[PATCH] Add chroot option and functionality

Maxim Dounin mdounin at mdounin.ru
Fri Feb 17 13:46:14 UTC 2017


Hello!

On Thu, Feb 16, 2017 at 08:12:40PM +0000, opal hart wrote:

> This patch adds a chroot feature to nginx, which lighttpd and Apache
> have had for a while, and which would be useful to allow for the nginx
> binary and config files to live outside the jail directory.
> 
> # HG changeset patch
> # User opal hart <wowaname at volatile.ch>
> # Date 1487274704 0
> #      Thu Feb 16 19:51:44 2017 +0000
> # Node ID 58e50038746aecdad10518afeccbfee66f91ac22
> # Parent  05fd0dc8f0dc808219f727dd18a5da2f078c4073
> Add 'chroot' config option and functionality

[...]

> diff -r 05fd0dc8f0dc -r 58e50038746a src/os/unix/ngx_process_cycle.c
> --- a/src/os/unix/ngx_process_cycle.c   Thu Feb 16 18:37:22 2017 +0300
> +++ b/src/os/unix/ngx_process_cycle.c   Thu Feb 16 19:51:44 2017 +0000
> @@ -829,6 +829,20 @@
>      }
> 
>      if (geteuid() == 0) {
> +        if (ccf->chroot.len) {
> +            if (chdir((char *) ccf->chroot.data) == -1) {
> +                ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
> +                              "chdir(%s) failed", ccf->chroot);
> +                /* fatal */
> +                exit(2);
> +            }
> +            if (chroot((char *) ccf->chroot.data) == -1) {
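
Review bot: In the chdir() failure branch, the ngx_log_error call passes ccf->chroot for a %s conversion, but the surrounding lines use ccf->chroot.len and ccf->chroot.data, so it is a string structure rather than a char pointer. Pass ccf->chroot.data with %s, or &ccf->chroot with nginx's %V conversion, so the emergency log line prints the directory instead of misreading the structure.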

Thank you for your patch.

Unfortunately, there is a huge usability problem with such an
approach: it introduces different meaning for paths in master and 
worker processes.  Meanwhile, many paths are used in both master 
and workers, some paths are used only in master, and some - only 
in workers.  And currently there is no way for a user to find out 
where paths are going to be used - without digging into the source 
code.  This all leads to unavoidable confusion of users and very 
bad user experience.

Earlier attempts to introduce such an option also tried to 
seamlessly convert paths if it is possible, this may be a slightly 
better approach.

-- 
Maxim Dounin
http://nginx.org/
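
The path conversion mentioned in the reply above, as an added example that is not part of the thread or of nginx: it maps a path as the master process sees it to the path a chrooted worker would have to use, and refuses paths outside the jail. The function name `jail_translate`, the jail directory and the sample paths are assumptions; symlinks are not resolved.

```c
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical helper (not nginx code): translate a path as written in the
 * configuration (master's view) into the path a chrooted worker must use.
 * Returns 0 and writes the worker-side path to out, or -1 when the path
 * lies outside the jail or does not fit in out.
 */
int
jail_translate(const char *jail, const char *path, char *out, size_t outsz)
{
    size_t       jlen = strlen(jail);
    size_t       rlen;
    const char  *rest;

    /* ignore trailing slashes on the jail directory: "/srv/jail/" */
    while (jlen > 1 && jail[jlen - 1] == '/') {
        jlen--;
    }

    /* both must be absolute; conservatively reject components starting ".." */
    if (jail[0] != '/' || path[0] != '/' || strstr(path, "/..") != NULL) {
        return -1;
    }

    if (jlen == 1) {
        rest = path;               /* jail is "/": nothing changes */
    } else {
        if (strncmp(path, jail, jlen) != 0) {
            return -1;             /* master-only path, unreachable in worker */
        }
        rest = path + jlen;
        /* component boundary: "/srv/jail2/x" is not inside "/srv/jail" */
        if (*rest != '\0' && *rest != '/') {
            return -1;
        }
        if (*rest == '\0') {
            rest = "/";            /* the jail directory itself */
        }
    }

    rlen = strlen(rest);
    if (rlen + 1 > outsz) {
        return -1;
    }
    memcpy(out, rest, rlen + 1);
    return 0;
}
```

A -1 result marks exactly the case the reply warns about: a configured path that is valid in the master but has no equivalent inside the worker's jail.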

