
> You can't use traditional chroot kind of setup with nginx.

I'm curious why this is the case. If even a beast like apache can be run from a chroot jail, shouldn't it be easier to do it with something lightweight like nginx?




    $ ldd `which nginx`
    /usr/local/sbin/nginx:
        Start            End              Type Open Ref GrpRef Name
        0000000000400000 000000000089c000 exe  1    0   0      /usr/local/sbin/nginx
        0000000206c17000 0000000207042000 rlib 0    1   0      /usr/local/lib/libpcre.so.2.3
        00000002082fd000 000000020874b000 rlib 0    1   0      /usr/lib/libssl.so.15.1
        000000020874b000 0000000208cd7000 rlib 0    1   0      /usr/lib/libcrypto.so.18.0
        0000000204a0e000 0000000204e22000 rlib 0    1   0      /usr/lib/libz.so.4.1
        00000002017b8000 0000000201c99000 rlib 0    1   0      /usr/lib/libc.so.53.1
        0000000204600000 0000000204600000 rtld 0    1   0      /usr/libexec/ld.so
Doesn't look too bad. Start by copying the relevant libraries and config directory to the appropriate places within the chroot jail, then test. (Those paths are on OpenBSD 4.7-beta, probably different on your system.)


.. and by 'moving those libraries' you mean 'copying' them, right? :)

A quick look at nginx's ./configure script doesn't show any options that enable static linking on the libraries, but that would be useful for looking into chrooting it.


Yeah, whoops. Copying.


You could also hardlink them.


You don't want to do that. If there is an exploit and an ability to gain root access, those libraries could be modified and affect everything else that uses those libraries outside the chroot jail. Best to just copy them.
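As an added example, not part of the thread or of nginx itself: a small POSIX shell script that does what the two points above describe. It parses ldd output in the OpenBSD format shown earlier, copies the binary, the run-time linker and each shared library into a jail root with the same directory layout, and then audits the jail so that every object is an independent copy rather than a hardlink to the host file. The ldd listing is constructed (addresses and library versions are illustrative), and the "host" tree is a stand-in directory of placeholder files, so it runs without root on any system.

```shell
#!/bin/sh
# Added example, not from the thread: populate a chroot jail from
# OpenBSD-style ldd output using real copies, never hardlinks.

# Constructed ldd output modelled on the listing in the thread (addresses and
# library versions are illustrative, not taken from a real system).
SAMPLE_LDD='/usr/local/sbin/nginx:
        Start            End              Type Open Ref GrpRef Name
        0000000000400000 000000000089c000 exe  1    0   0      /usr/local/sbin/nginx
        0000000206c17000 0000000207042000 rlib 0    1   0      /usr/local/lib/libpcre.so.2.3
        00000002082fd000 000000020874b000 rlib 0    1   0      /usr/lib/libssl.so.15.1
        0000000204600000 0000000204600000 rtld 0    1   0      /usr/libexec/ld.so'

# Print the path of every object the jail needs: the executable (exe), the
# run-time linker (rtld) and each shared library (rlib). The first line of
# ldd output and the column header have no such type in field 3 and are skipped.
ldd_paths() {
    printf '%s\n' "$1" | awk '$3 == "exe" || $3 == "rlib" || $3 == "rtld" { print $7 }'
}

# Build a stand-in host tree of placeholder files so the example runs unprivileged.
make_fake_host() {
    root=$1; ldd_out=$2
    for p in $(ldd_paths "$ldd_out"); do
        mkdir -p "$root$(dirname "$p")"
        printf 'placeholder for %s\n' "$p" > "$root$p"
    done
}

# Copy each object from src_root into jail, keeping the same directory layout.
# cp creates an independent file: tampering with the copy inside the jail
# cannot alter the host's library, which a hardlink would allow.
copy_into_jail() {
    jail=$1; src_root=$2; ldd_out=$3
    for p in $(ldd_paths "$ldd_out"); do
        mkdir -p "$jail$(dirname "$p")" || return 1
        cp -p "$src_root$p" "$jail$p" || return 1
    done
}

# Succeed only if both paths exist and are distinct files (different inode),
# i.e. the jail copy is not a hardlink to the host file.
is_independent_copy() {
    [ -e "$1" ] && [ -e "$2" ] && ! [ "$1" -ef "$2" ]
}

# Audit a whole jail: fail if any required object is missing or hardlinked.
audit_jail() {
    jail=$1; src_root=$2; ldd_out=$3
    for p in $(ldd_paths "$ldd_out"); do
        is_independent_copy "$src_root$p" "$jail$p" || { echo "problem: $p" >&2; return 1; }
    done
}

# Stand-alone run: throwaway host tree and jail under a temporary directory.
work=$(mktemp -d)
make_fake_host "$work/host" "$SAMPLE_LDD"
copy_into_jail "$work/jail" "$work/host" "$SAMPLE_LDD"
audit_jail "$work/jail" "$work/host" "$SAMPLE_LDD" && echo "jail objects are independent copies"
rm -rf "$work"
```

On a real system you would feed `ldd $(which nginx)` to `ldd_paths`, use `/` as the source root and the jail directory as the target, and still copy the configuration directory separately, since ldd only reports objects the loader maps. The audit is the cheap check worth keeping around: a later hardlink (or a bind of the host library directory into the jail) silently reintroduces the shared-inode problem the thread warns about.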


You can chroot any user process. Some processes are harder to chroot than others.



