Thu 08 Mar '07 1:40

Hooray, it's working, thanks Jorge, my mind was stuck in restrictive mode HeHe.

*Note* to anyone wishing to accomplish this without the headaches: the instructions say disallow all access to drives, complete restriction. This won't work and you will get an error about not being able to read httpd.conf; I had to allow Apache read permission for my C: drive.


Quote:
All you need is to make a local user, say, called "Apache" (you may even set him a password, don't think that makes any sense, but anyway) and deny him local and network login via group policies. Then you need to explicitly deny this user any access to the local drives (deny just everything: dir listing, read, write, modify etc), that's done via Properties - Security. Now any process spawned with "Apache"'s rights won't be able even to LIST the directories.

asdfgqw

Joined: 21 Jan 2007
Posts: 12

Posted: Sat 10 Mar '07 3:26

charly-boy are you kidding?

jailing a server or whatever on windows? You mean really on windows? The only real existing jail is on FreeBSD.

Where is the Howto on this site for the windows jail? I must read that.

Charlie-Boy

Joined: 07 Mar 2007
Posts: 15

Posted: Sat 10 Mar '07 14:01

http://www.apachelounge.com/article.php?op=Print&sid=68

I wouldn't follow the instructions explicitly though, you will have problems if you do.

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

Posted: Sat 10 Mar '07 14:34

asdfgqw wrote:
charly-boy are you kidding?

jailing a server or whatever on windows? You mean really on windows? The only real existing jail is on FreeBSD.

Where is the Howto on this site for the windows jail? I must read that.


You can run Apache as a limited user like on *nix based systems.

Sparky1

Joined: 01 Mar 2007
Posts: 4
Location: Canada

Posted: Thu 15 Mar '07 16:43

Not the most Windows/Apache savvy here...
But what I did on my Win2K server with Apache (some was covered in this thread)--
Created user 'apache'
Removed Apache from any group, including Users
Assigned Apache as 'Log On' account for Apache service
Now here's Windows Security for ya--
My Win2K server is pretty much 'locked down'--only my login account has access to it--I removed 'everyone' from security for all drive accesses--just Admin, system and creator/owner left.
If you add 'Apache' as read access to the Apache directory in program files, it won't work because the user 'apache' can't find the apache directory--the user apache needs read access to the root directory, the program files directory and then the apache directory.
As well, the user apache requires read access to specific files in the System32 directory under the Windows directory. This again requires that the user apache have read access to the windows directory and the system32 directory.
As others have stated, the user apache requires read/write access to the log file directory and the http.pid, as well as read/execute access to any cgi-bin directory (if you're using scripts)
Furthermore, the user apache requires read access to any other web service that your apache program is using, such as Perl and PHP--read access needs to be granted to the apache user, as well as read access to any directory between the root directory and the web service it needs.
Hope this made sense
I'll break it down this way
Apache user read access--

c:\
c:\winnt
c:\winnt\system32
c:\program files
c:\program files\apache group
c:\program files\apache group\apache2
(then I reset all permissions on child folders to be the same as this one)
c:\php
(then I reset all permissions on child folders to be the same as this one)
c:\perl
(then I reset all permissions on child folders to be the same as this one)

Apache user read/write access
c:\www
(is where my website is stored)
I don't care if the Apache user has write access to my entire web folder, but if you do, you can lock it down to read access only, but remember you must put read/write on the log files folder

Apache user read/execute access
c:\www\cgi-bin

What else...

For my sense of mind, I denied or removed the Apache user account from every other directory. I also denied the apache user all access to any file/program in the Windows directory, and any file/folder below the System32 directory, and any other files/folders in Program Files (besides the Apache folder and any web app that Apache requires access to).

In the end, I think it's pretty secure. The user account Apache cannot log into the Win2K server as a user--it can only run the Apache service. As well, the apache user account cannot change any file outside of the www directory.

Dunno if this helped anyone.

Sparky

Sparky1

Joined: 01 Mar 2007
Posts: 4
Location: Canada

Posted: Thu 15 Mar '07 17:01

My bad--shouldn't have gone off the top of my head--memory isn't what it once was
Forgot the 'execute' on the web services--is required for apache to start
so

apache user read/execute access

c:\program files\apache group\apache2
(then I reset all permissions on child folders to be the same as this one)
c:\php
(then I reset all permissions on child folders to be the same as this one)
c:\perl
(then I reset all permissions on child folders to be the same as this one)

I also had to add the 'write' ability to this directory--
c:\program files\apache group\apache2\logs

hope that clears a little bit up

So yes, you can put the Apache service 'in jail' on a Windows platform
I've never used *nix OS with Apache, so I don't know how easy that is, but this took 10-20 minutes to lock everything down and test. In the future it'll be quicker 'cause now I have notes

As soon as I figure out which system32 files are needed to run Apache, I'll put a 'deny access' on all other files in that directory as well.

Right now I do know that Apache service requires access to WS2_32.dll. I read a website once detailing all the files that Apache requires, but can't find it now. I'm continuing my investigation.

Sparky

Mitron

Joined: 04 Jan 2006
Posts: 63

Posted: Sat 17 Mar '07 23:54

Sparky1:

You can save yourself a lot of hassles if you use another drive and/or partition for your web applications.

Example:

Install Apache/PHP/MySQL and any other applications to a folder on a separate drive/partition. i.e. D:\apps

Then add those to your Windows PATH, if they aren't already there, i.e. D:\apps\apache\bin;D:\apps\php;D:\apps\mysql\bin

You can also create a folder for virtual hosts on that drive/partition, i.e. D:\www and place all your sites in there.

What this does is allow you to simply give your apache user read access to the D:\ drive then specific permissions for the specific folders you need the apache user to have access to and eliminate access to the entire C:\ drive.

I have apache running fine without access to any part of the C:\ drive; however, I only have apache/php/mysql running so far. I haven't loaded Imagick or Perl yet.
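
The permission layout described in Sparky1's and Mitron's posts above, written as a script. This is an added example, not code from the thread; it assumes a current Windows with icacls, the D:\ paths from Mitron's post (with logs, www and cgi-bin folders placed as in Sparky1's list), and the account name Apache.

```powershell
# Added example (not from the thread): least-privilege ACLs for the service account.
# Paths follow Mitron's D:\ example and are assumptions; adjust to your layout.
$Account = 'Apache'
$DryRun  = $true   # set to $false to apply; run elevated

# Path -> icacls permission. Without (OI)(CI) the grant covers "this folder only",
# which lets the account locate sub-folders without inheriting access to them.
$layout = [ordered]@{
    'D:\'                 = '(R)'
    'D:\apps'             = '(R)'
    'D:\apps\apache'      = '(OI)(CI)(RX)'    # binaries, modules, conf
    'D:\apps\php'         = '(OI)(CI)(RX)'
    'D:\apps\apache\logs' = '(OI)(CI)(RX,W)'  # log files and the PID file need write
    'D:\www'              = '(OI)(CI)(R)'     # site content, read-only
    'D:\www\cgi-bin'      = '(OI)(CI)(RX)'    # scripts must be executable
}

foreach ($path in $layout.Keys) {
    $grant = '{0}:{1}' -f $Account, $layout[$path]
    if ($DryRun) { "icacls $path /grant $grant"; continue }
    icacls $path /grant $grant | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $path" }
}

# Review step: report any Allow entry that lets the account write outside the
# logs folder, so an over-broad grant is caught before the service goes live.
function Get-UnexpectedWriteAccess {
    param([string[]]$Paths, [string]$Account, [string]$WritableRoot)
    $write = [System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        if ($p -like "$WritableRoot*") { continue }
        (Get-Acl $p).Access | Where-Object {
            $_.IdentityReference -like "*\$Account" -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $write)
        } | ForEach-Object {
            [pscustomobject]@{ Path = $p; Rights = $_.FileSystemRights }
        }
    }
}

Get-UnexpectedWriteAccess -Paths $layout.Keys -Account $Account `
    -WritableRoot 'D:\apps\apache\logs'
```

With `$DryRun` left at `$true` the script only prints the icacls commands it would run; the review function returns nothing when the account has no write access outside the logs folder.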

Kanashii

Joined: 17 Jul 2006
Posts: 155
Location: Porando

Posted: Mon 19 Mar '07 4:39

mod_chroot - makes running Apache [ Linux ] in a secure chroot environment easy

You don't need to create a special directory hierarchy containing /dev, /lib, /etc.
But not for windows wrr