Skip to content

Instantly share code, notes, and snippets.

@madrzejewski madrzejewski/all the commands used in the article.sh
Last active Nov 1, 2015

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Raw
all the commands used in the article.sh
# All the command used here : http://blog.madrzejewski.com/faire-fonctionner-curl-en-https-dans-un-environnement-php-fpm-chroote
# Centos 7.1, the libs named may changed in the future, so don't just copy/paste and check on your system first
# First example, chroot bash
mkdir chroot_bash
mkdir -p chroot_bash/usr/bin
cp /usr/bin/bash chroot_bash/usr/bin
chroot chroot_bash/ bash
chroot: failed to run command ‘bash’: No such file or directory
ldd /usr/bin/bash
linux-vdso.so.1 => (0x00007fff22d80000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f15009d9000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f15007d5000)
libc.so.6 => /lib64/libc.so.6 (0x00007f1500413000)
/lib64/ld-linux-x86-64.so.2 (0x00007f1500c0d000)
mkdir chroot_bash/lib64
cp /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 chroot_bash/lib64/
chroot chroot_bash/ bash
bash-4.2# pwd
/
bash-4.2# ls
bash: ls: command not found
# Chroot php-fpm
useradd -md /home/tuto tuto
mkdir /home/tuto/www
wget http://fr.wordpress.org/latest-fr_FR.zip
unzip latest-fr_FR.zip && mv wordpress/* /home/tuto/www
rm -rf wordpress/ latest-fr_FR.zip
chwon -R tuto: ~tuto
mkdir -p /home/tuto/{etc,usr/share,var/lib/php/session,var/log/php-fpm,tmp,lib64,lib,bin,dev}
cp -r /usr/share/zoneinfo /home/tuto/usr/share/
cp -r /etc/ld.so.cache /etc/resolv.conf /etc/ld.so.conf /etc/nsswitch.conf /etc/hosts /etc/localtime /home/tuto/etc/
mkdir -p /home/tuto/var/lib/mysql && touch /home/tuto/var/lib/mysql/mysql.sock
chown -R tuto: ~tuto
mount --bind /var/lib/mysql/mysql.sock /home/tuto/var/lib/mysql/mysql.sock
mknod /home/tuto/dev/null c 1 3 -m 666
# Problems with SSL and the DNS resolution
cp -vaR /lib64/libdns-export.so.100.1.1 /lib64/libdns.so.100.1.1 /lib64/libnss_dns-2.17.so .
cd /home/tuto/lib64
ln -s libdns-export.so.100.1.1 libdns-export.so.100
ln -s libdns.so.100.1.1 libdns.so.100
ln -s libnss_dns.so libnss_dns.so.2
ln -s libnss_dns-2.17.so libnss_dns.so
# An quick example on how to use strace
ps -ef |grep php-fpm
strace -p PID_PROCESSUS 2> logs_
# Let's continue with the dns problem
cp -vaR /etc/pki /home/tuto/etc/
cp -vaR /lib64/nss /home/tuto/lib64
# Another strace example to show the ssl problem
strace chroot /home/tuto /bin/curl -v https://google.com 2> logs_3
# SSL solution
cp /lib64/libsoftokn3.so /lib64/libnss3.so /etc/alternatives/libnssckbi.so.x86_64 /lib64/libnss_compat-2.17.so /lib64/libnss_compat.so.2 /lib64/libnss_db-2.17.so /lib64/libnss_db.so.2 libnss_db-2.17.so /lib64/libfreeblpriv3.so /lib64/libnss_dns-2.17.so /lib64/libnss_files-2.17.so /lib64/libnss_hesiod-2.17.so /lib64/libnss_myhostname.so.2 /lib64/libnss_nis-2.17.so /lib64/libnss_nisplus-2.17.so /lib64/libnsspem.so /lib64/libnss_sss.so.2 /lib64/libnsssysinit.so /lib64/libnssutil3.so /home/tuto/lib64
cp /lib64/libsqlite3.so.0 /lib64/libsqlite3.so.0.8.6 tuto/lib64/
Raw
lddCopy.sh
#!/bin/bash
# Be careful, do not use in production
# Just a quick script for messing around with chroot and ldd
usage(){
echo "Usage : $0 cmd_name homedir"
echo "Example : $0 cp /home/alex"
exit 1
}
error(){
test "$1" == "" && (echo "An unknow error occurded" ; exit 1)
echo "$1" ; exit 1
}
# $1 : cmd
findCmdPath(){
oldIFS=$IFS
IFS=$':'
for dir in $PATH ; do
fullPath=$(find $dir -name $1 2> /dev/null)
test "$fullPath" != "" && (echo $fullPath ; return)
done
}
# $1 : fullPath of cmd
# I tried others commands to find the full/real path for a symlink
# for example "readlink" but it was not working properly for my usage
# I just wanted the "first degree" of symlink so ls -l worked fine for this
findLibs(){
ldd $1 |tr -d '\t'| tr -d ' ' |cut -d '>' -f 2|cut -d '(' -f 1|grep -E '^/' 2> /dev/null || error "LDD error"
}
# $1 : lib path (or symlink)
# $2 : homedir without the trailing /
copyLib(){
if test -L $1 ; then
# symlink
currentPath=$(dirname $1)
# copy the symlink
mkdir -p $2$currentPath 2> /dev/null
cp -va $1 $2$currentPath
# find the real file
realFile=$(ls -lh $1 | tr -d ' ' | cut -d '>' -f 2)
realFile=$currentPath'/'$realFile
mkdir -p $2$currentPath 2> /dev/null
cp -va $realFile $2$currentPath
else
# file
currentPath=$(dirname $1)
mkdir -p $2$currentPath 2> /dev/null
cp -va $1 $2$currentPath
fi
}
# Tests
test "$#" != 2 && usage
cmdPath=$(findCmdPath $1)
test "$cmdPath" == "" && error "$1 was not found in the PATH"
homeDir=$(echo $2 | sed 's:/*$::') # remove the trailing /
test ! -d "$homeDir" && error "$homeDir is not a directory"
# main
for lib in $(findLibs $cmdPath) ; do
copyLib $lib $homeDir
done
Raw
tuto.conf
[tuto]
listen = /var/run/tuto.sock
listen.allowed_clients = 127.0.0.1
listen.owner = nginx
listen.group = nginx
user = tuto
group = tuto
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
slowlog = /var/log/php-fpm/tuto-slow.log
chroot = /home/tuto
chdir = /www
env[HOSTNAME] = $HOSTNAME
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_flag[display_errors] = on
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
Raw
vhost.conf
server {
listen 80;
server_name tuto.madrzejewski.com;
root /home/tuto/www;
access_log /var/log/nginx/tuto.madrzejewski.com-access.log;
error_log /var/log/nginx/tuto.madrzejewski.com-error.log;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# auth for admin directory
location /wp-admin/ {
auth_basic "Access restreint";
auth_basic_user_file /etc/nginx/htpasswd/passwd;
}
# no PHP in upload directory
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# hide sensitive files
#location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
#{
# return 444;
#}
# no cgi
location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}
# no access to specific files
location ~ /(\.|wp-config.php|readme.html|license.txt) {
deny all;
}
location / {
# This is cool because no php is touched for static content.
# include the "?$args" part so non-default permalinks doesn't break when using query string
try_files $uri $uri/ /index.php?$args;
}
# no weird request
if ($request_method !~ ^(GET|HEAD|POST)$ )
{
return 444;
}
location ~ [^/]\.php(/|$) {
include /etc/nginx/fastcgi.conf;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
#fastcgi_pass 127.0.0.1:9000;
# debug test chroot phpfpm
fastcgi_param SCRIPT_FILENAME /www/$fastcgi_script_name;
fastcgi_pass unix:/var/run/tuto.sock;
fastcgi_index index.php;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.