[PATCH] Add chroot option and functionality
opal hart
wowaname at volatile.ch
Thu Feb 16 20:12:40 UTC 2017
Hi,
This patch adds a chroot feature to nginx, which lighttpd and Apache
have had for a while, and which would be useful to allow for the nginx
binary and config files to live outside the jail directory.
# HG changeset patch
# User opal hart <wowaname at volatile.ch>
# Date 1487274704 0
# Thu Feb 16 19:51:44 2017 +0000
# Node ID 58e50038746aecdad10518afeccbfee66f91ac22
# Parent 05fd0dc8f0dc808219f727dd18a5da2f078c4073
Add 'chroot' config option and functionality
diff -r 05fd0dc8f0dc -r 58e50038746a src/core/nginx.c
--- a/src/core/nginx.c Thu Feb 16 18:37:22 2017 +0300
+++ b/src/core/nginx.c Thu Feb 16 19:51:44 2017 +0000
@@ -89,6 +89,13 @@
offsetof(ngx_core_conf_t, debug_points),
&ngx_debug_points },
+ { ngx_string("chroot"),
+ NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ 0,
+ offsetof(ngx_core_conf_t, chroot),
+ NULL },
+
{ ngx_string("user"),
NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE12,
ngx_set_user,
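Review bot: The new `chroot` entry stores its argument through `ngx_conf_set_str_slot` with a `NULL` post handler, so nothing rejects a relative path. The later hunk in ngx_process_cycle.c hands the raw string to chdir() and chroot(), where a relative value would be resolved against whatever the current directory happens to be at that point. A custom setter or post handler that requires the value to start with `/` would make the jail location unambiguous. The entry would also benefit from a short comment such as `/* absolute path; applied before setgid(), and only when running as root */`.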
@@ -1009,6 +1016,7 @@
* ccf->cpu_affinity_auto = 0;
* ccf->cpu_affinity_n = 0;
* ccf->cpu_affinity = NULL;
+ * ccf->chroot = NULL;
*/
ccf->daemon = NGX_CONF_UNSET;
diff -r 05fd0dc8f0dc -r 58e50038746a src/core/ngx_cycle.h
--- a/src/core/ngx_cycle.h Thu Feb 16 18:37:22 2017 +0300
+++ b/src/core/ngx_cycle.h Thu Feb 16 19:51:44 2017 +0000
@@ -101,6 +101,7 @@
ngx_uint_t cpu_affinity_n;
ngx_cpuset_t *cpu_affinity;
+ ngx_str_t chroot;
char *username;
ngx_uid_t user;
ngx_gid_t group;
diff -r 05fd0dc8f0dc -r 58e50038746a src/os/unix/ngx_process_cycle.c
--- a/src/os/unix/ngx_process_cycle.c Thu Feb 16 18:37:22 2017 +0300
+++ b/src/os/unix/ngx_process_cycle.c Thu Feb 16 19:51:44 2017 +0000
@@ -829,6 +829,20 @@
}
if (geteuid() == 0) {
+ if (ccf->chroot.len) {
+ if (chdir((char *) ccf->chroot.data) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "chdir(%s) failed", ccf->chroot);
+ /* fatal */
+ exit(2);
+ }
+ if (chroot((char *) ccf->chroot.data) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "chroot(%s) failed", (char *)
ccf->chroot.data);
+ /* fatal */
+ exit(2);
+ }
+ }
if (setgid(ccf->group) == -1) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
"setgid(%d) failed", ccf->group);
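Review bot: The chdir() failure path passes `ccf->chroot`, an `ngx_str_t` struct, by value to a `%s` conversion, so the log call is handed the wrong argument type exactly when the operator needs the message; use the same argument as the chroot() branch, `"chdir(%s) failed", (char *) ccf->chroot.data);`. Separately, the whole block sits inside `if (geteuid() == 0)`, so a configured `chroot` is silently skipped when the process is not running as root and it continues unjailed; an `else` branch that logs at least a warning when `ccf->chroot.len` is set would make that visible. The chdir-before-chroot order and the placement ahead of setgid() look right, but anything the later privilege-drop code resolves by name (presumably the group database) would then be looked up inside the jail, which is worth confirming since the rest of the function is outside this hunk.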
--
wowaname
http://wowana.me/pgp.htm