[PATCH] Add chroot option and functionality

opal hart wowaname at volatile.ch
Thu Feb 16 20:12:40 UTC 2017


Hi,

This patch adds a chroot feature to nginx, something lighttpd and Apache
have had for a while. It is useful because it allows the nginx binary and
config files to live outside the jail directory.

# HG changeset patch
# User opal hart <wowaname at volatile.ch>
# Date 1487274704 0
#      Thu Feb 16 19:51:44 2017 +0000
# Node ID 58e50038746aecdad10518afeccbfee66f91ac22
# Parent  05fd0dc8f0dc808219f727dd18a5da2f078c4073
Add 'chroot' config option and functionality

diff -r 05fd0dc8f0dc -r 58e50038746a src/core/nginx.c
--- a/src/core/nginx.c  Thu Feb 16 18:37:22 2017 +0300
+++ b/src/core/nginx.c  Thu Feb 16 19:51:44 2017 +0000
@@ -89,6 +89,13 @@
       offsetof(ngx_core_conf_t, debug_points),
       &ngx_debug_points },

+    { ngx_string("chroot"),
+      NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      0,
+      offsetof(ngx_core_conf_t, chroot),
+      NULL },
+
     { ngx_string("user"),
       NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE12,
       ngx_set_user,
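Review bot: The new `chroot` entry stores its argument verbatim through `ngx_conf_set_str_slot`, so nothing rejects or normalises a relative path before the worker passes it to chdir() and chroot(). A relative value would be resolved against whatever the working directory is at that moment, and because this patch calls chdir() first, the following chroot() of the same relative string would resolve inside the directory just entered. I would resolve it once at configuration time, for example in the core module's init_conf (outside this hunk): `if (ccf->chroot.len && ngx_conf_full_name(cycle, &ccf->chroot, 0) != NGX_OK) { return NGX_CONF_ERROR; }`. The directive also needs documentation stating that it only takes effect when workers start as root and that paths opened by workers afterwards are interpreted inside the jail.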
@@ -1009,6 +1016,7 @@
      *     ccf->cpu_affinity_auto = 0;
      *     ccf->cpu_affinity_n = 0;
      *     ccf->cpu_affinity = NULL;
+     *     ccf->chroot = NULL;
      */

     ccf->daemon = NGX_CONF_UNSET;
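Review bot: The added comment line `ccf->chroot = NULL;` does not match the field's type, since this patch declares `chroot` as `ngx_str_t` in ngx_cycle.h, a length/pointer pair rather than a bare pointer. The comment appears to list what zero-filled allocation leaves in each field, so it should read `ccf->chroot = { 0, NULL };`. The enclosing function starts and ends outside the hunk.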
diff -r 05fd0dc8f0dc -r 58e50038746a src/core/ngx_cycle.h
--- a/src/core/ngx_cycle.h      Thu Feb 16 18:37:22 2017 +0300
+++ b/src/core/ngx_cycle.h      Thu Feb 16 19:51:44 2017 +0000
@@ -101,6 +101,7 @@
     ngx_uint_t                cpu_affinity_n;
     ngx_cpuset_t             *cpu_affinity;

+    ngx_str_t                 chroot;
     char                     *username;
     ngx_uid_t                 user;
     ngx_gid_t                 group;
diff -r 05fd0dc8f0dc -r 58e50038746a src/os/unix/ngx_process_cycle.c
--- a/src/os/unix/ngx_process_cycle.c   Thu Feb 16 18:37:22 2017 +0300
+++ b/src/os/unix/ngx_process_cycle.c   Thu Feb 16 19:51:44 2017 +0000
@@ -829,6 +829,20 @@
     }

     if (geteuid() == 0) {
+        if (ccf->chroot.len) {
+            if (chdir((char *) ccf->chroot.data) == -1) {
+                ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+                              "chdir(%s) failed", ccf->chroot);
+                /* fatal */
+                exit(2);
+            }
+            if (chroot((char *) ccf->chroot.data) == -1) {
+                ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+                              "chroot(%s) failed", (char *)
ccf->chroot.data);
+                /* fatal */
+                exit(2);
+            }
+        }
         if (setgid(ccf->group) == -1) {
             ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
                           "setgid(%d) failed", ccf->group);
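Review bot: The chdir failure message on the added line `"chdir(%s) failed", ccf->chroot` passes the whole `ngx_str_t` by value where `%s` expects a pointer to a NUL-terminated string, so the error path itself is undefined behaviour; use `%V` with `&ccf->chroot`, or `%s` with `ccf->chroot.data` as the chroot message does. Because the whole block sits inside `if (geteuid() == 0)`, a configured `chroot` is silently skipped when the process is not root and the worker runs unjailed with no log entry; that should at least be logged, and failing closed is safer for a confinement option. Calling chroot() first and then `chdir("/")` is the usual order and does not depend on the path being absolute. The chroot message is also wrapped across two lines in the mail, so the patch as posted will likely not apply. The function begins and ends outside the hunk.

```c
    if (ccf->chroot.len && geteuid() != 0) {
        ngx_log_error(NGX_LOG_EMERG, cycle->log, 0,
                      "the \"chroot\" directive requires super-user "
                      "privileges");
        /* fatal: do not run a worker outside the requested jail */
        exit(2);
    }

    if (geteuid() == 0) {
        if (ccf->chroot.len) {
            if (chroot((char *) ccf->chroot.data) == -1) {
                ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
                              "chroot(\"%V\") failed", &ccf->chroot);
                /* fatal */
                exit(2);
            }

            /* leave no working directory that refers outside the new root */
            if (chdir("/") == -1) {
                ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
                              "chdir(\"/\") after chroot(\"%V\") failed",
                              &ccf->chroot);
                /* fatal */
                exit(2);
            }
        }
        /* … unchanged: setgid(ccf->group) check … */
```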

-- 
wowaname
http://wowana.me/pgp.htm

