我想安装 nginx(不是当前稳定版,而是当前版本),并把该进程 chroot 起来。我参考了几份教程,包括《安全 Debian 手册》附录 H「Apache 的 Chroot 环境」,并尝试把它套用到 nginx 上,但没有成功(为什么他们的示例里没有 apache 和 apache2?)。所以我做了以下操作:
~# uname -a
Debian i686 GNU/Linux
~# apt-cache policy nginx
nginx:
Candidat : 1.2.1-2.2+wheezy2
# Root of the chroot jail nginx is confined to; every later step builds under it.
JAIL="/var/chroot/chroot_nginx"
# Name used for both the unprivileged system user and its group (created in step 2).
OWN_GRP="chroot_nginx"
# Debian multiarch library subdirectory for this machine (uname above reports i686).
TTBITS_LIBDIR="i386-linux-gnu"
1-创建所有必要的目录:
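# Build the jail skeleton in one mkdir -p call (missing parents are created
# too). "$JAIL/run" is added: the systemd unit in step 7 mounts a tmpfs on
# $JAIL/run and points nginx's pid file there, but no step created that
# directory, and mount(8) fails on a non-existent mount point.
~# mkdir -p \
    "$JAIL/etc/nginx" \
    "$JAIL/var/log/nginx" \
    "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/" \
    "$JAIL/usr/lib/$TTBITS_LIBDIR/i686/cmov/" \
    "$JAIL/usr/lib/" \
    "$JAIL/usr/sbin/" \
    "$JAIL/var/run" \
    "$JAIL/run" \
    "$JAIL/proc" \
    "$JAIL/tmp"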
2——创建新用户:
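# Create the dedicated unprivileged account nginx runs as: --system allocates a
# system uid, --group creates a same-named group, and the jail root is recorded
# as the home directory without creating it (step 1 already did). Both
# expansions are quoted so a path containing spaces cannot split the command.
adduser --home "$JAIL" --shell "/bin/false" --no-create-home --system --group "$OWN_GRP"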
3-nginx 使用哪些库?:
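# List the shared libraries nginx links against, keeping only the /lib and /usr
# paths. The original pattern contained "\usr", which is not a defined escape in
# a basic regular expression; "\(usr\|lib\)" is what was meant.
# NOTE: ldd only shows libraries linked at build time. Modules that glibc
# dlopen()s at run time -- in particular the NSS module behind getpwnam(),
# libnss_files.so.2 -- never appear here and must be copied separately.
ldd /usr/sbin/nginx | grep -o '/\(usr\|lib\)[^ ]*'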
4-复制当前安装版本的 nginx 所用到的全部库:
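# Copy every library ldd reported into the same relative location inside the
# jail (the destination directories were created in step 1).
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libpthread.so.0" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libcrypt.so.1" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/libpam.so.0" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libm.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/liblua5.1.so.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libexpat.so.1" "$JAIL/lib/$TTBITS_LIBDIR/"
# The original destination ended in a stray "l", so libpcre was copied to a
# file named ".../l" instead of into the directory.
~# cp "/lib/$TTBITS_LIBDIR/libpcre.so.3" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/i686/cmov/libssl.so.1.0.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/usr/lib/$TTBITS_LIBDIR/i686/cmov/libcrypto.so.1.0.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libdl.so.2" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/libz.so.1" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libxml2.so.2" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libxslt.so.1" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libexslt.so.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libgd.so.2" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/libGeoIP.so.1" "$JAIL/usr/lib/"
~# cp "/usr/lib/libperl.so.5.14" "$JAIL/usr/lib/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libc.so.6" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/ld-linux.so.2" "$JAIL/lib/"
~# cp "/lib/$TTBITS_LIBDIR/liblzma.so.5" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libgcrypt.so.11" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libXpm.so.4" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libX11.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libjpeg.so.8" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libfontconfig.so.1" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libfreetype.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libpng12.so.0" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libgpg-error.so.0" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libxcb.so.1" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libXau.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libXdmcp.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
# NSS module for passwd/group lookups. ldd never lists it because glibc
# dlopen()s it at run time, yet without it (plus an /etc/nsswitch.conf inside
# the jail) getpwnam("$OWN_GRP") fails with "No such file or directory" --
# exactly the [emerg] reported in step 11 -- even though the jail's
# /etc/passwd contains the user.
~# cp "/lib/$TTBITS_LIBDIR/libnss_files.so.2" "$JAIL/lib/$TTBITS_LIBDIR/"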
5 – 所需其他文件
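# Other files nginx reads once it is inside the jail; every expansion quoted.
~# cp "/etc/mime.types" "$JAIL/etc/mime.types"
~# cp "/etc/hosts" "$JAIL/etc/hosts"
# Name-service switch configuration: glibc consults it (together with
# libnss_files.so.2) to resolve the "user" directive through getpwnam(); without
# it the lookup fails even though $JAIL/etc/passwd lists the account.
~# cp "/etc/nsswitch.conf" "$JAIL/etc/nsswitch.conf"
~# cp "/usr/sbin/nginx" "$JAIL/usr/sbin/nginx"
# "/etc/nginx/." copies the directory contents including dot-files and does not
# rely on an unquoted glob being expanded by the shell.
~# cp -R /etc/nginx/. "$JAIL/etc/nginx"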
6——用户与组文件(passwd、group……)
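# Copy only the jail account's own entries into the jail's account files. The
# pattern is anchored ("^name:") so a substring match on some other account
# cannot leak additional lines; "--" keeps a pattern starting with "-" from
# being parsed as an option.
~# grep -- "^$OWN_GRP:" "/etc/passwd" > "$JAIL/etc/passwd"
~# grep -- "^$OWN_GRP:" "/etc/group" > "$JAIL/etc/group"
# getpwnam()/getgrnam() do not read shadow or gshadow. If the lines are kept
# anyway, the files must not be readable by the jailed process: a freshly
# redirected file gets the default umask, i.e. world-readable.
~# grep -- "^$OWN_GRP:" "/etc/shadow" > "$JAIL/etc/shadow"
~# grep -- "^$OWN_GRP:" "/etc/gshadow" > "$JAIL/etc/gshadow"
~# chmod 0600 "$JAIL/etc/shadow" "$JAIL/etc/gshadow"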
7-nginx 服务的单元文件,负责挂载/卸载新的文件系统
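# Keep a copy of the stock unit before overwriting it.
~# cp /etc/systemd/system/nginx.service /etc/systemd/system/nginx.service.original
# The EOF delimiter is deliberately unquoted: $JAIL and $OWN_GRP are expanded
# while the unit is written, so the resulting file holds literal paths.
~# cat << EOF > /etc/systemd/system/nginx.service
[Unit]
Description=A high performance web server and a reverse proxy server
After=syslog.target network.target

[Service]
Type=forking
# Host-side view of the pid file nginx writes as /run/nginx.pid relative to its
# root (see the "pid" directive below). The original pointed at
# /var/chroot/nginx/var/run/nginx.pid, which is neither under \$JAIL nor the
# path nginx is told to use.
PIDFile=$JAIL/run/nginx.pid
# systemd executes exactly one command per ExecStart= (";" is a shell feature
# it does not parse) and requires absolute paths, so the tmpfs mounts get their
# own ExecStartPre= lines, which run in order before ExecStart=. nosuid,nodev
# accompany noexec so nothing written into a jail-writable directory can be
# used to regain privileges.
ExecStartPre=/bin/mount -t tmpfs -o noexec,nosuid,nodev,size=1M none $JAIL/run
ExecStartPre=/bin/mount -t tmpfs -o noexec,nosuid,nodev,size=100M none $JAIL/tmp
ExecStartPre=/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecStart=/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
# Reload only asks the running master to re-read its configuration. The
# original unmounted $JAIL/run first, which removed the very pid file that
# "-s reload" then has to read.
ExecReload=/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
ExecStop=/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit
# ExecStopPost= runs after the service has stopped, including when it was
# killed, so the mounts are always released.
ExecStopPost=/bin/umount $JAIL/tmp
ExecStopPost=/bin/umount $JAIL/run

[Install]
WantedBy=multi-user.target
EOF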
8-我的 /etc/init.d/nginx
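# Quote the delimiter ('EOF'): with a bare EOF the *outer* shell expands every
# $VARIABLE in the script while it is being written -- $DAEMON, $1, $ULIMIT,
# $PIDFILE, even $local_fs in the LSB header -- and stores empty strings in
# /etc/init.d/nginx.
~# cat << 'EOF' > /etc/init.d/nginx
#!/bin/sh
### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx web server
# Description: starts nginx inside a chroot jail using start-stop-daemon
### END INIT INFO
# Root of the jail; every path nginx itself sees is relative to it.
CHRDIR=/var/chroot/chroot_nginx
PATH=/sbin:/usr/sbin:/bin:/usr/bin
# nginx binary as seen from inside the jail (start-stop-daemon --chroot
# resolves --exec under the new root, as the original invocation relied on).
DAEMON=/usr/sbin/nginx
NAME=chroot_nginx
DESC=chroot_nginx
# Pid file as nginx writes it, relative to the jail root. The original script
# used $PIDFILE without ever assigning it, so start-stop-daemon was handed
# "$CHRDIR/" as the pid file. Keep in sync with the "pid" directive in nginx.conf.
PIDFILE=/var/run/nginx.pid
# Options shared by the tmpfs mounts: no executables, setuid files or device
# nodes may live in the jail's writable directories.
TMPFS_OPTS=noexec,nosuid,nodev
# Include nginx defaults if available
if [ -f /etc/default/nginx ]; then
  . /etc/default/nginx
fi
# Test the copy that will actually run, i.e. the one inside the jail.
test -x "$CHRDIR$DAEMON" || exit 0
set -e
. /lib/lsb/init-functions

#######################################
# Validate the configuration *inside the jail*, which is the one nginx runs
# with. The original ran "$DAEMON -t" on the host and therefore checked the
# host's /etc/nginx/nginx.conf, not $CHRDIR/etc/nginx/nginx.conf.
# Returns: 0 if the configuration is valid, otherwise nginx -t's status with
#          its diagnostics printed.
#######################################
test_nginx_config() {
  if chroot "$CHRDIR" "$DAEMON" -t $DAEMON_OPTS >/dev/null 2>&1; then
    return 0
  else
    chroot "$CHRDIR" "$DAEMON" -t $DAEMON_OPTS
    return $?
  fi
}

#######################################
# Mount the jail's volatile directories as private tmpfs instances (a tmpfs,
# not procfs, on $CHRDIR/proc, as in the original). mountpoint -q makes the
# calls idempotent, so a restart after a crash does not abort under set -e on
# an "already mounted" error.
#######################################
mount_jail_fs() {
  mountpoint -q "$CHRDIR/proc" || mount -t tmpfs -o "$TMPFS_OPTS,size=1M" none "$CHRDIR/proc"
  mountpoint -q "$CHRDIR/tmp" || mount -t tmpfs -o "$TMPFS_OPTS,size=100M" none "$CHRDIR/tmp"
}

#######################################
# Release the tmpfs mounts created by mount_jail_fs; silently skips directories
# that are not mounted.
#######################################
umount_jail_fs() {
  ! mountpoint -q "$CHRDIR/tmp" || umount "$CHRDIR/tmp"
  ! mountpoint -q "$CHRDIR/proc" || umount "$CHRDIR/proc"
}

case "$1" in
  start)
    printf '%s' "Starting $DESC: "
    test_nginx_config
    # Check if the ULIMIT is set in /etc/default/nginx
    if [ -n "$ULIMIT" ]; then
      # Set the ulimits
      ulimit $ULIMIT
    fi
    mount_jail_fs
    start-stop-daemon --start --quiet --pidfile "$CHRDIR$PIDFILE" \
      --exec "$DAEMON" --chroot "$CHRDIR" -- $DAEMON_OPTS || true
    echo "$NAME."
    ;;
  stop)
    printf '%s' "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile "$CHRDIR$PIDFILE" \
      --exec "$DAEMON" --chroot "$CHRDIR" || true
    umount_jail_fs
    echo "$NAME."
    ;;
  restart|force-reload)
    printf '%s' "Restarting $DESC: "
    start-stop-daemon --stop --quiet --pidfile "$CHRDIR$PIDFILE" \
      --exec "$DAEMON" --chroot "$CHRDIR" || true
    sleep 1
    # Remount only after the master is gone: a filesystem it still holds open
    # cannot be unmounted.
    umount_jail_fs
    mount_jail_fs
    test_nginx_config
    # Check if the ULIMIT is set in /etc/default/nginx
    if [ -n "$ULIMIT" ]; then
      # Set the ulimits
      ulimit $ULIMIT
    fi
    # The original restarted with the host's /var/run/$NAME.pid and without
    # --chroot, so the restarted instance was not the jailed one.
    start-stop-daemon --start --quiet --pidfile "$CHRDIR$PIDFILE" \
      --exec "$DAEMON" --chroot "$CHRDIR" -- $DAEMON_OPTS || true
    echo "$NAME."
    ;;
  reload)
    printf '%s' "Reloading $DESC configuration: "
    test_nginx_config
    # The original's "--name $NAME" matched the script's own name
    # (chroot_nginx), not the process name; the pid file alone identifies the
    # jailed master.
    start-stop-daemon --stop --signal HUP --quiet --pidfile "$CHRDIR$PIDFILE" || true
    echo "$NAME."
    ;;
  configtest|testconfig)
    printf '%s' "Testing $DESC configuration: "
    if test_nginx_config; then
      echo "$NAME."
    else
      exit $?
    fi
    ;;
  status)
    # The jailed master writes its pid file under $CHRDIR, not in the host's /var/run.
    status_of_proc -p "$CHRDIR$PIDFILE" "$DAEMON" nginx && exit 0 || exit $?
    ;;
  *)
    echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
    exit 1
    ;;
esac
exit 0
EOF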
9- 快速配置nginx
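# Point the "user" directive of the jail's copy of nginx.conf at the jail
# account. Anchoring the pattern to the start of the line keeps the
# substitution from rewriting other lines that merely contain "user "; the /g
# flag is dropped because ".*;" already consumes the rest of the line.
# Inside the chroot nginx reports this file as /etc/nginx/nginx.conf -- paths
# in its messages are relative to the jail root, which is expected.
sed -i "s/^user .*;/user $OWN_GRP;/" "$JAIL/etc/nginx/nginx.conf"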
10-允许 nginx 绑定套接字
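# Grant only the capability needed to bind ports below 1024 to the jail's copy
# of the binary, so the master started by the systemd unit (which drops to
# $OWN_GRP via --userspec before exec) can still listen on port 80. File
# capabilities live in the security.capability extended attribute of this
# file, so they apply inside the chroot as well -- and plain cp does not
# preserve that attribute, which is why the copy made in step 5 arrives without
# any capability the host binary may have carried. Re-run this after every
# re-copy of the binary. The path is quoted.
~# setcap 'cap_net_bind_service=+ep' "$JAIL/usr/sbin/nginx"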
11-启动 nginx 服务
# Starts nginx through whichever init system is active. With the sysvinit
# default the /etc/init.d/nginx script from step 8 runs; note that it mounts
# $CHRDIR/proc and $CHRDIR/tmp, whereas the systemd unit from step 7 mounts
# $JAIL/run and $JAIL/tmp -- the two paths do not set up the same jail.
~# service nginx start
******OUTPUT !!! :
Starting chroot_nginx: nginx: [emerg] getpwnam("chroot_nginx") failed (2: No such file or directory) in /etc/nginx/nginx.conf:1
chroot_nginx.
12- 其他检查
~# cat /etc/passwd|grep "chroot_nginx"
chroot_nginx:x:136:143::/var/chroot/chroot_nginx:/bin/false
~# ls -las /var/chroot/chroot_nginx/
total 24K
drwxr-xr-x 8 root root 4,0K févr. 19 19:15 .
drwxr-xr-x 3 root root 4,0K févr. 19 19:15 ..
drwxr-xr-x 3 root root 4,0K févr. 19 19:15 etc
drwxr-xr-x 3 root root 4,0K févr. 19 19:15 lib
drwxrwxrwt 2 root root 40 févr. 19 19:19 proc
drwxrwxrwt 2 root root 40 févr. 19 19:19 tmp
drwxr-xr-x 4 root root 4,0K févr. 19 19:15 usr
drwxr-xr-x 4 root root 4,0K févr. 19 19:15 var
首先,错误信息里给出的配置文件路径是 /etc/nginx/nginx.conf,而不是 /var/chroot/chroot_nginx/etc/nginx/nginx.conf,这正常吗?其次,为什么找不到我的用户……
我哪里错了?
我也在 stackoverflow 上看到过其他帖子,说进程被 chroot 之后 /usr/sbin 中的安全属性会丢失,这是真的吗?我的问题是:为什么?是不是这个目录里的所有程序都设置了某个位,而它显然没有生效?如果是这样,那是我尚未理解的知识,感谢您指点。
我对 nginx 服务文件中的 ExecStartPre 命令,以及在它指示的路径上挂载文件系统的做法也有疑问……如果您有任何想法可以指点我,或者发现了错误、遗漏的步骤,或者有好的教程可以推荐……
我是自学的,请多包涵 :)非常感谢您抽出时间。