how to chroot nginx

Mansoor Peerbhoy mansoor at zimbra.com
Mon Sep 1 13:14:53 MSD 2008


The process model of NGINX would make it almost impossible for the NGINX worker process itself to chroot. 

The reason for this is that an NGINX worker process uses a set of asynchronous handlers to convey the impression of simultaneous request processing. 
When a process calls chroot(), it is impossible to get back out of the new root, unless a directory outside the root was opened (opendir/dirfd) before the chroot. 
Since a worker process in NGINX doesn't exit() on its own, chroot()ing it would not be a good idea. 

Given the NGINX architecture, it is all but impossible to implement chroot, say, based on a virtual host, etc. 

Executing other programs, on the other hand, is a different topic. 
For instance, Apache uses the suexec wrapper to spawn CGI scripts. If NGINX gets support for CGI in the future, then the wrapper could conceivably support chroot(), because a CGI program runs in its own process. 

Running NGINX in a private root itself, that's a separate matter, and that should be doable as long as all the libraries that NGINX links to are present under the new root. 


----- Original Message ----- 
From: "Almir Karic" <almir at kiberpipa.org> 
To: nginx at sysoev.ru 
Sent: Monday, September 1, 2008 2:30:12 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi 
Subject: Re: how to chroot nginx 

On Mon, Sep 01, 2008 at 10:22:06AM +0200, Robert Gabriel wrote: 
> Is it possible to chroot nginx also fastcgi? if yes, how? 

AFAIK nginx itself doesn't have a chroot feature. 

As for FCGI, well, it depends on the way you are spawning FCGI processes; 
lighttpd's spawn-fcgi, for example, has -c, which allows it to be chrooted. 

-- 
vi vi vi -- the number of the beast 
