Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Setup a CHROOT jail at `/srv/http` for a public Nginx server on Arch Linux.
pacman -S nginx
export JAIL=/srv/http
# Create Necessary Devices
mkdir $JAIL/dev
mknod -m 0666 $JAIL/dev/null c 1 3
mknod -m 0666 $JAIL/dev/random c 1 8
mknod -m 0444 $JAIL/dev/urandom c 1 9
# Create Necessary Folders
mkdir -p $JAIL/etc/nginx/logs
mkdir -p $JAIL/usr/{lib,bin}
mkdir -p $JAIL/usr/share/nginx
mkdir -p $JAIL/var/{log,lib}/nginx
mkdir -p $JAIL/www/cgi-bin
mkdir -p $JAIL/{run,tmp}
cd $JAIL
ln -s usr/lib lib
ln -s usr/lib lib64
ln -s usr/lib usr/lib64
ln -s usr/bin bin
# Mount tmpfs
mount -t tmpfs none $JAIL/run -o 'noexec,size=1M'
mount -t tmpfs none $JAIL/tmp -o 'noexec,size=100M'
touch $JAIL/etc/fstab
echo 'tmpfs /srv/http/run tmpfs rw,noexec,relatime,size=1024k 0 0' >> $JAIL/etc/fstab
echo 'tmpfs /srv/http/tmp tmpfs rw,noexec,relatime,size=102400k 0 0' >> $JAIL/etc/fstab
# Populate the chroot
cp -r /usr/share/nginx/* $JAIL/usr/share/nginx
cp -r /usr/share/nginx/html/* $JAIL/www
cp /usr/bin/nginx $JAIL/usr/bin/
cp -r /var/lib/nginx $JAIL/var/lib/nginx
cp /usr/bin/false $JAIL/bin
cp /lib64/ $JAIL/lib
cp $(ldd /usr/bin/nginx | grep /usr/lib | sed -sre 's/(.+)(\/usr\/lib\/\S+).+/\2/g') $JAIL/usr/lib
cp /usr/lib/libnss_* $JAIL/usr/lib
cp -rfvL /etc/{services,localtime,nsswitch.conf,nscd.conf,protocols,hosts,,,resolv.conf,host.conf,nginx} $JAIL/etc
touch $JAIL/etc/{group,passwd,shadow,gshadow}
echo http:x:33: >> $JAIL/etc/group
echo nobody:x:99: >> $JAIL/etc/group
echo http:x:33:33:http:/:/bin/false >> $JAIL/etc/passwd
echo nobody:x:99:99:nobody:/:/bin/false >> $JAIL/etc/passwd
echo http:x:14871:::::: >> $JAIL/etc/shadow
echo nobody:x:14871:::::: >> $JAIL/etc/shadow
echo http::: >> $JAIL/etc/gshadow
echo nobody::: >> $JAIL/etc/gshadow
touch $JAIL/etc/shells
touch $JAIL/run/
chown -R root:root $JAIL/
chown -R http:http $JAIL/{www,run}
chown -R http:http $JAIL/etc/nginx
chown -R http:http $JAIL/var/{log,lib}/nginx
chown http:http $JAIL/run/
find $JAIL/ -gid 0 -uid 0 -type d -print | xargs chmod -rw
find $JAIL/ -gid 0 -uid 0 -type d -print | xargs chmod +x
find $JAIL/etc -gid 0 -uid 0 -type f -print | xargs chmod -x
find $JAIL/usr/bin -type f -print | xargs chmod ug+rx
find $JAIL/ -group http -user http -print | xargs chmod o-rwx
chmod +rw $JAIL/tmp
chmod +rw $JAIL/run
setcap 'cap_net_bind_service=+ep' $JAIL/usr/bin/nginx
# Modify nginx.service to start chroot
echo Install modified nginx.service script in /etc/systemd/system
pacman -Rsc nginx
Description=Nginx (Chroot)
ExecStartPre=/usr/bin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/bin/nginx -c /etc/nginx/nginx.conf
ExecReload=/usr/bin/nginx -c /etc/nginx/nginx.conf -s reload
ExecStop=/usr/bin/nginx -c /etc/nginx/nginx.conf -s stop

adityamukho commented Nov 8, 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment