A Perl script to create an nginx chroot on Arch Linux.
#!/usr/bin/perl
# This script was hastily cobbled together for my own use. It can
# probably break your system. Use at your own risk.
# Jail configuration. Every path generated below is rooted at $JAIL and the
# ownership commands use $USER/$GROUP. These are package globals (the script
# runs without strict), so the rest of the file refers to them bare.
our $JAIL    = "/srv/http";   # chroot root; the unit file's RootDirectory= must match
our $USER    = "http";        # account nginx runs as inside the jail
our $GROUP   = "http";
our $WWW_DIR = "www";         # document root, relative to $JAIL
our $BIN     = "bin";         # "bin" or "sbin": where /usr/$BIN/nginx lives
# Emit one shell command on STDOUT instead of executing it, so the complete
# output can be captured, reviewed and only then run:
#   perl jail.pl | tee jail.sh
#   $EDITOR jail.sh
#   sh jail.sh
# Running the command in place (system()) is deliberately left disabled.
sub run {
    my ($cmd) = @_;
    # print returns true on success; pass that through unchanged.
    return print "$cmd\n";
}
# Create the directory skeleton inside the jail. The "usr/{lib,$BIN}" entry
# relies on the shell expanding braces when the generated script is run.
@dirs = (
    "etc/nginx",
    "usr/{lib,$BIN}",
    "usr/share/nginx",
    "var/log/nginx",
    "var/lib/nginx/proxy",
    $WWW_DIR,
    "$WWW_DIR/cgi-bin",
);
for my $dir (@dirs) {
    my $target = join '/', $JAIL, $dir;
    run("mkdir -p $target");
}
# Seed the document root with the stock nginx pages (optional) and place the
# nginx binary at the same /usr/$BIN path inside the jail.
my @copy_cmds = (
    "cp -r /usr/share/nginx/html/* $JAIL/$WWW_DIR",   # Optional
    "cp /usr/$BIN/nginx $JAIL/usr/$BIN/",
);
run($_) for @copy_cmds;
# Create symbolic links. Each entry is "target name", both relative to $JAIL;
# lib, lib64 and usr/lib64 all resolve to usr/lib, which is the layout the
# library copies below assume.
@links = (
    "usr/lib lib",
    "usr/lib lib64",
    "lib usr/lib64",
);
for my $link (@links) {
    run("cd $JAIL; ln -s $link");
}
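# Install the shared libraries nginx links against, each at the same absolute
# path inside the jail. Only ldd lines of the form
#   name => /path/to/libfoo.so (0x...)
# are used; lines without "=>" (e.g. the vDSO) are skipped, so the jail
# should be checked for the dynamic loader if ldd reports it without "=>".
my $ldd_output = `ldd /usr/$BIN/nginx`;
# A failed ldd would otherwise silently yield a jail with no libraries.
die "ldd /usr/$BIN/nginx failed (wait status $?)\n" if $?;
@ldds = split /\n/, $ldd_output;
for my $line (@ldds) {
    next unless $line =~ m{ => \s* (?<lib> /.*/lib.* ) [ ] \(0x }x;
    # The destination directory must already exist (usr/lib is created above).
    # cp copies the referent of the symlinked name ldd reports.
    run("cp $+{lib} $JAIL$+{lib}");
}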
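# Extra dependencies for Name Switch Service (user/group lookups inside the jail)
run("cp /usr/lib/libnss_* $JAIL/usr/lib/");
# Copy configuration files. -L dereferences symlinks so the jail gets real
# files. Note that everything under /etc/nginx, including any TLS private
# keys kept there, ends up inside the jail.
run("cp -Lrf /etc/{services,localtime,nsswitch.conf,nscd.conf,protocols,hosts,ld.so.cache,ld.so.conf,resolv.conf,host.conf,nginx} $JAIL/etc");
# Build the jail's account databases from the host's http and nobody
# entries, renaming http to the $USER/$GROUP chosen at the top. Only the
# leading name field is rewritten (anchored with ^), so any other field
# that happens to contain "http" is left alone. The http account's host
# home directory (assumed to be /srv/http) becomes / inside the chroot.
my $pick_accounts = "grep -E '^(http|nobody):'";
run("$pick_accounts /etc/group | sed -r 's/^http:/$GROUP:/' > $JAIL/etc/group");
run("$pick_accounts /etc/passwd | sed -r 's#/srv/http#/#' | sed -r 's/^http:/$USER:/' > $JAIL/etc/passwd");
run("$pick_accounts /etc/gshadow | sed -r 's/^http:/$GROUP:/' > $JAIL/etc/gshadow");
run("$pick_accounts /etc/shadow | sed -r 's/^http:/$USER:/' > $JAIL/etc/shadow");
# Shell redirection creates the files with the umask's mode (typically
# world-readable); the shadow copies must be as restrictive as the host's.
run("chmod 600 $JAIL/etc/shadow $JAIL/etc/gshadow");
run("touch $JAIL/etc/shells");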
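# Setup permissions. The jail is root-owned by default; only the paths nginx
# must write to (document root, logs, proxy cache) are handed to $USER:$GROUP.
run("chown -R root:root $JAIL/");
run("chown -R $USER:$GROUP $JAIL/$WWW_DIR");
run("chown -R $USER:$GROUP $JAIL/var/{log,lib}/nginx");
# nginx is only expected to read its configuration (and any TLS keys copied
# with it), so keep it root-owned and group-readable instead of owned by the
# service account: a compromised worker must not be able to rewrite its own
# config. Files stay non-executable (X), others get nothing.
run("chown -R root:$GROUP $JAIL/etc/nginx");
run("chmod -R u=rwX,g=rX,o= $JAIL/etc/nginx");
# Every chmod names 'a' explicitly: without a who-letter the bits set in the
# invoking shell's umask are skipped, so a plain 'chmod +x' under umask 077
# would add only u+x and the service account could not traverse the jail.
# find -exec ... {} + replaces -print | xargs: it is safe with spaces in
# file names and runs nothing when there is no match.
run("find $JAIL/ -gid 0 -uid 0 -type d -exec chmod a-rw {} +");
run("find $JAIL/ -gid 0 -uid 0 -type d -exec chmod a+x {} +");
run("find $JAIL/etc -gid 0 -uid 0 -type f -exec chmod a-x {} +");
run("find $JAIL/usr/$BIN -type f -exec chmod ug+rx {} +");
run("find $JAIL/ -group $GROUP -user $USER -exec chmod o-rwx {} +");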
# systemd unit for the jailed nginx. These values must agree with the
# settings at the top of jail.pl: User/Group with $USER/$GROUP,
# RootDirectory with $JAIL, and the /usr/bin/nginx path with $BIN.
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target network-online.target nss-lookup.target
[Service]
User=http
Group=http
Type=forking
# Type=forking makes systemd wait for this PID file; RuntimeDirectory=nginx
# below creates /run/nginx for it. NOTE(review): confirm /run/nginx is
# visible inside the RootDirectory chroot — jail.pl creates no run/ directory.
PIDFile=/run/nginx/nginx.pid
# An empty assignment clears the list; the next line then grants only the
# capability needed to bind privileged (<1024) ports as a non-root user.
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=
AmbientCapabilities=CAP_NET_BIND_SERVICE
PrivateDevices=yes
NoNewPrivileges=yes
SyslogLevel=err
# The whole service runs chrooted into the jail built by jail.pl.
RootDirectory=/srv/http
RuntimeDirectory=nginx
# NOTE(review): check whether this path is interpreted relative to the host
# or to RootDirectory for the systemd version in use.
TemporaryFileSystem=/srv/http/tmp:rw,noexec,nosuid,nodev,size=10M
# Paths are as seen inside the chroot. The pid file and stderr logging are
# forced on the command line so the config file does not have to set them.
ExecStart=/usr/bin/nginx -g 'pid /run/nginx/nginx.pid; error_log stderr;'
ExecReload=/usr/bin/nginx -g 'pid /run/nginx/nginx.pid; error_log stderr;' -s reload
# SIGTERM goes to the master process only; remaining processes get SIGKILL.
KillMode=mixed
[Install]
WantedBy=multi-user.target