
Set up a chroot jail at `/srv/http` for a public Nginx server on Arch Linux. Run `nginx-jail.sh` as root, then install the accompanying `nginx.service` in `/etc/systemd/system`. Note that the jail holds *copies* of the nginx binary, its shared libraries and `/etc/nginx`, so `pacman -Syu` does not update them — re-run the script after upgrades.

nginx-jail.sh
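#!/usr/bin/env bash
#
# Build a chroot jail for nginx under $JAIL (default /srv/http) on Arch Linux.
#
# Must be run as root.  The jail is populated with COPIES of the nginx binary,
# the shared libraries it links against and the host's /etc/nginx, so nothing
# in it is updated by pacman.  Re-run this script after any upgrade touching
# nginx or its libraries (glibc, openssl, pcre, zlib, ...), otherwise the
# jailed service keeps running the old, possibly vulnerable, code.  Every step
# is written to be safe to re-run (mkdir -p, guarded mknod/mount, ln -sfn,
# account files rewritten rather than appended to).
#
# Environment:
#   JAIL  jail root (default /srv/http).  The accompanying nginx.service
#         hard-codes /srv/http in RootDirectory= and PIDFile=; change both
#         if you override this.

set -euo pipefail

export JAIL="${JAIL:-/srv/http}"
readonly JAIL

# The chmod calls below use "who-less" symbolic modes (+x, -rw), whose effect
# depends on the caller's umask.  Pin it so the resulting tree is predictable.
umask 022

#######################################
# Create the character devices nginx needs inside the jail.
# mknod fails when the node already exists, hence the guards.
#######################################
make_devices() {
  mkdir -p -- "$JAIL/dev"
  [[ -e "$JAIL/dev/null" ]]    || mknod -m 0666 "$JAIL/dev/null"    c 1 3
  [[ -e "$JAIL/dev/random" ]]  || mknod -m 0666 "$JAIL/dev/random"  c 1 8
  [[ -e "$JAIL/dev/urandom" ]] || mknod -m 0444 "$JAIL/dev/urandom" c 1 9
}

#######################################
# Create the directory skeleton and the merged-/usr compatibility symlinks.
#######################################
make_tree() {
  mkdir -p -- \
    "$JAIL/etc/nginx/logs" \
    "$JAIL/usr/lib" "$JAIL/usr/bin" \
    "$JAIL/usr/share/nginx" \
    "$JAIL/var/log/nginx" "$JAIL/var/lib/nginx" \
    "$JAIL/www/cgi-bin" \
    "$JAIL/run" "$JAIL/tmp"

  # Symlink targets are relative to the directory holding the link.
  # -n keeps ln from descending into an existing link on re-runs.
  ln -sfn usr/lib "$JAIL/lib"
  ln -sfn usr/lib "$JAIL/lib64"
  ln -sfn lib     "$JAIL/usr/lib64"   # was "usr/lib" -> dangling $JAIL/usr/usr/lib
  ln -sfn usr/bin "$JAIL/bin"
}

#######################################
# Mount noexec tmpfs on the jail's /run and /tmp and persist the mounts in
# the HOST /etc/fstab.  (The original wrote them to $JAIL/etc/fstab, which
# nothing ever reads, so the mounts vanished on reboot.)
#######################################
mount_tmpfs() {
  mountpoint -q "$JAIL/run" \
    || mount -t tmpfs none "$JAIL/run" -o 'noexec,nosuid,nodev,size=1M'
  mountpoint -q "$JAIL/tmp" \
    || mount -t tmpfs none "$JAIL/tmp" -o 'noexec,nosuid,nodev,size=100M'

  local line
  for line in \
    "tmpfs $JAIL/run tmpfs rw,noexec,nosuid,nodev,relatime,size=1024k 0 0" \
    "tmpfs $JAIL/tmp tmpfs rw,noexec,nosuid,nodev,relatime,size=102400k 0 0"
  do
    # -s: a missing /etc/fstab is not an error, just "not present yet".
    grep -qsF -- "$line" /etc/fstab || printf '%s\n' "$line" >> /etc/fstab
  done
}

#######################################
# Copy the binary, its libraries, static assets and configuration into the jail.
#######################################
populate() {
  cp -r /usr/share/nginx/.      "$JAIL/usr/share/nginx/"
  cp -r /usr/share/nginx/html/. "$JAIL/www/"
  cp    /usr/bin/nginx          "$JAIL/usr/bin/"
  # "/." copies the CONTENTS; the original "cp -r /var/lib/nginx $JAIL/var/lib/nginx"
  # nested a second nginx/ directory because the destination already existed.
  cp -r /var/lib/nginx/.        "$JAIL/var/lib/nginx/"
  cp    /usr/bin/false          "$JAIL/usr/bin/"

  # Dynamic loader plus every /usr/lib library ldd resolves for nginx
  # ("libfoo.so => /usr/lib/libfoo.so (0x...)").  The loader line has no
  # "=>" and is copied explicitly.
  cp /lib64/ld-linux-x86-64.so.2 "$JAIL/usr/lib/"
  local -a libs=()
  mapfile -t libs < <(ldd /usr/bin/nginx \
    | awk '$2 == "=>" && $3 ~ "^/usr/lib/" { print $3 }')
  if (( ${#libs[@]} )); then
    cp -- "${libs[@]}" "$JAIL/usr/lib/"
  fi
  cp /usr/lib/libnss_* "$JAIL/usr/lib/"

  # -L dereferences symlinks, so anything /etc/nginx points at (including
  # TLS private keys) ends up as a real file inside the jail.
  cp -rfvL /etc/{services,localtime,nsswitch.conf,nscd.conf,protocols,hosts,ld.so.cache,ld.so.conf,resolv.conf,host.conf,nginx} \
    "$JAIL/etc/"
}

#######################################
# Write a minimal NSS database for the jail.
# UIDs/GIDs are taken from the host: systemd resolves User=http on the host
# before entering RootDirectory=, so the jail's passwd must agree with it.
# Password fields are "x" with no hash and the shell is /bin/false, so the
# accounts can never be logged into.  Files are overwritten (not appended)
# so re-running does not produce duplicate entries.
#######################################
make_accounts() {
  local http_uid http_gid nobody_uid nobody_gid
  http_uid=$(id -u http);     http_gid=$(id -g http)
  nobody_uid=$(id -u nobody); nobody_gid=$(id -g nobody)

  printf '%s\n' \
    "http:x:${http_gid}:" \
    "nobody:x:${nobody_gid}:" > "$JAIL/etc/group"
  printf '%s\n' \
    "http:x:${http_uid}:${http_gid}:http:/:/bin/false" \
    "nobody:x:${nobody_uid}:${nobody_gid}:nobody:/:/bin/false" > "$JAIL/etc/passwd"
  printf '%s\n' 'http:x:14871::::::' 'nobody:x:14871::::::' > "$JAIL/etc/shadow"
  printf '%s\n' 'http:::' 'nobody:::' > "$JAIL/etc/gshadow"
  : > "$JAIL/etc/shells"
  touch "$JAIL/run/nginx.pid"
}

#######################################
# Apply ownership and modes: everything root-owned and non-listable except
# what nginx must write, and the configuration readable but not writable by
# the service account.
#######################################
set_permissions() {
  chown -R root:root "$JAIL"
  chown -R http:http "$JAIL/www" "$JAIL/run" "$JAIL/var/log/nginx" "$JAIL/var/lib/nginx"
  chown    http:http "$JAIL/run/nginx.pid"

  # Configuration (and any TLS keys copied under it) is read-only for the
  # service account, so a compromised worker cannot persist by editing
  # nginx.conf.  logs/ stays writable as in the original layout (nginx may
  # write <prefix>/logs/error.log before the configured error_log is opened
  # -- verify against the Arch build if you tighten this further).
  chown -R root:http "$JAIL/etc/nginx"
  find "$JAIL/etc/nginx" -type d -exec chmod 0750 {} +
  find "$JAIL/etc/nginx" -type f -exec chmod 0640 {} +
  chown http:http "$JAIL/etc/nginx/logs"

  # Root-owned directories: traversable but not listable; root-owned files in
  # /etc never executable.  -exec ... + avoids xargs word-splitting on paths.
  find "$JAIL"         -uid 0 -gid 0 -type d -exec chmod -rw {} +
  find "$JAIL"         -uid 0 -gid 0 -type d -exec chmod +x  {} +
  find "$JAIL/etc"     -uid 0 -gid 0 -type f -exec chmod -x  {} +
  find "$JAIL/usr/bin" -type f                -exec chmod ug+rx {} +
  find "$JAIL" -user http -group http         -exec chmod o-rwx {} +

  # No secrets in these (locked "x" entries), but keep the conventional mode.
  chmod 0600 "$JAIL/etc/shadow" "$JAIL/etc/gshadow"
  # Explicit modes: the original "chmod +rw" left /tmp unwritable by http
  # under umask 022 (o+w is masked out of who-less symbolic modes).
  chmod 1777 "$JAIL/tmp"
  chmod 0755 "$JAIL/run"

  # Lets the unprivileged http user bind :80/:443.  File capabilities are
  # only honoured if the filesystem holding $JAIL is not mounted nosuid.
  setcap 'cap_net_bind_service=+ep' "$JAIL/usr/bin/nginx"
}

main() {
  if (( EUID != 0 )); then
    printf '%s: must be run as root\n' "${0##*/}" >&2
    exit 1
  fi

  # --needed: a re-run on an up-to-date host does not reinstall the package.
  pacman -S --needed nginx

  make_devices
  make_tree
  mount_tmpfs
  populate
  make_accounts
  set_permissions

  printf 'Install the chroot-aware nginx.service in /etc/systemd/system, then run: systemctl daemon-reload && systemctl enable --now nginx\n' >&2

  # Remove the host package so only the jailed copy exists.  After this,
  # pacman no longer tracks nginx; re-running this script (which reinstalls,
  # re-copies and removes again) is how the jail gets updated.
  pacman -Rsc nginx
}

main "$@"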
nginx.service
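# /etc/systemd/system/nginx.service
#
# Runs the nginx copy installed by nginx-jail.sh inside the /srv/http chroot.
# Exec*= paths are resolved inside RootDirectory=; PIDFile= is a host path
# (the jail's /run/nginx.pid).  User=http is resolved on the host, so the
# jail's /etc/passwd must carry the same uid (nginx-jail.sh copies it).

[Unit]
Description=Nginx (Chroot)
# syslog.target is obsolete on systemd hosts and was dropped.
After=network.target

[Service]
Type=forking
PIDFile=/srv/http/run/nginx.pid
RootDirectory=/srv/http
User=http
Group=http
# Grant only the capability needed to bind :80/:443, and nothing else.
# With NoNewPrivileges= set, execve no longer honours the file capability
# that nginx-jail.sh puts on the binary, so the capability is granted here
# as an ambient one instead; the bounding set stops the process from ever
# acquiring anything beyond it.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ExecStartPre=/usr/bin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/bin/nginx -c /etc/nginx/nginx.conf
ExecReload=/usr/bin/nginx -c /etc/nginx/nginx.conf -s reload
ExecStop=/usr/bin/nginx -c /etc/nginx/nginx.conf -s stop

[Install]
WantedBy=multi-user.target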
