Charlie-Boy
Joined: 07 Mar 2007 Posts: 15
Posted: Wed 07 Mar '07 15:22 Post subject: Jailing Apache on Windows Error
Hi, I have been trying the "jailing Apache on Windows" technique from this site, but Apache will not start up. If I try to run the Apache service I get a message saying Error 1069: The service did not start due to a logon failure.
I must have done something wrong somewhere; can anyone suggest a remedy? I'd really like to get this working.
I really thought I'd followed the instructions to the letter.
Thanks,
Charlie
Last edited by Charlie-Boy on Wed 07 Mar '07 17:48; edited 1 time in total
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
Posted: Wed 07 Mar '07 15:49 Post subject:
I'm guessing you changed the username and password for the Apache service?
If so... does the user account exist?
If it does, does it have the proper access to the network and filesystem?
Charlie-Boy
Joined: 07 Mar 2007 Posts: 15
Posted: Wed 07 Mar '07 15:56 Post subject:
Thanks for the reply. Yes, I changed the username for the service and the password; this is where the service fell over, after I changed the service from System to Apache. The Apache user that I created has a local logon restriction, though; it says to do this in the technique description.
I think this is the problem, but it does say to restrict local logon for this user? Basically I created the user Apache and then totally locked that user out of everything, as instructed.
It also says to give this user permission to read and list for the Apache installation folder, which I have done.
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Wed 07 Mar '07 17:05 Post subject:
Does your Apache user have the Windows User Right to "Log on as a service"?
The list of accounts which hold this right can be viewed by:
[Start] [Control Panel] [Administrative Tools] [Local Security Policy]
In the left panel choose: [Security Settings] [User Rights Assignment]
In the right panel, double-click on: [Log on as a service]
This will show a list of accounts and groups which are allowed to run as a service. You may need to add your Apache account to this list.
-tom-
Charlie-Boy
Joined: 07 Mar 2007 Posts: 15
Posted: Wed 07 Mar '07 17:47 Post subject:
Thanks, you were right about the Apache user not being listed under "Log on as a service". I changed that but am still getting the same failure: Error 1069, The service failed to start due to a logon failure.
It's got me beat.
Charlie-Boy
Joined: 07 Mar 2007 Posts: 15
Posted: Wed 07 Mar '07 18:08 Post subject:
OK, I have tried to do this all again from the beginning. I no longer get the error, but it will not start; instead it says to check Event Viewer to see why it failed. I did, and it says 'The Apache service named reported the following error:
>>> (20024)The given path misformatted or contained invalid characters: Invalid config file path C:\\Program Files\\Apache Software Foundation\\Apache2.2\\conf\\httpd.conf '
I have noticed that I do not have a PID file; I wonder if this is causing the problem?
Charlie-Boy
Joined: 07 Mar 2007 Posts: 15
Posted: Wed 07 Mar '07 21:39 Post subject:
I have fixed that last problem, seemingly, but now it's complaining that it cannot open the logs. All permissions on that folder are set to allow read access; it's driving me insane.
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
Posted: Wed 07 Mar '07 23:11 Post subject:
Read access, you say? Apache does write to log files ^^ Try adding write access.
Charlie-Boy
Joined: 07 Mar 2007 Posts: 15
Posted: Thu 08 Mar '07 1:40 Post subject:
Hooray, it's working! Thanks Jorge, my mind was stuck in restrictive mode, hehe.
*Note* to anyone wishing to accomplish this without the headaches: the instructions say to disallow all access to drives (complete restriction). This won't work, and you will get an error about not being able to read httpd.conf; I had to allow the Apache user read permission for my C: drive.
Quote:
All you need is to make a local user, say, called "Apache" (you may even set him a password; I don't think that makes any sense, but anyway) and deny him local and network login via group policies. Then you need to explicitly deny this user any access to the local drives (deny just everything: dir listing, read, write, modify etc.); that's done via Properties - Security. Now any process spawned with "Apache"'s rights won't be able even to LIST the directories.
asdfgqw
Joined: 21 Jan 2007 Posts: 12
Posted: Sat 10 Mar '07 3:26 Post subject:
Charly-boy, are you kidding?
Jailing a server or whatever on Windows? You mean really on Windows? The only real existing jail is on FreeBSD.
Where is the Howto on this site for the Windows jail? I must read that.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Sat 10 Mar '07 14:34 Post subject:
asdfgqw wrote:
Charly-boy, are you kidding?
Jailing a server or whatever on Windows? You mean really on Windows? The only real existing jail is on FreeBSD.
Where is the Howto on this site for the Windows jail? I must read that.
You can run Apache as a limited user, like on *nix based systems.
Sparky1
Joined: 01 Mar 2007 Posts: 4 Location: Canada
Posted: Thu 15 Mar '07 16:43 Post subject:
Not the most Windows/Apache savvy here...
But here is what I did on my Win2K server with Apache (some was covered in this thread):
Created user 'apache'
Removed 'apache' from any group, including Users
Assigned 'apache' as the 'Log On' account for the Apache service
Now here's Windows security for ya:
My Win2K server is pretty much 'locked down'; only my login account has access to it. I removed 'Everyone' from security for all drive accesses; just Admin, System and Creator/Owner are left.
If you add 'apache' with read access to the Apache directory in Program Files, it won't work, because the user 'apache' can't find the Apache directory. The user 'apache' needs read access to the root directory, the Program Files directory and then the Apache directory.
As well, the user 'apache' requires read access to specific files in the System32 directory under the Windows directory. This again requires that the user 'apache' have read access to the Windows directory and the System32 directory.
As others have stated, the user 'apache' requires read/write access to the log file directory and the httpd.pid, as well as read/execute access to any cgi-bin directory (if you're using scripts).
Furthermore, the user 'apache' requires read access to any other web service that your Apache program is using, such as Perl and PHP. Read access needs to be granted to the 'apache' user, as well as read access to any directory between the root directory and the web service it needs.
Hope this made sense.
I'll break it down this way:
Apache user read access:
c:\
c:\winnt
c:\winnt\system32
c:\program files
c:\program files\apache group
c:\program files\apache group\apache2
(then I reset all permissions on child folders to be the same as this one)
c:\php
(then I reset all permissions on child folders to be the same as this one)
c:\perl
(then I reset all permissions on child folders to be the same as this one)
Apache user read/write access:
c:\www
(this is where my website is stored)
I don't care if the Apache user has write access to my entire web folder, but if you do, you can lock it down to read access only. But remember you must put read/write on the log files folder.
Apache user read/execute access:
c:\www\cgi-bin
What else...
For my peace of mind, I denied or removed the Apache user account from every other directory. I also denied the 'apache' user all access to any file/program in the Windows directory, any file/folder below the System32 directory, and any other files/folders in Program Files (besides the Apache folder and any web app that Apache requires access to).
In the end, I think it's pretty secure. The user account 'apache' cannot log into the Win2K server as a user; it can only run the Apache service. As well, the 'apache' user account cannot change any file outside of the www directory.
Dunno if this helped anyone.
Sparky
Sparky1
Joined: 01 Mar 2007 Posts: 4 Location: Canada
Posted: Thu 15 Mar '07 17:01 Post subject:
My bad, shouldn't have gone off the top of my head; memory isn't what it once was.
Forgot the 'execute' on the web services; it is required for Apache to start.
So:
Apache user read/execute access:
c:\program files\apache group\apache2
(then I reset all permissions on child folders to be the same as this one)
c:\php
(then I reset all permissions on child folders to be the same as this one)
c:\perl
(then I reset all permissions on child folders to be the same as this one)
I also had to add the 'write' ability to this directory:
c:\program files\apache group\apache2\logs
Hope that clears a little bit up.
So yes, you can put the Apache service 'in jail' on a Windows platform.
I've never used a *nix OS with Apache, so I don't know how easy that is, but this took 10-20 minutes to lock everything down and test. In the future it'll be quicker 'cause now I have notes.
As soon as I figure out which System32 files are needed to run Apache, I'll put a 'deny access' on all other files in that directory as well.
Right now I do know that the Apache service requires access to WS2_32.dll. I read a website once detailing all the files that Apache requires, but can't find it now. I'm continuing my investigation.
Sparky
Mitron
Joined: 04 Jan 2006 Posts: 63
Posted: Sat 17 Mar '07 23:54 Post subject:
Sparky1:
You can save yourself a lot of hassle if you use another drive and/or partition for your web applications.
Example:
Install Apache/PHP/MySQL and any other applications to a folder on a separate drive/partition, i.e. D:\apps
Then add those to your Windows PATH, if they aren't already there, i.e. D:\apps\apache\bin;D:\apps\php;D:\apps\mysql\bin
You can also create a folder for virtual hosts on that drive/partition, i.e. D:\www, and place all your sites in there.
What this does is allow you to simply give your Apache user read access to the D:\ drive, then specific permissions for the specific folders you need the Apache user to have access to, and eliminate access to the entire C:\ drive.
I have Apache running fine without access to any part of the C:\ drive; however, I only have Apache/PHP/MySQL running so far. I haven't loaded Imagick or Perl yet.
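The permission layout Sparky1 lists above, plus the "Log on as a service" check tdonovan raised, as a script. This is an added example, not code from the thread or from Apache; the account name "Apache", the service name "Apache2.2" and the paths are assumptions to adjust to your own install (Mitron's layout works the same way with the roots moved to D:\apps and D:\www). Run from an elevated PowerShell prompt.

```powershell
# Assumed values (not from the thread): a local account "Apache", the Windows
# service name "Apache2.2", and the install/web/interpreter paths below.
$User        = "Apache"
$ServiceName = "Apache2.2"
$ApacheRoot  = "C:\Program Files\Apache Software Foundation\Apache2.2"
$WebRoot     = "C:\www"
$Extras      = @("C:\php", "C:\perl")        # interpreters Apache launches

function Grant-Folder([string]$Path, [string]$Rights, [switch]$Recurse) {
    if (-not (Test-Path $Path)) { Write-Warning "skip (missing): $Path"; return }
    # Without (OI)(CI) the ACE applies to this folder only: the drive root and
    # Program Files need to be reachable, not recursively readable.
    $ace = if ($Recurse) { "${User}:(OI)(CI)$Rights" } else { "${User}:$Rights" }
    icacls $Path /grant $ace | Out-Null
}

# 1. Every ancestor of the install dir needs read, or httpd.conf cannot be
#    found (the "Invalid config file path" error earlier in the thread).
$parent = Split-Path $ApacheRoot -Parent
while ($parent) { Grant-Folder $parent "RX"; $parent = Split-Path $parent -Parent }
Grant-Folder $env:SystemRoot "RX"                     # c:\winnt in Sparky's list
Grant-Folder (Join-Path $env:SystemRoot "System32") "RX"

# 2. Install dir and interpreters: read+execute, inherited by children.
foreach ($p in @($ApacheRoot) + $Extras) { Grant-Folder $p "RX" -Recurse }

# 3. Site content read-only, cgi-bin read+execute, logs (and httpd.pid) need
#    write; icacls' M (modify) is the simple right that includes write.
Grant-Folder $WebRoot "RX" -Recurse
Grant-Folder (Join-Path $WebRoot "cgi-bin") "RX" -Recurse
Grant-Folder (Join-Path $ApacheRoot "logs") "M" -Recurse

# 4. Verify the service's Log On account and that it holds SeServiceLogonRight
#    (the missing right is what produced Error 1069 above).
function Test-ServiceAccount {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { Write-Warning "service $ServiceName not found"; return $false }
    return ($svc.StartName -like "*\$User") -or ($svc.StartName -eq $User)
}
function Test-LogonAsService {
    $sid = (New-Object Security.Principal.NTAccount($User)).Translate(
               [Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP "rights.inf"            # secedit lists SIDs as *S-1-...
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeServiceLogonRight' | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    return [bool]($line -and $line.Line -match [regex]::Escape("*$sid"))
}
if (-not (Test-ServiceAccount)) { Write-Warning "set the service Log On account to .\$User" }
if (-not (Test-LogonAsService)) { Write-Warning "$User lacks 'Log on as a service' (Local Security Policy > User Rights Assignment)" }
```

The script only adds allow ACEs; the explicit denies Sparky1 applied elsewhere are left to you, since a deny on an ancestor folder overrides these grants and reproduces the httpd.conf failure Charlie-Boy hit.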
Kanashii
Joined: 17 Jul 2006 Posts: 155 Location: Porando
Posted: Mon 19 Mar '07 4:39 Post subject:
mod_chroot makes running Apache [Linux] in a secure chroot environment easy.
You don't need to create a special directory hierarchy containing /dev, /lib, /etc.
But not for Windows, wrr.