Set up a chroot jail at `/srv/http` for a public Nginx server on Arch Linux.
# Install nginx on the host first; its binary, libraries and config are
# copied from the host into the jail by the steps that follow.
pacman -S nginx
# Root directory of the chroot jail. Every path below is built from it.
JAIL=/srv/http
export JAIL
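# Create Necessary Devices
# Refuse to run with JAIL unset or empty: every mkdir/mknod/ln below would
# otherwise land in the host's root filesystem instead of the jail.
: "${JAIL:?JAIL must be set to the jail root}"
# Only the three device nodes nginx needs. The filesystem holding the jail
# must not be mounted 'nodev', or these nodes cannot be opened.
mkdir -p -- "$JAIL/dev"
mknod -m 0666 "$JAIL/dev/null" c 1 3
mknod -m 0666 "$JAIL/dev/random" c 1 8
mknod -m 0444 "$JAIL/dev/urandom" c 1 9
# Create Necessary Folders
mkdir -p -- "$JAIL/etc/nginx/logs"
mkdir -p -- "$JAIL/usr"/{lib,bin}
mkdir -p -- "$JAIL/usr/share/nginx"
mkdir -p -- "$JAIL/var"/{log,lib}/nginx
mkdir -p -- "$JAIL/www/cgi-bin"
mkdir -p -- "$JAIL"/{run,tmp}
# The compatibility links are relative so they resolve inside the jail.
# The cd must not fail silently: if it did, the ln commands would create
# dangling lib/lib64/bin links in whatever the current directory happens to be.
cd -- "$JAIL" || exit 1
ln -s usr/lib lib
ln -s usr/lib lib64
ln -s usr/lib usr/lib64
ln -s usr/bin bin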
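# Mount tmpfs
: "${JAIL:?JAIL must be set to the jail root}"
# Scratch space for the jail. 'nosuid,nodev' are added next to 'noexec':
# nothing in the jail needs set-uid binaries or device nodes under /run or /tmp.
mount -t tmpfs -o 'noexec,nosuid,nodev,size=1M' none "$JAIL/run"
mount -t tmpfs -o 'noexec,nosuid,nodev,size=100M' none "$JAIL/tmp"
# Record the mounts so they can be recreated after a reboot. The mount points
# are derived from $JAIL rather than a hard-coded /srv/http so the two cannot
# drift apart.
# NOTE(review): these entries are written to the jail's own etc/fstab, which
# the host does not consult at boot — confirm whether the host's /etc/fstab
# was intended.
touch -- "$JAIL/etc/fstab"
printf 'tmpfs %s/run tmpfs rw,noexec,nosuid,nodev,relatime,size=1024k 0 0\n' "$JAIL" >> "$JAIL/etc/fstab"
printf 'tmpfs %s/tmp tmpfs rw,noexec,nosuid,nodev,relatime,size=102400k 0 0\n' "$JAIL" >> "$JAIL/etc/fstab"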
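# Populate the chroot
: "${JAIL:?JAIL must be set to the jail root}"
cp -r /usr/share/nginx/* "$JAIL/usr/share/nginx"
cp -r /usr/share/nginx/html/* "$JAIL/www"
cp /usr/bin/nginx "$JAIL/usr/bin/"
# Copy the *contents* of /var/lib/nginx. The target directory already exists
# (created above), so 'cp -r /var/lib/nginx "$JAIL/var/lib/nginx"' would nest
# everything one level deeper as "$JAIL/var/lib/nginx/nginx".
cp -r /var/lib/nginx/. "$JAIL/var/lib/nginx"
cp /usr/bin/false "$JAIL/bin"
# Shared libraries nginx links against, plus the dynamic loader. ldd prints
# either 'name => /path (addr)' or, for the loader alone, '/path (addr)';
# take every field that is an absolute path. This replaces the broken
# 'cp /lib64/ $JAIL/lib' (cp refuses a directory without -r) and the sed
# filter that only matched /usr/lib and so missed a loader reported as
# /lib64/... . -L copies the real file rather than the .so symlink; because
# "$JAIL/lib64" links to usr/lib, the loader is found inside the jail too.
mapfile -t nginx_libs < <(ldd /usr/bin/nginx | awk '$1 ~ /^\// { print $1 } $3 ~ /^\// { print $3 }')
cp -L -- "${nginx_libs[@]}" "$JAIL/usr/lib"
# NSS modules are dlopen()ed by glibc at runtime and never appear in ldd output.
cp /usr/lib/libnss_* "$JAIL/usr/lib"
# Host config files the jail needs. The brace list must not contain empty
# items: a ',,' expands to '/etc/' and copies the entire host /etc — including
# /etc/shadow — into the jail.
cp -rfvL /etc/{services,localtime,nsswitch.conf,nscd.conf,protocols,hosts,resolv.conf,host.conf,nginx} "$JAIL/etc"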
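# Minimal account database for the jail: only the two accounts nginx uses.
# The 'x' password field with no hash in shadow means neither can log in.
: "${JAIL:?JAIL must be set to the jail root}"
touch -- "$JAIL/etc"/{group,passwd,shadow,gshadow}
printf '%s\n' 'http:x:33:' 'nobody:x:99:' >> "$JAIL/etc/group"
printf '%s\n' 'http:x:33:33:http:/:/bin/false' 'nobody:x:99:99:nobody:/:/bin/false' >> "$JAIL/etc/passwd"
printf '%s\n' 'http:x:14871::::::' 'nobody:x:14871::::::' >> "$JAIL/etc/shadow"
printf '%s\n' 'http:::' 'nobody:::' >> "$JAIL/etc/gshadow"
# touch creates these files with the umask (typically 0644); the shadow files
# should not be world-readable even though they carry no hashes, and nothing
# running as http needs them.
chmod 0600 -- "$JAIL/etc"/{shadow,gshadow}
touch -- "$JAIL/etc/shells"
# Kept from the original; on the mounted tmpfs this only updates the
# directory's timestamp — appears to be a no-op, confirm before removing.
touch -- "$JAIL/run/"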
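# Ownership and permissions. The guard matters most here: with JAIL empty,
# 'chown -R root:root "/"' would rewrite ownership of the whole host.
: "${JAIL:?JAIL must be set to the jail root}"
chown -R root:root "$JAIL/"
# Only what nginx must write to, or read its own config from, belongs to http.
chown -R http:http "$JAIL"/{www,run}
chown -R http:http "$JAIL/etc/nginx"
chown -R http:http "$JAIL/var"/{log,lib}/nginx
chown http:http "$JAIL/run/"
# Root-owned directories: traverse only, no listing and no creating entries.
# The bare '-rw' / '+x' modes (no 'ugoa') are kept on purpose: they leave bits
# in the umask untouched, so the 'other' write bit of the tmpfs mounts
# (tmpfs defaults to 1777) survives under the usual 022 umask — 'a-rw' would
# strip it. '-exec ... +' replaces '-print | xargs', which splits on whitespace.
find "$JAIL/" -gid 0 -uid 0 -type d -exec chmod -rw {} +
find "$JAIL/" -gid 0 -uid 0 -type d -exec chmod +x {} +
# Root-owned files under /etc are data, never executables.
find "$JAIL/etc" -gid 0 -uid 0 -type f -exec chmod -x {} +
find "$JAIL/usr/bin" -type f -exec chmod ug+rx {} +
# Everything owned by http is hidden from 'other'.
find "$JAIL/" -group http -user http -exec chmod o-rwx {} +
chmod +rw "$JAIL/tmp"
chmod +rw "$JAIL/run"
# File capability so an unprivileged nginx can bind ports below 1024 without
# ever running as root.
setcap 'cap_net_bind_service=+ep' "$JAIL/usr/bin/nginx"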
# Modify nginx.service to start chroot
printf '%s\n' 'Install modified nginx.service script in /etc/systemd/system'
# Remove the host install now that the jail holds its own copy. Note that
# -s also removes nginx's now-unneeded dependencies and -c cascades to any
# package that depends on nginx.
pacman -Rsc nginx
# Fragment of the modified nginx.service. As shown here it carries no
# [Unit]/[Service] section headers; confirm they exist in the installed file.
Description=Nginx (Chroot)
# The Exec* paths are jail-relative: /usr/bin/nginx and /etc/nginx/nginx.conf
# were copied under the jail root and the host package was removed, so the
# unit must enter the chroot before these commands run (e.g. a RootDirectory=
# setting). Nothing visible in this fragment does that — confirm.
ExecStartPre=/usr/bin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/bin/nginx -c /etc/nginx/nginx.conf
ExecReload=/usr/bin/nginx -c /etc/nginx/nginx.conf -s reload
ExecStop=/usr/bin/nginx -c /etc/nginx/nginx.conf -s stop

adityamukho commented Nov 8, 2013
