Last active
April 29, 2021 03:25
Revisions
adityamukho renamed this gist
Nov 8, 2013. 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
adityamukho created this gist
Nov 8, 2013.
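--- /dev/null
+++ b/nginx.service
@@ -0,0 +1,19 @@
+#/etc/systemd/system/nginx.service
+
+[Unit]
+Description=Nginx (Chroot)
+After=syslog.target network.target
+
+[Service]
+Type=forking
+PIDFile=/srv/http/run/nginx.pid
+RootDirectory=/srv/http
+User=http
+Group=http
+ExecStartPre=/usr/bin/nginx -t -c /etc/nginx/nginx.conf
+ExecStart=/usr/bin/nginx -c /etc/nginx/nginx.conf
+ExecReload=/usr/bin/nginx -c /etc/nginx/nginx.conf -s reload
+ExecStop=/usr/bin/nginx -c /etc/nginx/nginx.conf -s stop
+
+[Install]
+WantedBy=multi-user.target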
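Review bot: `User=http` together with `RootDirectory=/srv/http` starts the nginx master itself as the unprivileged user, so nginx's own privilege drop (the `user` directive in nginx.conf) has nothing to drop from and master and workers end up sharing one uid; that is presumably why the companion script grants the binary `cap_net_bind_service`, and the unit should say so, e.g. `# Master runs unprivileged inside the chroot; port 80 works only because the binary carries cap_net_bind_service`. `PIDFile=/srv/http/run/nginx.pid` is the host-side path of what nginx writes as /run/nginx.pid from inside the chroot, which is easy to misread as an error; a one-line comment next to it would prevent that. `After=syslog.target` appears to be a legacy target on current systemd and is likely a no-op; `network.target` alone should suffice, but confirm against the target distribution.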
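--- /dev/null
+++ b/PLACEHOLDER_SCRIPT_NAME.sh
+#!/bin/bash
+pacman -S nginx
+export JAIL=/srv/http
+# Create Necessary Devices
+mkdir $JAIL/dev
+mknod -m 0666 $JAIL/dev/null c 1 3
+mknod -m 0666 $JAIL/dev/random c 1 8
+mknod -m 0444 $JAIL/dev/urandom c 1 9
+# Create Necessary Folders
+mkdir -p $JAIL/etc/nginx/logs
+mkdir -p $JAIL/usr/{lib,bin}
+mkdir -p $JAIL/usr/share/nginx
+mkdir -p $JAIL/var/{log,lib}/nginx
+mkdir -p $JAIL/www/cgi-bin
+mkdir -p $JAIL/{run,tmp}
+cd $JAIL
+ln -s usr/lib lib
+ln -s usr/lib lib64
+ln -s usr/lib usr/lib64
+ln -s usr/bin bin
+# Mount tmpfs
+mount -t tmpfs none $JAIL/run -o 'noexec,size=1M'
+mount -t tmpfs none $JAIL/tmp -o 'noexec,size=100M'
+touch $JAIL/etc/fstab
+echo 'tmpfs /srv/http/run tmpfs rw,noexec,relatime,size=1024k 0 0' >> $JAIL/etc/fstab
+echo 'tmpfs /srv/http/tmp tmpfs rw,noexec,relatime,size=102400k 0 0' >> $JAIL/etc/fstab
+# Populate the chroot
+cp -r /usr/share/nginx/* $JAIL/usr/share/nginx
+cp -r /usr/share/nginx/html/* $JAIL/www
+cp /usr/bin/nginx $JAIL/usr/bin/
+cp -r /var/lib/nginx $JAIL/var/lib/nginx
+cp /usr/bin/false $JAIL/bin
+cp /lib64/ld-linux-x86-64.so.2 $JAIL/lib
+cp $(ldd /usr/bin/nginx | grep /usr/lib | sed -sre 's/(.+)(\/usr\/lib\/\S+).+/\2/g') $JAIL/usr/lib
+cp /usr/lib/libnss_* $JAIL/usr/lib
+cp -rfvL /etc/{services,localtime,nsswitch.conf,nscd.conf,protocols,hosts,ld.so.cache,ld.so.conf,resolv.conf,host.conf,nginx} $JAIL/etc
+touch $JAIL/etc/{group,passwd,shadow,gshadow}
+echo http:x:33: >> $JAIL/etc/group
+echo nobody:x:99: >> $JAIL/etc/group
+echo http:x:33:33:http:/:/bin/false >> $JAIL/etc/passwd
+echo nobody:x:99:99:nobody:/:/bin/false >> $JAIL/etc/passwd
+echo http:x:14871:::::: >> $JAIL/etc/shadow
+echo nobody:x:14871:::::: >> $JAIL/etc/shadow
+echo http::: >> $JAIL/etc/gshadow
+echo nobody::: >> $JAIL/etc/gshadow
+touch $JAIL/etc/shells
+touch $JAIL/run/nginx.pid
+chown -R root:root $JAIL/
+chown -R http:http $JAIL/{www,run}
+chown -R http:http $JAIL/etc/nginx
+chown -R http:http $JAIL/var/{log,lib}/nginx
+chown http:http $JAIL/run/nginx.pid
+find $JAIL/ -gid 0 -uid 0 -type d -print | xargs chmod -rw
+find $JAIL/ -gid 0 -uid 0 -type d -print | xargs chmod +x
+find $JAIL/etc -gid 0 -uid 0 -type f -print | xargs chmod -x
+find $JAIL/usr/bin -type f -print | xargs chmod ug+rx
+find $JAIL/ -group http -user http -print | xargs chmod o-rwx
+chmod +rw $JAIL/tmp
+chmod +rw $JAIL/run
+setcap 'cap_net_bind_service=+ep' $JAIL/usr/bin/nginx
+# Modify nginx.service to start chroot
+echo Install modified nginx.service script in /etc/systemd/system
+pacman -Rsc nginx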
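Review bot: `chown -R http:http $JAIL/etc/nginx` hands the service user ownership of its own configuration tree, so a compromised worker running as http could rewrite nginx.conf and the unit's `ExecReload`, which runs as that same user, would load it; the config should stay root-owned and readable, with only the directory nginx has to write handed over, e.g. `chown -R http:http $JAIL/etc/nginx/logs` — assuming the logs directory created earlier is the only location it needs to write under /etc/nginx. The five `find … -print | xargs chmod …` pipelines split on whitespace in paths; `find … -exec chmod … {} +` (or `-print0 | xargs -0`) is the safe form. The closing `pacman -Rsc nginx` removes the package after its binary and libraries were copied into the jail, so `pacman -Syu` will no longer patch `$JAIL/usr/bin/nginx` or the copied libraries in `$JAIL/usr/lib`; a comment stating that the jail must be re-populated after every nginx or TLS-library update would make that maintenance burden visible. The script also runs without `set -e`, so a failed early step (for instance `mkdir $JAIL/dev` if `$JAIL` does not exist yet) does not stop the later chown/chmod steps from running against an incomplete tree.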