Set up a chroot jail at `/srv/http` for a public Nginx server on Arch Linux. Note that the jailed copies of nginx and its shared libraries are not tracked by pacman (the host package is removed at the end), so they must be re-copied into the jail after every host update.
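#!/usr/bin/env bash
#
# Build a chroot jail under $JAIL (default /srv/http) containing a copy of the
# Arch Linux nginx package, the shared libraries it links against and just
# enough of /etc for name and user lookups, then remove the package from the
# host.  Pair it with the chroot-aware nginx.service shown below the script
# (RootDirectory=/srv/http, User=http).
#
# Must run as root.  Re-running is safe: directories, device nodes, symlinks,
# tmpfs mounts and account/fstab entries are only created when missing.
#
# Caveats:
#   - Everything copied into the jail (nginx, ld.so, libc, libnss_*, /etc
#     snippets) is no longer tracked by pacman and gets no security updates;
#     re-run the "Populate the chroot" section after every host upgrade.
#   - The jailed nginx runs entirely as the http user, so the configuration
#     is kept root-owned: a compromised worker must not be able to plant
#     directives that survive a reload.
#   - The uid/gid 33 written into the jail's passwd/group must match the
#     host's http account, because chown below resolves "http" on the host.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# make_dev PATH MODE MAJOR MINOR — create a character device unless present.
make_dev() {
  local path=$1 mode=$2 major=$3 minor=$4
  [[ -e "$path" ]] || mknod -m "$mode" "$path" c "$major" "$minor"
}

# mount_tmpfs DIR SIZE — mount a noexec tmpfs on DIR unless one is there.
mount_tmpfs() {
  local dir=$1 size=$2
  mountpoint -q "$dir" || mount -t tmpfs -o "noexec,size=$size" none "$dir"
}

# add_line FILE LINE — append LINE to FILE unless an identical line exists.
add_line() {
  local file=$1 line=$2
  touch "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

(( EUID == 0 )) || die "this script must run as root"

pacman -S --needed nginx

export JAIL="${JAIL:-/srv/http}"

# --- Device nodes -----------------------------------------------------------
mkdir -p "$JAIL/dev"
make_dev "$JAIL/dev/null"    0666 1 3
make_dev "$JAIL/dev/random"  0666 1 8
make_dev "$JAIL/dev/urandom" 0444 1 9   # nginx only ever reads it

# --- Directory skeleton -----------------------------------------------------
mkdir -p "$JAIL"/etc/nginx/logs \
         "$JAIL"/usr/{lib,bin} \
         "$JAIL"/usr/share/nginx \
         "$JAIL"/var/{log,lib}/nginx \
         "$JAIL"/www/cgi-bin \
         "$JAIL"/{run,tmp}

# Arch's merged-/usr layout: /lib, /lib64, /bin and /usr/lib64 are symlinks.
# -n keeps a re-run from creating usr/lib/lib inside the existing link target.
ln -sfn usr/lib "$JAIL/lib"
ln -sfn usr/lib "$JAIL/lib64"
ln -sfn usr/lib "$JAIL/usr/lib64"
ln -sfn usr/bin "$JAIL/bin"

# --- tmpfs for run/ and tmp/ -------------------------------------------------
mount_tmpfs "$JAIL/run" 1M
mount_tmpfs "$JAIL/tmp" 100M
# Persist both mounts across reboots.  They belong in the HOST's /etc/fstab:
# an fstab inside the jail is never consulted by anything.
add_line /etc/fstab "tmpfs $JAIL/run tmpfs rw,noexec,relatime,size=1024k 0 0"
add_line /etc/fstab "tmpfs $JAIL/tmp tmpfs rw,noexec,relatime,size=102400k 0 0"

# --- Populate the chroot ----------------------------------------------------
# Trailing "/." copies the directory contents rather than nesting a second
# nginx/ directory inside the already-created target.
cp -r /usr/share/nginx/.      "$JAIL/usr/share/nginx/"
cp -r /usr/share/nginx/html/. "$JAIL/www/"
cp    /usr/bin/nginx          "$JAIL/usr/bin/"
cp -r /var/lib/nginx/.        "$JAIL/var/lib/nginx/"
cp    /usr/bin/false          "$JAIL/bin/"
# The dynamic loader is the only dependency that lives outside /usr/lib.
cp /lib64/ld-linux-x86-64.so.2 "$JAIL/lib/"
# Every shared object nginx links against under /usr/lib (any field of the
# ldd output that starts with /usr/lib/).
mapfile -t libs < <(ldd /usr/bin/nginx \
  | awk '{ for (i = 1; i <= NF; i++) if ($i ~ "^/usr/lib/") print $i }')
(( ${#libs[@]} > 0 )) || die "ldd found no /usr/lib dependencies for nginx"
cp "${libs[@]}" "$JAIL/usr/lib/"
# NSS modules so getpwnam()/getaddrinfo() work with the nsswitch.conf below.
cp /usr/lib/libnss_* "$JAIL/usr/lib/"
# -L dereferences symlinks such as /etc/localtime and /etc/resolv.conf, which
# would otherwise dangle inside the jail.
cp -rfvL /etc/{services,localtime,nsswitch.conf,nscd.conf,protocols,hosts,ld.so.cache,ld.so.conf,resolv.conf,host.conf,nginx} "$JAIL/etc/"

# --- Minimal account database ------------------------------------------------
# Only the http and nobody accounts exist inside the jail; the shadow entries
# are placeholders with no password hash.
add_line "$JAIL/etc/group"   'http:x:33:'
add_line "$JAIL/etc/group"   'nobody:x:99:'
add_line "$JAIL/etc/passwd"  'http:x:33:33:http:/:/bin/false'
add_line "$JAIL/etc/passwd"  'nobody:x:99:99:nobody:/:/bin/false'
add_line "$JAIL/etc/shadow"  'http:x:14871::::::'
add_line "$JAIL/etc/shadow"  'nobody:x:14871::::::'
add_line "$JAIL/etc/gshadow" 'http:::'
add_line "$JAIL/etc/gshadow" 'nobody:::'
touch "$JAIL/etc/shells"
touch "$JAIL/run/nginx.pid"

# --- Ownership ---------------------------------------------------------------
chown -R root:root "$JAIL"
# Only what nginx must write is owned by the service user: the document root
# (NOTE: make it root-owned with o+rX instead if nothing needs to write
# there), the pid dir, the log dirs and the temp-file dir.  /etc/nginx itself
# stays root-owned and merely readable, so a compromised worker cannot rewrite
# the configuration the master reloads.
chown -R http:http "$JAIL"/{www,run} "$JAIL"/var/{log,lib}/nginx
chown -R http:http "$JAIL/etc/nginx/logs"
chown    http:http "$JAIL/run/nginx.pid"

# --- Modes -------------------------------------------------------------------
# Root-owned directories are traverse-only (0111): nginx opens files by path
# and never needs to list them.  Root-owned files under /etc lose any exec
# bit, the binaries stay executable, and everything the http user owns is
# hidden from "other".  Explicit octal modes replace the original
# "chmod +rw"/"chmod -rw" forms, whose who-less variants depend on the umask.
find "$JAIL"          -uid 0 -gid 0 -type d -print0 | xargs -0 chmod 0111
find "$JAIL/etc"      -uid 0 -gid 0 -type f -print0 | xargs -0 chmod a-x
find "$JAIL/usr/bin"  -type f -print0              | xargs -0 chmod ug+rx
find "$JAIL"          -user http -group http -print0 | xargs -0 chmod o-rwx
chmod 0600 "$JAIL"/etc/{shadow,gshadow}   # placeholders, but keep the usual modes
chmod 1777 "$JAIL/tmp"   # world-writable scratch space needs the sticky bit
chmod 0755 "$JAIL/run"   # owned by http; no reason for it to be world-writable

# Let the jailed nginx bind ports < 1024 while running as http.  This must
# come after the chown calls (chown clears file capabilities).  Do not add
# NoNewPrivileges=true to the unit: the kernel then ignores file capabilities.
setcap 'cap_net_bind_service=+ep' "$JAIL/usr/bin/nginx"

# --- Host-side cleanup -------------------------------------------------------
printf '%s\n' 'Install modified nginx.service script in /etc/systemd/system'
# The host package is now redundant because the jail carries its own copy.
# -Rsc also removes packages that depend on nginx — review the list pacman
# prints before confirming.
pacman -Rsc nginx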
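# /etc/systemd/system/nginx.service
#
# Runs the nginx copied into the /srv/http jail (built by the script above)
# as the unprivileged http user.  Paths in Exec*= and in the nginx config are
# resolved inside RootDirectory=; PIDFile= is read by the service manager,
# which is why it carries the /srv/http prefix (as in the original unit).
[Unit]
Description=Nginx (Chroot)
# syslog.target is obsolete in current systemd; network.target is enough.
After=network.target

[Service]
Type=forking
PIDFile=/srv/http/run/nginx.pid
RootDirectory=/srv/http
User=http
Group=http
# The binary carries cap_net_bind_service via setcap; restricting the
# bounding set makes that the only capability the service could ever hold.
# Do NOT add NoNewPrivileges=true: it makes the kernel ignore file
# capabilities and nginx would then fail to bind ports below 1024.  On
# systemd >= 229, AmbientCapabilities=CAP_NET_BIND_SERVICE can replace the
# setcap step on the binary.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ExecStartPre=/usr/bin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/bin/nginx -c /etc/nginx/nginx.conf
ExecReload=/usr/bin/nginx -c /etc/nginx/nginx.conf -s reload
ExecStop=/usr/bin/nginx -c /etc/nginx/nginx.conf -s stop

[Install]
WantedBy=multi-user.target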