Getpwnam issue

Hello all,

I am testing a chroot’ed nginx setup on Debian Lenny and am receiving
the error: getpwnam("www-data") failed when I try to start nginx. My
search to find a possible solution has so far been fruitless but I am
hoping someone smarter than I could offer some advice.

I’ve set up the “jail” in /chroot/nginx, created the relevant directory
structure (/dev/, /etc, /usr, /var, etc.). Then I copied files that
“ldd `which nginx`” showed as linked to the relevant directories, and
also copied what I believe are the necessary /etc/* files to
/chroot/nginx/etc/. So my directory structure is basically as follows:

/chroot/nginx (base chroot directory)
    /etc
        passwd, shadow, group, hosts, nsswitch.conf, resolv.conf
        /nginx
            nginx.conf,
            /sites-{available, enabled}
    /usr
        /sbin
            nginx
        /lib
            (some shared library files here)
    /lib
        libnss_dns* files, libnss_compat* files,
        libnss_files*, and some other shared library files here
    /var
    /dev
    /tmp

(that’s a non-exhaustive overview, but is hopefully enough to diagnose
the problem)

I know that it’s not a getpwnam() issue, as I found a forum discussion
which involves troubleshooting the getpwnam() function with a simple C
program to ensure that getpwnam() is indeed working properly. I’ve
tested this and it works as expected in a non-chroot setting
(discussion is here, it’s in Russian, so you may need to use Google
Translate:
Re: nginx и cygwin).

I am using the start-stop-daemon to manage nginx with a script similar
to this:
nginx startup script for Debian.
So to start nginx I run:

    # start-stop-daemon --start --pidfile /var/run/nginx/nginx.pid \
        --exec /usr/sbin/nginx --chroot /chroot/nginx

And this is what throws the error. I think that it’s really an issue of
having my paths or permissions wrong such that getpwnam() cannot
read/find the passwd file, but my attempts to change permissions,
owners, and paths have not been successful. Any advice or suggestions
would be appreciated!

Thanks,

Chad

Posted at Nginx Forum:

I have seemingly solved this issue. I failed to copy /lib/libnsl.so.1
into my chroot /lib folder but have added it and I can start nginx using
the start-stop-daemon command with the --chroot flag; strace is a
life-saver.

In case anyone else goes down this road in the future, you can strace
your start-stop-daemon call to a chrooted nginx as follows:

    start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON \
        --chroot $CHRDIR --startas /usr/bin/strace -- \
        -f -o /tmp/$NAME.strace $DAEMON $ARGS

where…
$PIDFILE = path/to/nginx/pid
$DAEMON = /usr/sbin/nginx
$CHRDIR = /chroot/nginx (or your chroot dir)
$NAME = nginx

Make sure you copy /usr/bin/strace into $CHRDIR/usr/bin/ else the above
command will fail (don’t forget to remove it after you’ve debugged
everything).
strace will be output to $CHRDIR/tmp/$NAME.strace.

This is how I was able to determine what libraries I needed.

Posted at Nginx Forum:
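
An added example (not part of the original posts): a shell function that reads an strace log such as $CHRDIR/tmp/$NAME.strace and lists the libraries that were looked up but never opened successfully under any search path. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Lists libraries that an strace log
# shows were looked up but never opened successfully under any path.
# Typical use: missing_libs "$CHRDIR/tmp/$NAME.strace"

# missing_libs [LOGFILE]  (reads stdin when no file is given)
# A loader probes several directories per library, so a single ENOENT is
# normal; a library counts as missing only if no probe for it succeeded.
missing_libs() {
    awk '
        /open(at)?\(/ {
            # First quoted string is the path for open() and openat().
            if (!match($0, /"[^"]*"/)) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(path, parts, "/")
            base = parts[n]
            # Keep only shared objects such as libnsl.so.1.
            if (base !~ /^lib.*\.so(\.[0-9]+)*$/) next
            if ($0 ~ /= -1 ENOENT/) failed[base] = 1
            else if ($0 ~ /= [0-9]+$/) found[base] = 1
        }
        END { for (b in failed) if (!(b in found)) print b }
    ' "${1:--}" | sort
}

# Constructed sample log (strace -f -o format, PID in the first column).
sample_log() {
    cat <<'EOF'
4242 open("/etc/ld.so.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
4242 open("/etc/nsswitch.conf", O_RDONLY) = 4
4242 open("/lib/tls/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
4242 open("/lib/libnss_compat.so.2", O_RDONLY) = 4
4242 open("/lib/libnsl.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
4242 open("/usr/lib/libnsl.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

# Analyse the file given as argument, or the constructed sample otherwise.
if [ -r "${1:-}" ]; then missing_libs "$1"; else sample_log | missing_libs; fi
```

On the sample it reports libnsl.so.1 only: libnss_compat.so.2 failed in one directory but was found in another, and ld.so.cache is not a library.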

chadmiko Wrote:

start-stop-daemon --start --pidfile $PIDFILE

make sure you copy /usr/bin/strace into
$CHRDIR/usr/bin/ else the above command will fail
(don’t forget to remove it after you’ve debugged
everything).
strace will be output to $CHRDIR/tmp/$NAME.strace.

This is how I was able to determine what libraries
I needed.

Thanks for the tip! I too was having trouble with chroot’ing nginx on
Ubuntu Lucid 10.04 LTS, and that strace led me to the missing libs.

To make this easier, I wrote a script based on many tips from Vivek
Gite’s blog, mainly this post:
http://www.cyberciti.biz/faq/howto-run-nginx-in-a-chroot-jail/ , and
I’ve released it on GitHub in hopes it will help others:

I’ve included the nginx init.d script updated to launch nginx chrooted.
It also creates a new, password-locked nginx user with the home
directory set to the chroot directory. I’ve only tested it with an
Ubuntu 64-bit minimal installation on my VPS, so feel free to comment or
submit patches on GitHub!

Cheers,

Charles

Posted at Nginx Forum: