[PATCH] Add chroot option and functionality

opal hart
February 16, 2017 03:14PM
Hi,

This patch adds a chroot feature to nginx, which lighttpd and Apache
have had for a while, and which would be useful to allow for the nginx
binary and config files to live outside the jail directory.

# HG changeset patch
# User opal hart <wowaname@volatile.ch>
# Date 1487274704 0
# Thu Feb 16 19:51:44 2017 +0000
# Node ID 58e50038746aecdad10518afeccbfee66f91ac22
# Parent 05fd0dc8f0dc808219f727dd18a5da2f078c4073
Add 'chroot' config option and functionality

diff -r 05fd0dc8f0dc -r 58e50038746a src/core/nginx.c
--- a/src/core/nginx.c Thu Feb 16 18:37:22 2017 +0300
+++ b/src/core/nginx.c Thu Feb 16 19:51:44 2017 +0000
@@ -89,6 +89,13 @@
offsetof(ngx_core_conf_t, debug_points),
&ngx_debug_points },

+ { ngx_string("chroot"),
+ NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ 0,
+ offsetof(ngx_core_conf_t, chroot),
+ NULL },
+
{ ngx_string("user"),
NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE12,
ngx_set_user,
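Review bot: the new `chroot` entry is wired to the generic ngx_conf_set_str_slot with a NULL post handler, so the value is stored exactly as written and nothing at configuration time checks that it is an absolute path or names a directory. A bad value only surfaces later, when the code in ngx_process_cycle.c calls exit(2). A dedicated setter, as `user` has with ngx_set_user just below, could reject empty or relative values while the config is parsed. The patch also carries no documentation for the directive; it should state that paths resolved after the chroot() call are interpreted relative to the new root.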
@@ -1009,6 +1016,7 @@
* ccf->cpu_affinity_auto = 0;
* ccf->cpu_affinity_n = 0;
* ccf->cpu_affinity = NULL;
+ * ccf->chroot = NULL;
*/

ccf->daemon = NGX_CONF_UNSET;
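Review bot: the added comment line `ccf->chroot = NULL;` does not match the field's type. The ngx_cycle.h hunk declares it as ngx_str_t, so the zeroed state is a length of 0 with a NULL data pointer; writing `ccf->chroot = { 0, NULL };` would describe it accurately. The later test on ccf->chroot.len relies on exactly this zero default, so it is worth stating precisely.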
diff -r 05fd0dc8f0dc -r 58e50038746a src/core/ngx_cycle.h
--- a/src/core/ngx_cycle.h Thu Feb 16 18:37:22 2017 +0300
+++ b/src/core/ngx_cycle.h Thu Feb 16 19:51:44 2017 +0000
@@ -101,6 +101,7 @@
ngx_uint_t cpu_affinity_n;
ngx_cpuset_t *cpu_affinity;

+ ngx_str_t chroot;
char *username;
ngx_uid_t user;
ngx_gid_t group;
diff -r 05fd0dc8f0dc -r 58e50038746a src/os/unix/ngx_process_cycle.c
--- a/src/os/unix/ngx_process_cycle.c Thu Feb 16 18:37:22 2017 +0300
+++ b/src/os/unix/ngx_process_cycle.c Thu Feb 16 19:51:44 2017 +0000
@@ -829,6 +829,20 @@
}

if (geteuid() == 0) {
+ if (ccf->chroot.len) {
+ if (chdir((char *) ccf->chroot.data) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "chdir(%s) failed", ccf->chroot);
+ /* fatal */
+ exit(2);
+ }
+ if (chroot((char *) ccf->chroot.data) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "chroot(%s) failed", (char *)
ccf->chroot.data);
+ /* fatal */
+ exit(2);
+ }
+ }
if (setgid(ccf->group) == -1) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
"setgid(%d) failed", ccf->group);

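Review bot: in the chdir() error path the log call passes the ngx_str_t struct itself to a %s conversion (`"chdir(%s) failed", ccf->chroot`), while the chroot() branch passes `(char *) ccf->chroot.data`; pass the data pointer here as well, or use %V with &ccf->chroot. Two further points on this block. It sits inside `if (geteuid() == 0)`, so a configured chroot is silently skipped when the process is not running as root, leaving it unjailed with no log line; an operator who set the directive would expect a warning or a failed start. And because the same string is handed to chdir() and then to chroot(), a relative value is resolved twice, the second time from inside the directory just entered; calling chroot() first and then chdir("/"), or rejecting non-absolute paths at config time, avoids that.
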
--
wowaname
http://wowana.me/pgp.htm
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel