Chroot 主进程 Nginx 1.2.1

tag-icon tag-icon linux nginx security debian chroot
Chroot 主进程 Nginx 1.2.1

我想安装 nginx(不是当前稳定版本,而是当前版本),并 chroot 该进程。我遵循了一些教程,包括:安全 Debian 手册附录 H - Apache 的 Chroot 环境,并尝试适应 nginx,但没有成功(为什么 apache 和 apache2 不在他们的示例中?)。所以我做了以下操作:

~# uname -a 
Debian i686 GNU/Linux

~# apt-cache policy nginx
   nginx:
   Candidat : 1.2.1-2.2+wheezy2


JAIL="/var/chroot/chroot_nginx"
OWN_GRP="chroot_nginx"
TTBITS_LIBDIR="i386-linux-gnu"

1-创建所有必要的目录:

~# mkdir -p "$JAIL/etc/nginx"
~# mkdir -p "$JAIL/var/log/nginx"
~# mkdir -p "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# mkdir -p "$JAIL/usr/lib/$TTBITS_LIBDIR/i686/cmov/"
~# mkdir -p "$JAIL/usr/lib/"
~# mkdir -p "$JAIL/usr/sbin/"
~# mkdir -p "$JAIL/var/run"
~# mkdir -p "$JAIL/proc"
~# mkdir -p "$JAIL/tmp"

2——创建新用户:

adduser --home $JAIL --shell "/bin/false" --no-create-home --system --group $OWN_GRP

3-nginx 使用哪些库?:

ldd /usr/sbin/nginx|grep -o "/\(\usr\|lib\).[^ \ ]*"

4-复制所有现有的库 nginx 当前安装的版本:

~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libpthread.so.0" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libcrypt.so.1" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/libpam.so.0" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libm.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/liblua5.1.so.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libexpat.so.1" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libpcre.so.3" "$JAIL/lib/$TTBITS_LIBDIR/l"
~# cp "/usr/lib/$TTBITS_LIBDIR/i686/cmov/libssl.so.1.0.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/usr/lib/$TTBITS_LIBDIR/i686/cmov/libcrypto.so.1.0.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libdl.so.2" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/libz.so.1" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libxml2.so.2" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libxslt.so.1" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libexslt.so.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libgd.so.2" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/libGeoIP.so.1" "$JAIL/usr/lib/"
~# cp "/usr/lib/libperl.so.5.14" "$JAIL/usr/lib/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libc.so.6" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/ld-linux.so.2" "$JAIL/lib/"
~# cp "/lib/$TTBITS_LIBDIR/liblzma.so.5" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libgcrypt.so.11" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libXpm.so.4" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libX11.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libjpeg.so.8" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libfontconfig.so.1" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libfreetype.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libpng12.so.0" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libgpg-error.so.0" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libxcb.so.1" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libXau.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libXdmcp.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"

5 – 所需其他文件

~# cp "/etc/mime.types" $JAIL/etc/mime.types
~# cp "/etc/hosts" $JAIL/etc/hosts
~# cp "/usr/sbin/nginx" "$JAIL/usr/sbin/nginx"
~# cp -R /etc/nginx/* "$JAIL/etc/nginx"

6——文件组,传递......

~# grep "$OWN_GRP" "/etc/passwd" > "$JAIL/etc/passwd"
~# grep "$OWN_GRP" "/etc/group" > "$JAIL/etc/group"
~# grep "$OWN_GRP" "/etc/shadow" > "$JAIL/etc/shadow"
~# grep "$OWN_GRP" "/etc/gshadow" > "$JAIL/etc/gshadow"

7-配置文件nginx服务挂载/卸载新的文件系统

~# cp /etc/systemd/system/nginx.service /etc/systemd/system/nginx.service.original
~# cat << EOF > /etc/systemd/system/nginx.service
[Unit]
Description=A high performance web server and a reverse proxy server
After=syslog.target network.target

[Service]
Type=forking
PIDFile=/var/chroot/nginx/var/run/nginx.pid
ExecStartPre=/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecStart=mount -t tmpfs none $JAIL/run -o 'noexec,size=1M';mount -t tmpfs none $JAIL/tmp -o 'noexec,size=100M';/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecReload=umount $JAIL/run ;umount $JAIL/tmp ;mount -t tmpfs none $JAIL/run -o 'noexec,size=1M';mount -t tmpfs none $JAIL/tmp -o 'noexec,size=100M';/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
ExecStop=umount $JAIL/run ;umount $JAIL/tmp ;/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit

[Install]
WantedBy=multi-user.target
EOF

8-我的 /etc/init.d/nginx

~# cat << EOF > /etc/init.d/nginx
#!/bin/sh

### BEGIN INIT INFO
# Provides:          nginx
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the nginx web server
# Description:       starts nginx using start-stop-daemon
### END INIT INFO

CHRDIR=/var/chroot/chroot_nginx

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DAEMON=/usr/sbin/nginx
NAME=chroot_nginx
DESC=chroot_nginx

# Include nginx defaults if available
if [ -f /etc/default/nginx ]; then
. /etc/default/nginx
fi

test -x $DAEMON || exit 0

set -e

. /lib/lsb/init-functions

test_nginx_config() {
if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then
    return 0
else
    $DAEMON -t $DAEMON_OPTS
    return $?
fi
}

case "$1" in
start)
    echo -n "Starting $DESC: "
    test_nginx_config
    # Check if the ULIMIT is set in /etc/default/nginx
    if [ -n "$ULIMIT" ]; then
        # Set the ulimits
        ulimit $ULIMIT
    fi
    #start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS || true
    mount -t tmpfs none $CHRDIR/proc -o 'noexec,size=1M'
    mount -t tmpfs none $CHRDIR/tmp -o 'noexec,size=100M'
    start-stop-daemon --start --quiet --pidfile "$CHRDIR/$PIDFILE" --exec $DAEMON --chroot $CHRDIR -- $DAEMON_OPTS || true
    echo "$NAME."
    ;;

stop)
    echo -n "Stopping $DESC: "
    #start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON || true
    start-stop-daemon --stop --quiet --pidfile "$CHRDIR/$PIDFILE"  --exec $DAEMON --chroot $CHRDIR -- $DAEMON_OPTS || true 
    umount $CHRDIR/proc
    umount $CHRDIR/tmp
    echo "$NAME."
    ;;

restart|force-reload)
    echo -n "Restarting $DESC: "
    umount $CHRDIR/proc
    umount $CHRDIR/tmp
    mount -t tmpfs none $CHRDIR/proc -o 'noexec,size=1M'
    mount -t tmpfs none $CHRDIR/tmp -o 'noexec,size=100M'

    start-stop-daemon --stop --quiet --pidfile "$CHRDIR/$PIDFILE" --chroot $CHRDIR --exec $DAEMON || true

    sleep 1
    test_nginx_config
    # Check if the ULIMIT is set in /etc/default/nginx
    if [ -n "$ULIMIT" ]; then
        # Set the ulimits
        ulimit $ULIMIT
    fi
    start-stop-daemon --start --quiet --pidfile \
        /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS || true
    echo "$NAME."
    ;;

reload)
    echo -n "Reloading $DESC configuration: "
    test_nginx_config
    #start-stop-daemon --stop --signal HUP --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON || true
    echo -n "Reloading: $NAME" 
     start-stop-daemon --stop --signal HUP --quiet --pidfile "$CHRDIR/$PIDFILE" --name $NAME || true
    echo "$NAME."
    ;;

configtest|testconfig)
    echo -n "Testing $DESC configuration: "
    if test_nginx_config; then
        echo "$NAME."
    else
        exit $?
    fi
    ;;

status)
    status_of_proc -p /var/run/$NAME.pid "$DAEMON" nginx && exit 0 || exit $?
    ;;
*)
    echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
    exit 1
    ;;
esac

exit 0
EOF

9- 快速配置nginx

sed -i "s/user .*;/user $OWN_GRP;/g" "$JAIL/etc/nginx/nginx.conf"

10-允许 nginx 绑定套接字

~# setcap 'cap_net_bind_service=+ep' $JAIL/usr/sbin/nginx

11-启动 nginx 服务

~# service nginx start
******OUTPUT !!! :
Starting chroot_nginx: nginx: [emerg] getpwnam("chroot_nginx") failed (2: No such file or directory) in /etc/nginx/nginx.conf:1
chroot_nginx.

12- 其他检查

~# cat /etc/passwd|grep "chroot_nginx"
chroot_nginx:x:136:143::/var/chroot/chroot_nginx:/bin/false
~# ls -las /var/chroot/chroot_nginx/
total 24K
drwxr-xr-x 8 root root 4,0K févr. 19 19:15 .
drwxr-xr-x 3 root root 4,0K févr. 19 19:15 ..
drwxr-xr-x 3 root root 4,0K févr. 19 19:15 etc
drwxr-xr-x 3 root root 4,0K févr. 19 19:15 lib
drwxrwxrwt 2 root root   40 févr. 19 19:19 proc
drwxrwxrwt 2 root root   40 févr. 19 19:19 tmp
drwxr-xr-x 4 root root 4,0K févr. 19 19:15 usr
drwxr-xr-x 4 root root 4,0K févr. 19 19:15 var

首先,基本配置文件名为 /etc/nginx/nginx.conf,而不是 /var/chroot/chroot_nginx/etc/nginx/nginx.conf,这正常吗?其次,未找到我的用户...

我哪里错了?

我也在 stackoverflow 上看到其他帖子,一个 chrooted 进程,但 /usr/sbin 中的安全属性会丢失吗?我的问题是为什么?此文件夹中的所有程序是否都设置了显然未激活的位?如果这是 casMes 知识我还没有理解,感谢您指导我。

我也对在命令 ExecStartPre 服务 nginx 文件和指示的路径上挂载文件系统有疑问...如果您有一个想法只是为了指导我或者发现一个错误,一个缺失的步骤或者有一个好的教程建议我......

我独自学习善良:)非常感谢您抽出时间。

相关内容