
I want to install nginx, not the current stable version but the one currently in the repositories, and chroot the process. I followed some tutorials, including Securing Debian Manual Appendix H - Chroot environment for Apache, and tried to adapt it to nginx, but without success (why apache and not apache2 in their example?). So I took the following actions:

~# uname -a 
Debian i686 GNU/Linux

~# apt-cache policy nginx
   nginx:
   Candidat : 1.2.1-2.2+wheezy2


JAIL="/var/chroot/chroot_nginx"
OWN_GRP="chroot_nginx"
TTBITS_LIBDIR="i386-linux-gnu"

1 - Creation of all necessary directories:

~# mkdir -p "$JAIL/etc/nginx"
~# mkdir -p "$JAIL/var/log/nginx"
~# mkdir -p "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# mkdir -p "$JAIL/usr/lib/$TTBITS_LIBDIR/i686/cmov/"
~# mkdir -p "$JAIL/usr/lib/"
~# mkdir -p "$JAIL/usr/sbin/"
~# mkdir -p "$JAIL/var/run"
~# mkdir -p "$JAIL/proc"
~# mkdir -p "$JAIL/tmp"

2 - Creation of a new user:

adduser --home $JAIL --shell "/bin/false" --no-create-home --system --group $OWN_GRP

3 - Which libs does nginx use?

ldd /usr/sbin/nginx | grep -o "/\(usr\|lib\)/[^ ]*"

4 - Copy all libs used by the currently installed nginx version:

~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libpthread.so.0" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libcrypt.so.1" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/libpam.so.0" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libm.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/liblua5.1.so.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libexpat.so.1" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libpcre.so.3" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/i686/cmov/libssl.so.1.0.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/usr/lib/$TTBITS_LIBDIR/i686/cmov/libcrypto.so.1.0.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libdl.so.2" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/$TTBITS_LIBDIR/libz.so.1" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libxml2.so.2" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libxslt.so.1" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libexslt.so.0" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libgd.so.2" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/libGeoIP.so.1" "$JAIL/usr/lib/"
~# cp "/usr/lib/libperl.so.5.14" "$JAIL/usr/lib/"
~# cp "/lib/$TTBITS_LIBDIR/i686/cmov/libc.so.6" "$JAIL/lib/$TTBITS_LIBDIR/i686/cmov/"
~# cp "/lib/ld-linux.so.2" "$JAIL/lib/"
~# cp "/lib/$TTBITS_LIBDIR/liblzma.so.5" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libgcrypt.so.11" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libXpm.so.4" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libX11.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libjpeg.so.8" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libfontconfig.so.1" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libfreetype.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libpng12.so.0" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/lib/$TTBITS_LIBDIR/libgpg-error.so.0" "$JAIL/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libxcb.so.1" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libXau.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"
~# cp "/usr/lib/$TTBITS_LIBDIR/libXdmcp.so.6" "$JAIL/usr/lib/$TTBITS_LIBDIR/"

5 - Other files required

~# cp "/etc/mime.types" $JAIL/etc/mime.types
~# cp "/etc/hosts" $JAIL/etc/hosts
~# cp "/usr/sbin/nginx" "$JAIL/usr/sbin/nginx"
~# cp -R /etc/nginx/* "$JAIL/etc/nginx"

6 - passwd, group, shadow files ...

~# grep "$OWN_GRP" "/etc/passwd" > "$JAIL/etc/passwd"
~# grep "$OWN_GRP" "/etc/group" > "$JAIL/etc/group"
~# grep "$OWN_GRP" "/etc/shadow" > "$JAIL/etc/shadow"
~# grep "$OWN_GRP" "/etc/gshadow" > "$JAIL/etc/gshadow"

7 - nginx service file: mount/umount of the new file systems

~# cp /etc/systemd/system/nginx.service /etc/systemd/system/nginx.service.original
~# cat << EOF > /etc/systemd/system/nginx.service
[Unit]
Description=A high performance web server and a reverse proxy server
After=syslog.target network.target

