How to chroot nginx

Server NGINX
1

Is it possible to chroot nginx also fastcgi? if yes, how?

2

Witam!

W liście datowanym 1 września 2008 (10:22:06) napisano:

Is it possible to chroot nginx also fastcgi? if yes, how?

  1. you have to build chroot ( i am usually using debootstrap)
  2. you have to chroot into just created chroot
  3. install ngin etc
  4. start services in chroot
3

On Mon, Sep 01, 2008 at 10:22:06AM +0200, Robert G. wrote:

Is it possible to chroot nginx also fastcgi? if yes, how?

AFAIK nginx itself doesn’t have chroot feature.

as for FCGI, well, depends on the way you are spawning FCGI processes,
lighttpd’s spawn-fcgi for example has -c which allows it to be chrooted.

4

The process model of NGINX would make it almost impossible for NGINX
worker process itself to chroot.

The reason for this is that an NGINX worker process uses a set of
asynchronous handlers to convey the impression of simultaneous request
processing.
When a process calls a chroot(), it is impossible to get back out of the
new root, unless a directory outside the root was opened (opendir/dirfd)
before the chroot.
Since worker process in NGINX doesn’t exit() on its own, chroot()ing it
would not be a good idea.

Given the NGINX architecture, it is all but impossible to implement
chroot, say, based on a virtual host, etc.

Executing other programs, on the other hand, is a different topic.
For instance, apache uses the suexec wrapper to spawn CGI scripts. if
NGINX gets support for CGI in the future, then the wrapper could
conceivably support chroot(), because a CGI program runs in its own
process.

Running NGINX in private root itself, that’s a separate matter, and that
should be doable as long as all the libraries that NGINX links to, are
present under the new root.

----- Original Message -----
From: “Almir K.” [email protected]
To: [email protected]
Sent: Monday, September 1, 2008 2:30:12 PM GMT +05:30 Chennai, Kolkata,
Mumbai, New Delhi
Subject: Re: how to chroot nginx

On Mon, Sep 01, 2008 at 10:22:06AM +0200, Robert G. wrote:

Is it possible to chroot nginx also fastcgi? if yes, how?

AFAIK nginx itself doesn’t have chroot feature.

as for FCGI, well, depends on the way you are spawning FCGI processes,
lighttpd’s spawn-fcgi for example has -c which allows it to be chrooted.

5

On 9/1/08, Almir K. [email protected] wrote:

AFAIK nginx itself doesn’t have chroot feature.

as for FCGI, well, depends on the way you are spawning FCGI processes,
lighttpd’s spawn-fcgi for example has -c which allows it to be chrooted.

but spawn-fcgi is lame. :slight_smile: php-fpm is king.