Using ModSecurity to create a chroot jail
To use SecChrootDir to jail the Apache process, we first need to create the directory that Apache will be confined to, as well as a few more directories that Apache needs:
mkdir -p /chroot/etc/httpd/run
mkdir -p /chroot/var/run
Using the -p flag when executing mkdir ensures that sub-directories are created as needed and avoids the need to issue an mkdir call for each directory in the path. For example, the first command creates the following directories for us:
/chroot
/chroot/etc
/chroot/etc/httpd
/chroot/etc/httpd/run
Let's also change the ownership of /chroot and the files and directories it contains so that the owner is the Apache user:
chown -R apache:apache /chroot
The final piece of the puzzle is to copy all the files in your web server's document root to the corresponding location under /chroot. For example, if you store your web content in /var/www, then you would need to copy this directory to /chroot/var/www:
...
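A preflight check for the layout described above, to run before enabling SecChrootDir. This is an added example, not code from the original text. The function name chroot_preflight and its output format are assumptions, and the document root is assumed to be an absolute path.

```shell
#!/bin/sh
# Added example: verify a chroot layout before pointing SecChrootDir at it.
# Usage: chroot_preflight JAIL DOCROOT OWNER
#   e.g. chroot_preflight /chroot /var/www apache
# Prints one line per problem; returns 0 only when no problem was found.
chroot_preflight() {
    jail=$1 docroot=$2 owner=$3
    problems=$(
        # Directories Apache needs inside the jail (created with mkdir -p).
        for d in "$jail/etc/httpd/run" "$jail/var/run"; do
            [ -d "$d" ] || echo "missing directory: $d"
        done

        # Everything under the jail must belong to the Apache user (chown -R).
        if [ -d "$jail" ]; then
            find "$jail" ! -user "$owner" -print | sed 's/^/wrong owner: /'
        fi

        # Every file in the real document root needs a copy at the same
        # path under the jail, or requests for it will fail once jailed.
        if [ -d "$docroot" ]; then
            (cd "$docroot" && find . -type f -print) |
            while IFS= read -r f; do
                rel=${f#./}
                [ -f "$jail$docroot/$rel" ] || echo "not copied: $docroot/$rel"
            done
        else
            echo "document root not found: $docroot"
        fi
    )
    if [ -z "$problems" ]; then
        return 0
    fi
    printf '%s\n' "$problems"
    return 1
}
```

A non-zero return means Apache would start inside an incomplete jail; fix each reported path before restarting the server.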