Set up a chroot jail at `/srv/http` for a public nginx server on Arch Linux (the jailed nginx binary and its libraries are copies that pacman no longer updates; re-run the script after host upgrades).
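#!/usr/bin/env bash
# Build a chroot jail under $JAIL for a public nginx on Arch Linux, then
# remove the host copy of nginx so only the jailed one is left to run
# (a systemd unit with RootDirectory=$JAIL and User=http starts it).
#
# Must be run as root.  Re-run it after every host upgrade of nginx or of
# the shared libraries it links (glibc, openssl, pcre, zlib): the copies
# inside the jail are not tracked by pacman and stay unpatched otherwise.
set -euo pipefail

export JAIL=/srv/http

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "this script must run as root"

pacman -S --needed nginx

# The jail's passwd/group must carry the same numeric ids as the host's
# http user: systemd resolves User=http on the host, nginx resolves its
# 'user' directive inside the jail, and file ownership is by number.
HTTP_UID=$(id -u http) || die "host user 'http' does not exist"
HTTP_GID=$(id -g http)

# --- Device nodes (guarded so the script can be re-run) --------------------
mkdir -p "$JAIL"/dev
[[ -e "$JAIL"/dev/null ]]    || mknod -m 0666 "$JAIL"/dev/null c 1 3
[[ -e "$JAIL"/dev/random ]]  || mknod -m 0666 "$JAIL"/dev/random c 1 8
[[ -e "$JAIL"/dev/urandom ]] || mknod -m 0444 "$JAIL"/dev/urandom c 1 9

# --- Directory skeleton; lib/lib64/bin mirror Arch's merged-/usr layout ----
mkdir -p "$JAIL"/etc/nginx/logs "$JAIL"/usr/{lib,bin} "$JAIL"/usr/share/nginx \
  "$JAIL"/var/{log,lib}/nginx "$JAIL"/www/cgi-bin "$JAIL"/{run,tmp}
# Targets are relative to the link's own directory; usr/lib64 -> lib (the
# original 'usr/lib' target resolved to usr/usr/lib and dangled).
ln -sfn usr/lib "$JAIL"/lib
ln -sfn usr/lib "$JAIL"/lib64
ln -sfn lib     "$JAIL"/usr/lib64
ln -sfn usr/bin "$JAIL"/bin

# --- tmpfs for /run and /tmp inside the jail -------------------------------
# nosuid,nodev,noexec: nothing dropped there can become an escalation
# vehicle.  /run is owned by http via mount options so nginx can still
# write its pid file after a reboot (a fresh tmpfs is root-owned otherwise).
# Entries go to the HOST /etc/fstab: an fstab inside the jail is never read.
mount_jail_tmpfs() {  # $1 = mount point, $2 = mount options
  mountpoint -q "$1" || mount -t tmpfs -o "$2" tmpfs "$1"
  grep -qsF -- " $1 " /etc/fstab \
    || printf 'tmpfs %s tmpfs %s 0 0\n' "$1" "$2" >> /etc/fstab
}
mount_jail_tmpfs "$JAIL"/run \
  "rw,nosuid,nodev,noexec,relatime,size=1M,mode=0755,uid=$HTTP_UID,gid=$HTTP_GID"
mount_jail_tmpfs "$JAIL"/tmp "rw,nosuid,nodev,noexec,relatime,size=100M,mode=1777"

# --- Populate the chroot ---------------------------------------------------
cp -r /usr/share/nginx/. "$JAIL"/usr/share/nginx/
cp -r /usr/share/nginx/html/. "$JAIL"/www/
cp /usr/bin/nginx "$JAIL"/usr/bin/
if [[ -d /var/lib/nginx ]]; then
  # '/.' merges into the existing dir; without it a nested nginx/nginx appears.
  cp -r /var/lib/nginx/. "$JAIL"/var/lib/nginx/
fi
cp /usr/bin/false "$JAIL"/bin/

# ldd executes the binary's loader, so only ever point it at trusted files.
ldd_out=$(ldd /usr/bin/nginx)
if grep -q 'not found' <<<"$ldd_out"; then
  die "nginx has unresolved shared libraries: $ldd_out"
fi
# ELF interpreter: ldd prints it as a bare absolute path at the line start.
loader=$(awk '$1 ~ /^\// {print $1; exit}' <<<"$ldd_out")
cp -L "${loader:-/lib64/ld-linux-x86-64.so.2}" "$JAIL"/lib/
mapfile -t libs < <(awk '$2 == "=>" && $3 ~ /^\/usr\/lib\// {print $3}' <<<"$ldd_out")
(( ${#libs[@]} > 0 )) || die "ldd found no /usr/lib dependencies for nginx"
cp -L "${libs[@]}" "$JAIL"/usr/lib/
# Name-service modules glibc dlopen()s at runtime (invisible to ldd).
cp /usr/lib/libnss_* "$JAIL"/usr/lib/

for f in services localtime nsswitch.conf nscd.conf protocols hosts \
         ld.so.cache ld.so.conf resolv.conf host.conf nginx; do
  if [[ -e /etc/$f ]]; then
    cp -rfL "/etc/$f" "$JAIL"/etc/
  else
    printf 'warning: /etc/%s missing on host, skipped\n' "$f" >&2
  fi
done

# Minimal account database, written (not appended) so re-runs stay clean.
# 'x' in the shadow hash field is not a valid hash: no password login exists.
printf 'http:x:%s:\nnobody:x:99:\n' "$HTTP_GID" > "$JAIL"/etc/group
printf 'http:x:%s:%s:http:/:/bin/false\nnobody:x:99:99:nobody:/:/bin/false\n' \
  "$HTTP_UID" "$HTTP_GID" > "$JAIL"/etc/passwd
printf 'http:x:14871::::::\nnobody:x:14871::::::\n' > "$JAIL"/etc/shadow
printf 'http:::\nnobody:::\n' > "$JAIL"/etc/gshadow
: > "$JAIL"/etc/shells
: > "$JAIL"/run/nginx.pid

# --- Ownership and permissions ---------------------------------------------
chown -R root:root "$JAIL"
# Writable by the service account: pid dir, logs, temp/cache dirs, and (as
# in the original) the document root.  A serve-only site is safer with
# "chown -R root:http $JAIL/www" so nginx cannot modify what it serves.
chown -R http:http "$JAIL"/www "$JAIL"/run "$JAIL"/var/{log,lib}/nginx
# Configuration is readable but NOT writable by the service account: a
# compromised worker must not be able to rewrite nginx.conf and re-point
# the server at other files.  Only the logs dir under it stays writable.
chown -R root:http "$JAIL"/etc/nginx
chmod -R u=rwX,g=rX,o= "$JAIL"/etc/nginx
chown -R http:http "$JAIL"/etc/nginx/logs
chown http:http "$JAIL"/run/nginx.pid
# Root-owned directories become execute-only (0111): traversable, not listable.
find "$JAIL" -uid 0 -gid 0 -type d -exec chmod a-rw,a+x {} +
find "$JAIL"/etc -uid 0 -gid 0 -type f -exec chmod a-x {} +
find "$JAIL"/usr/bin -type f -exec chmod ug+rx {} +
find "$JAIL" -user http -group http -exec chmod o-rwx {} +
chmod 0600 "$JAIL"/etc/{shadow,gshadow}
# Mount points: match the tmpfs mode= options so a reboot changes nothing.
chmod 0755 "$JAIL"/run
chmod 1777 "$JAIL"/tmp

# Let the non-root master bind ports 80/443.  This is a file capability; it
# is silently ignored if the unit ever sets NoNewPrivileges=yes (use
# AmbientCapabilities=CAP_NET_BIND_SERVICE in the unit in that case).
setcap 'cap_net_bind_service=+ep' "$JAIL"/usr/bin/nginx

printf 'Install the chroot nginx.service in /etc/systemd/system, then run: systemctl daemon-reload\n'
# Drop the host install; the custom unit replaces the packaged one.  -c also
# cascades to packages that depend on nginx.  From here on pacman no longer
# updates the binary that actually serves traffic -- see the header.
pacman -Rsc nginx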
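#/etc/systemd/system/nginx.service
# nginx confined to the chroot built by the setup script.  The whole server,
# master included, runs as the unprivileged http user; binding port 80 relies
# on the file capability set on /usr/bin/nginx inside the jail, so do not add
# NoNewPrivileges=yes here (it disables file capabilities) without switching
# to AmbientCapabilities=CAP_NET_BIND_SERVICE.
[Unit]
Description=Nginx (Chroot)
# syslog.target is a no-op on current systemd and was dropped from After=.
After=network.target
# /run and /tmp of the jail are separate tmpfs mounts from /etc/fstab; this
# orders the service after them so the pid directory exists and is writable.
RequiresMountsFor=/srv/http/run /srv/http/tmp
[Service]
Type=forking
PIDFile=/srv/http/run/nginx.pid
RootDirectory=/srv/http
User=http
Group=http
# Exec paths below are looked up inside RootDirectory.
# Reject a broken configuration before the running instance is touched.
ExecStartPre=/usr/bin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/bin/nginx -c /etc/nginx/nginx.conf
ExecReload=/usr/bin/nginx -c /etc/nginx/nginx.conf -s reload
ExecStop=/usr/bin/nginx -c /etc/nginx/nginx.conf -s stop
[Install]
WantedBy=multi-user.target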