Put nginx and PHP in a chroot jail on Debian 8
#!/bin/bash
# Config
# Helper that copies a binary's shared libraries into the jail (the
# n2chroot script shipped alongside this one).
# NOTE(review): everything below needs root (mknod, chown, setcap), yet the
# helper is executed from an unprivileged user's home directory, so that
# user can change what root runs — prefer a root-owned copy of n2chroot.
N2CHROOT=~victor/tmp/n2chroot
# Root directory of the chroot jail; exported so child processes see it.
JAIL=/var/www/chroot
export JAIL
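function create_chroot {
  # Lay down the skeleton of the jail at $JAIL: a handful of device nodes,
  # the FHS directories the daemons expect, the lib/lib64 symlinks and the
  # few /etc files needed for name and service resolution.
  # Globals: JAIL (read). Must run as root (mknod).
  # Create devices (nothing else from /dev is exposed to the jail)
  mkdir -p "$JAIL/dev"
  mknod -m 0666 "$JAIL/dev/null"    c 1 3
  mknod -m 0666 "$JAIL/dev/random"  c 1 8
  mknod -m 0444 "$JAIL/dev/urandom" c 1 9
  # Create directories
  mkdir -p "$JAIL"/{etc,bin,usr,var}
  mkdir -p "$JAIL"/usr/{lib,sbin,bin}
  mkdir -p "$JAIL"/{run,tmp}
  mkdir -p "$JAIL/var/run"
  # Check if 64-bit system.  Links are created by absolute path instead of
  # `cd $JAIL; ln -s ...`, so a failed cd can no longer leave a stray
  # symlink in whatever directory the script was started from; existing
  # links are left alone so the function can be re-run.
  if [ "$(uname -m)" = "x86_64" ]; then
    [ -e "$JAIL/lib64" ]     || ln -s usr/lib "$JAIL/lib64"
    [ -e "$JAIL/usr/lib64" ] || ln -s lib "$JAIL/usr/lib64"
  else
    [ -e "$JAIL/lib" ] || ln -s usr/lib "$JAIL/lib"
  fi
  # Copy important stuff (-L dereferences symlinks so real files land in the jail)
  cp -rfvL /etc/{services,localtime,nsswitch.conf,nscd.conf,protocols,hosts,ld.so.cache,ld.so.conf,resolv.conf,host.conf} "$JAIL/etc"
}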
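function setup_nginx {
  # Install nginx into the jail: binary, shared libraries, static content,
  # working directories and /etc/nginx.
  # Globals: JAIL, N2CHROOT (read).
  # Create directories
  mkdir -p "$JAIL/usr/share/nginx"
  mkdir -p "$JAIL/var/"{log,lib}/nginx
  mkdir -p "$JAIL/www/cgi-bin"
  # Copy files.  The trailing "/." copies the *contents* of /var/lib/nginx;
  # the original `cp -r /var/lib/nginx $JAIL/var/lib/nginx` nested a second
  # nginx/ directory inside the one created just above.
  cp -r /usr/share/nginx/* "$JAIL/usr/share/nginx"
  cp -r /var/lib/nginx/. "$JAIL/var/lib/nginx"
  # Copy the nginx binary (once; the original copied it twice)
  cp /usr/sbin/nginx "$JAIL/usr/sbin/"
  # Copy libraries: the helper resolves them through ldd, then the NSS
  # modules are copied by hand (presumably because ldd does not list them).
  "${N2CHROOT}" /usr/sbin/nginx
  if [ "$(uname -m)" = "x86_64" ]; then
    mkdir -p "$JAIL/lib/x86_64-linux-gnu"
    cp /lib/x86_64-linux-gnu/libnss_* "$JAIL/lib/x86_64-linux-gnu/"
  else
    mkdir -p "$JAIL/lib"
    cp /lib/libnss_* "$JAIL/lib/"
  fi
  # Copy config files and other important stuff.
  # NOTE(review): -L dereferences symlinks, so whatever /etc/nginx points at
  # (TLS private keys named by ssl_certificate_key, if any) is copied into
  # the jail too — check what lands here before ownership is changed.
  cp -rfvL /etc/nginx "$JAIL/etc"
  # Create PID file
  touch "$JAIL/run/nginx.pid"
}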
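function setup_php5-fpm {
  # Install php5-fpm into the jail: configuration, timezone data, the
  # extension modules with their dependencies, and the binary itself.
  # Globals: JAIL, N2CHROOT (read).
  #
  # Copy config files with -L (dereference symlinks), like every other copy
  # in this script.  The original used lowercase -l, which *hard-links* the
  # host's /etc/php5 into the jail: the chown/chmod applied to the jail
  # later would then silently change the host's own configuration files,
  # and the copy fails outright when /etc and the jail are on different
  # filesystems.
  cp -rfvL /etc/php5 "$JAIL/etc/"
  mkdir -p "$JAIL/usr/share"
  cp -rfvL /usr/share/zoneinfo "$JAIL/usr/share/"
  # Copy libraries
  "${N2CHROOT}" /usr/sbin/php5-fpm
  cp -rfvL /usr/lib/php5 "$JAIL/usr/lib/"
  # Pull in the dependencies of every extension module.  The API directory
  # (20131226 on Debian 8) is globbed so other php5 builds work as well.
  local mod
  for mod in /usr/lib/php5/*/*.so; do
    [ -e "$mod" ] || continue   # unmatched glob stays literal; skip it
    "${N2CHROOT}" "$mod"
  done
  # Copy the php5-fpm binary
  cp /usr/sbin/php5-fpm "$JAIL/usr/sbin/"
}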
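function add_security {
  # Populate the jail's account files and lock down ownership and modes.
  # Most instructions from https://wiki.archlinux.org/index.php/nginx#Installation_in_a_chroot
  # Globals: JAIL (read). Must run as root (chown, setcap).
  local entry
  # Add users, groups, shadow and gshadow.  Each line is appended only if
  # the account is not already present, so re-running the script does not
  # fill the files with duplicate entries.
  for entry in \
    "passwd:www-data:x:1337:1337:www-data:/:/bin/false" \
    "passwd:nobody:x:99:99:nobody:/:/bin/false" \
    "group:www-data:x:1337:" \
    "group:nobody:x:99:" \
    "shadow:www-data:x:14871::::::" \
    "shadow:nobody:x:14871::::::" \
    "gshadow:www-data:::" \
    "gshadow:nobody:::"; do
    _jail_add_entry "${entry%%:*}" "${entry#*:}"
  done
  # Set ownerships
  chown -R root:root "$JAIL/"
  chown -R www-data:www-data "$JAIL/www"
  # NOTE(review): giving the worker account ownership of the nginx/php
  # configuration (and of anything copied along with /etc/nginx, such as
  # TLS private keys) means a compromised worker can rewrite files that the
  # root-run masters read on the next reload.  root:root with group read
  # for www-data would be safer; kept as-is to match the wiki procedure.
  chown -R www-data:www-data "$JAIL/etc/"{nginx,php5}
  chown -R www-data:www-data "$JAIL/var/"{log,lib}/nginx
  chown www-data:www-data "$JAIL/run/nginx.pid"
  # Restrict permissions.  `-exec ... +` replaces `-print | xargs`, which
  # split path names on whitespace; the original's second pass over the
  # same directories (`chmod +x`) was a no-op after u=x,og=x.
  find "$JAIL/" -uid 0 -gid 0 -type d -exec chmod u=x,og=x {} +
  # NOTE(review): this makes every root-owned file under /etc (passwd,
  # hosts, resolv.conf, nsswitch.conf ...) unreadable for www-data, so
  # name/user lookups from the workers may fail unless these are relaxed.
  find "$JAIL/etc" -uid 0 -gid 0 -type f -exec chmod u=rw,og= {} +
  find "$JAIL/usr/sbin" -type f -exec chmod u=rx,og-rwx {} +
  find "$JAIL/" -user www-data -group www-data -exec chmod og-rwx {} +
  # Explicit modes: `chmod +rw` with no "who" is masked by the caller's
  # umask, and with the usual 022 it left /tmp without write permission
  # for www-data.  /tmp is world-writable with the sticky bit; /run stays
  # root-writable and traversable so the masters can drop their pid files.
  chmod 1777 "$JAIL/tmp"
  chmod 0755 "$JAIL/run"
  # Give permissions to bind ports < 1024 (only matters if nginx is ever
  # started as a non-root user; the nginx-chroot init script runs it via
  # chroot(8) as root).
  setcap 'cap_net_bind_service=+ep' "$JAIL/usr/sbin/nginx"
}

# Append LINE to $JAIL/etc/FILE unless an entry with the same account name
# (text before the first colon) already exists there.  A missing file is
# created, as `>>` did before.
function _jail_add_entry {
  local file="$JAIL/etc/$1" line="$2"
  local name="${2%%:*}"
  grep -qs "^${name}:" "$file" || printf '%s\n' "$line" >> "$file"
}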
# Run functions: build the jail skeleton, install both daemons, then lock
# the tree down.  Order matters: add_security re-owns what setup_* copied.
main() {
  create_chroot
  setup_nginx
  setup_php5-fpm
  add_security
}
main "$@"
#!/bin/bash
set -e
# Use this script to copy shared (libs) files to nginx chrooted
# jail server. This is tested on 64 bit Linux (Redhat and Friends only)
# ----------------------------------------------------------------------------
# Written by Vivek Gite <http://www.cyberciti.biz/>
# (c) 2006 nixCraft under GNU GPL v2.0+
# Last updated on: Apr/06/2010 by Vivek Gite
# ----------------------------------------------------------------------------
# + Added ld-linux support
# + Added error checking support
# + Added nginx support
# + Added for loop so that we can process all files on cmd
# ----------------------------------------------------------------------------
# See url for usage:
# http://www.cyberciti.biz/faq/howto-run-nginx-in-a-chroot-jail/
# ----------------------------------------------------------------------------
# Set CHROOT directory name
# Set CHROOT directory name: every library is copied to $BASE + its host path.
BASE=/var/www/chroot
# All command-line arguments joined into one string; the loop at the bottom
# word-splits it again, so paths containing blanks will not survive.
file="$@"
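sync_support_libs(){
    # Copy every shared library a binary depends on into the jail, plus the
    # dynamic loader, mirroring the host directory layout under the jail.
    # Arguments: $1 jail root directory, $2 path of the dynamically linked
    # binary (or shared object) to inspect.
    # Returns 0 on success, 1 if a directory or copy could not be created.
    # NOTE: ldd may execute the file it inspects with some loaders; only
    # point this at trusted system binaries.
    local d="$1"        # JAIL ROOT
    local pFILE="$2"    # binary whose libs are copied
    local files="" lib dir
    local _cp="/bin/cp"
    # ldd prints "name => /path (0xaddr)"; keep the path column and drop
    # the vdso/loader lines, which have nothing (or only an address) there.
    files="$(ldd "$pFILE" | awk '{ print $3 }' | sed -e '/^$/d' -e '/(*)$/d')"
    # shellcheck disable=SC2086 -- word-splitting on the newline-separated list is intended
    for lib in $files
    do
        dir="${lib%/*}"   # dirname only
        [ -d "${d}${dir}" ] || mkdir -p "${d}${dir}" || return 1
        ${_cp} -f "$lib" "${d}${dir}" || return 1
    done
    # The loader is listed without "=>" (works with 32 and 64 bit ld-linux).
    # It can be absent (static binary, non-glibc ldd): nothing to copy then.
    local sldl sldlsubdir
    sldl="$(ldd "$pFILE" | grep 'ld-linux' | awk '{ print $1}')"
    [ -n "$sldl" ] || return 0
    sldlsubdir="${sldl%/*}"
    # An explicit if instead of `[ ! -f ... ] && cp`: the && form made the
    # function return 1 once the loader was already in the jail, which
    # aborted the caller under `set -e` on every binary after the first.
    # The target directory is created too; the original assumed it existed.
    if [ ! -f "${d}${sldl}" ]; then
        mkdir -p "${d}${sldlsubdir}" || return 1
        ${_cp} -f "${sldl}" "${d}${sldlsubdir}" || return 1
    fi
    return 0
}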
usage(){
    # Print the calling convention on stdout and leave with status 1.
    printf 'Syntax : %s /usr/sbin/nginx\n' "$0"
    printf 'Example: %s /usr/bin/php5-cgi\n' "$0"
    exit 1
}
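[ "$#" -eq 0 ] && usage
[ -d "$BASE" ] || mkdir -p "$BASE"
# copy all files: iterate over the arguments themselves rather than the
# space-joined $file, so a path containing blanks stays a single argument.
for f in "$@"
do
    sync_support_libs "${BASE}" "${f}"
done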
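#!/bin/sh
### BEGIN INIT INFO
# Provides: nginx-chroot
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start nginx in a chroot
### END INIT INFO
# Start, reload or stop the nginx master living inside $CHROOT.  The daemon
# is entered through chroot(8), so every path nginx sees (config, pid file,
# logs) is relative to the jail.
# NOTE: the master is started as root and nothing here drops privileges; a
# chroot is not a containment boundary for root, so keep the jail minimal.
CHROOT=/var/www/chroot
NGINX=/usr/sbin/nginx                  # path inside the jail
OPTS='daemon on; master_process on;'

case "$1" in
  start)
    /usr/sbin/chroot "$CHROOT" "$NGINX" -q -g "$OPTS"
    ;;
  reload)
    /usr/sbin/chroot "$CHROOT" "$NGINX" -g "$OPTS" -s reload
    ;;
  stop)
    # Signal only the jailed master, through its own pid file, the same
    # way reload does.  The previous `pgrep nginx | xargs kill -9`
    # SIGKILLed every process named nginx on the host, jailed or not, and
    # skipped nginx's orderly shutdown (use `-s quit` for a graceful one).
    /usr/sbin/chroot "$CHROOT" "$NGINX" -g "$OPTS" -s stop
    ;;
  *)
    # $0, not the undefined $N, so the usage line names this script.
    echo "Usage: $0 {start|reload|stop}" >&2
    exit 1
    ;;
esac
exit 0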
#!/bin/bash
# Helper that copies a binary's shared libraries into the jail.
N2CHROOT=/home/bitnami/scripts/n2chroot
# Root of the chroot jail.
JAIL=/home/bitnami/nginxstack-chroot
# Bitnami stack location on the host; the same path is mirrored inside the
# jail, which is why the two are simply concatenated below.
BITNAMI=/home/bitnami/nginxstack
BITNAMI_INSTALLDIR="${JAIL}/${BITNAMI}"
# NOTE(review): the helper and the jail both live under the unprivileged
# bitnami user's home, while this script needs root (mknod, chown); that
# user can therefore change what root executes and what ends up in the jail.
export N2CHROOT JAIL BITNAMI BITNAMI_INSTALLDIR
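function create_chroot {
  # Lay down the skeleton of the jail at $JAIL: a handful of device nodes,
  # the FHS directories, the Bitnami stack tree, the lib/lib64 symlinks and
  # the /etc files needed for name and service resolution.
  # Globals: JAIL, BITNAMI (read). Must run as root (mknod).
  # Create devices (nothing else from /dev is exposed to the jail)
  mkdir -p "$JAIL/dev"
  mknod -m 0666 "$JAIL/dev/null"    c 1 3
  mknod -m 0666 "$JAIL/dev/random"  c 1 8
  mknod -m 0444 "$JAIL/dev/urandom" c 1 9
  # Create directories
  mkdir -p "$JAIL"/{etc,bin,usr,var}
  mkdir -p "$JAIL"/usr/{lib,sbin,bin}
  mkdir -p "$JAIL"/{run,tmp}
  mkdir -p "$JAIL/var/run"
  mkdir -p "$JAIL/$BITNAMI"/{php,nginx,mysql}
  mkdir -p "$JAIL/$BITNAMI/php/lib"
  mkdir -p "$JAIL/$BITNAMI/nginx/lib"
  mkdir -p "$JAIL/$BITNAMI/common/lib"
  mkdir -p "$JAIL/$BITNAMI/mysql/lib"
  # Check if 64-bit system.  Links are created by absolute path instead of
  # `cd $JAIL; ln -s ...`, so a failed cd can no longer leave a stray
  # symlink in whatever directory the script was started from; existing
  # links are left alone so the function can be re-run.
  if [ "$(uname -m)" = "x86_64" ]; then
    mkdir -p "$JAIL/lib/x86_64-linux-gnu"
    [ -e "$JAIL/lib64" ]     || ln -s usr/lib "$JAIL/lib64"
    [ -e "$JAIL/usr/lib64" ] || ln -s lib "$JAIL/usr/lib64"
  else
    [ -e "$JAIL/lib" ] || ln -s usr/lib "$JAIL/lib"
  fi
  # Copy important stuff (-L dereferences symlinks so real files land in the jail)
  cp -rfvL /etc/{services,localtime,nsswitch.conf,nscd.conf,protocols,hosts,ld.so.cache,ld.so.conf,resolv.conf,host.conf} "$JAIL/etc"
  # Cp bitnami to the chroot
  # cp -Rv $BITNAMI $JAIL/home/bitnami/
}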
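function add_users {
  # Populate the jail's account files for the accounts the Bitnami daemons
  # run as (daemon, mysql) plus nobody.
  # Most instructions from https://wiki.archlinux.org/index.php/nginx#Installation_in_a_chroot
  # Globals: JAIL (read).
  # Every line is appended only if the account is not already present in
  # that file, so running the script twice does not duplicate entries.
  local entry
  for entry in \
    "passwd:daemon:x:1:1:daemon:/:/bin/false" \
    "passwd:mysql:x:100:101:MySQL Server,,,:/nonexistent:/bin/false" \
    "passwd:nobody:x:99:99:nobody:/:/bin/false" \
    "group:daemon:x:1:" \
    "group:mysql:x:101:" \
    "group:nobody:x:99:" \
    "shadow:daemon:x:14871::::::" \
    "shadow:mysql:!:16755:0:99999:7:::" \
    "shadow:nobody:x:14871::::::" \
    "gshadow:daemon:::" \
    "gshadow:mysql:!::" \
    "gshadow:nobody:::"; do
    _jail_account_line "${entry%%:*}" "${entry#*:}"
  done
}

# Append LINE to $JAIL/etc/FILE unless an entry for the same account name
# (text before the first colon) already exists there.  A missing file is
# created, as `>>` did before.
function _jail_account_line {
  local file="$JAIL/etc/$1" line="$2"
  local name="${2%%:*}"
  grep -qs "^${name}:" "$file" || printf '%s\n' "$line" >> "$file"
}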
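function add_libraries {
  # Copy the host's NSS/libnsl libraries into the jail's system library
  # directory and a wider set into the Bitnami common/lib directory, then
  # link the few libraries php-fpm and mysqld need from their own lib/.
  # Globals: JAIL, BITNAMI_INSTALLDIR (read).
  # NOTE(review): the /lib/x86_64-linux-gnu paths are hard-coded, so this
  # only works on a 64-bit Debian-style multiarch host.
  local sys_lib="/lib/x86_64-linux-gnu"
  local common="$BITNAMI_INSTALLDIR/common/lib"
  local lib
  # Add system stuff
  cp "$sys_lib"/libnsl* "$JAIL/lib/x86_64-linux-gnu/"
  cp "$sys_lib"/libnss* "$JAIL/lib/x86_64-linux-gnu/"
  # Add nginx stuff
  # $N2CHROOT $BITNAMI_INSTALLDIR/nginx/sbin/.nginx.bin
  for lib in libnsl libnss libpthread libpcre libdl libgcc libresolv; do
    cp "$sys_lib/$lib"* "$common/"
  done
  # Add php-fpm stuff.  Links are created by full path rather than after a
  # `cd`: if the directory was missing, the original's cd failed silently
  # and ln dropped the link into whatever directory the script ran from.
  ln -s ../../common/lib/libresolv.so.2 "$BITNAMI_INSTALLDIR/php/lib/libresolv.so.2"
  # Add mysql stuff
  ln -s ../../common/lib/libdl.so.2      "$BITNAMI_INSTALLDIR/mysql/lib/libdl.so.2"
  ln -s ../../common/lib/libgcc_s.so.1   "$BITNAMI_INSTALLDIR/mysql/lib/libgcc_s.so.1"
  ln -s ../../common/lib/libpthread.so.0 "$BITNAMI_INSTALLDIR/mysql/lib/libpthread.so.0"
}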
function add_binaries {
  # Put a POSIX shell and nohup into the jail and pull in the shell's
  # shared libraries through the helper.
  # Globals: JAIL, N2CHROOT (read).
  # NOTE(review): shipping /bin/sh into the jail hands any compromised
  # daemon a working shell; the comment says mysqld needs nohup, but
  # nothing here says what needs sh — confirm before keeping it.
  local shell=/bin/sh
  # Add shell
  cp "$shell" "$JAIL/bin/"
  "$N2CHROOT" "$shell"
  # Add nohup (mysqld needs it)
  cp /usr/bin/nohup "$JAIL/usr/bin"
}
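function fix_permissions {
  # Hand each component of the Bitnami tree inside the jail to the account
  # it runs as.
  # Globals: BITNAMI_INSTALLDIR (read). Must run as root.
  # The paths are passed to chown directly: the original did
  # `cd DIR; chown -R ... .`, so a failed cd would have recursively
  # re-owned whatever directory the script was started from.
  chown -R mysql:mysql   "$BITNAMI_INSTALLDIR/mysql"
  chown -R daemon:daemon "$BITNAMI_INSTALLDIR/php"
  chown -R daemon:daemon "$BITNAMI_INSTALLDIR/nginx"
}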
# Run functions: skeleton first, then accounts, libraries and binaries,
# and finally the ownership pass over the populated tree.
main() {
  create_chroot
  add_users
  add_libraries
  add_binaries
  fix_permissions
}
main "$@"
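#!/bin/sh
### BEGIN INIT INFO
# Provides: php5-fpm-chroot
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start php5-fpm in a chroot
### END INIT INFO
# Start or stop the php5-fpm master living inside $CHROOT.  The daemon is
# entered through chroot(8), so the --fpm-config path is relative to the jail.
# NOTE: the master is started as root and nothing here drops privileges; a
# chroot is not a containment boundary for root, so keep the jail minimal.
CHROOT=/var/www/chroot
FPM=/usr/sbin/php5-fpm                 # path inside the jail
FPM_CONF=/etc/php5/fpm/php-fpm.conf    # path inside the jail

case "$1" in
  start)
    /usr/sbin/chroot "$CHROOT" "$FPM" --daemonize --fpm-config "$FPM_CONF"
    ;;
  stop)
    # Send SIGTERM and match the process name exactly.  The previous
    # `pgrep php | xargs kill -9` SIGKILLed every process with "php" in
    # its name (php-cli jobs included) and gave the daemon no chance to
    # shut down cleanly.
    # NOTE(review): this still matches a php5-fpm running outside the
    # jail; signalling the jailed master through its pid file would be
    # tighter.
    pkill -TERM -x php5-fpm
    ;;
  *)
    # $0, not the undefined $N, so the usage line names this script.
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac
exit 0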