[Service]
Type=forking
PIDFile=/var/chroot/nginx/var/run/nginx.pid
ExecStartPre=/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecStart=mount -t tmpfs none $JAIL/run -o 'noexec,size=1M';mount -t tmpfs none $JAIL/tmp -o 'noexec,size=100M';/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecReload=umount $JAIL/run ;umount $JAIL/tmp ;mount -t tmpfs none $JAIL/run -o 'noexec,size=1M';mount -t tmpfs none $JAIL/tmp -o 'noexec,size=100M';/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
ExecStop=umount $JAIL/run ;umount $JAIL/tmp ;/usr/sbin/chroot --userspec=$OWN_GRP:$OWN_GRP $JAIL /usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit

[Install]
WantedBy=multi-user.target
EOF

8 - My /etc/init.d/nginx:

~# cat << 'EOF' > /etc/init.d/nginx
#!/bin/sh

### BEGIN INIT INFO
# Provides:          nginx
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the nginx web server
# Description:       starts nginx using start-stop-daemon
### END INIT INFO

CHRDIR=/var/chroot/chroot_nginx

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DAEMON=/usr/sbin/nginx
NAME=chroot_nginx
DESC=chroot_nginx

# Include nginx defaults if available
if [ -f /etc/default/nginx ]; then
. /etc/default/nginx
fi

test -x $DAEMON || exit 0

set -e

. /lib/lsb/init-functions

test_nginx_config() {
if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then
    return 0
else
    $DAEMON -t $DAEMON_OPTS
    return $?
fi
}

case "$1" in
start)
    echo -n "Starting $DESC: "
    test_nginx_config
    # Check if the ULIMIT is set in /etc/default/nginx
    if [ -n "$ULIMIT" ]; then
        # Set the ulimits
        ulimit $ULIMIT
    fi
    #start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS || true
    mount -t tmpfs none $CHRDIR/proc -o 'noexec,size=1M'
    mount -t tmpfs none $CHRDIR/tmp -o 'noexec,size=100M'
    start-stop-daemon --start --quiet --pidfile "$CHRDIR/$PIDFILE" --exec $DAEMON --chroot $CHRDIR -- $DAEMON_OPTS || true
    echo "$NAME."
    ;;

stop)
    echo -n "Stopping $DESC: "
    #start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON || true
    start-stop-daemon --stop --quiet --pidfile "$CHRDIR/$PIDFILE"  --exec $DAEMON --chroot $CHRDIR -- $DAEMON_OPTS || true 
    umount $CHRDIR/proc
    umount $CHRDIR/tmp
    echo "$NAME."
    ;;

restart|force-reload)
    echo -n "Restarting $DESC: "
    umount $CHRDIR/proc
    umount $CHRDIR/tmp
    mount -t tmpfs none $CHRDIR/proc -o 'noexec,size=1M'
    mount -t tmpfs none $CHRDIR/tmp -o 'noexec,size=100M'

    start-stop-daemon --stop --quiet --pidfile "$CHRDIR/$PIDFILE" --chroot $CHRDIR --exec $DAEMON || true

    sleep 1
    test_nginx_config
    # Check if the ULIMIT is set in /etc/default/nginx
    if [ -n "$ULIMIT" ]; then
        # Set the ulimits
        ulimit $ULIMIT
    fi
    start-stop-daemon --start --quiet --pidfile \
        /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS || true
    echo "$NAME."
    ;;

reload)
    echo -n "Reloading $DESC configuration: "
    test_nginx_config
    #start-stop-daemon --stop --signal HUP --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON || true
    echo -n "Reloading: $NAME" 
     start-stop-daemon --stop --signal HUP --quiet --pidfile "$CHRDIR/$PIDFILE" --name $NAME || true
    echo "$NAME."
    ;;

configtest|testconfig)
    echo -n "Testing $DESC configuration: "
    if test_nginx_config; then
        echo "$NAME."
    else
        exit $?
    fi
    ;;

status)
    status_of_proc -p /var/run/$NAME.pid "$DAEMON" nginx && exit 0 || exit $?
    ;;
*)
    echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
    exit 1
    ;;
esac

exit 0
EOF

9 - Quick nginx config:

sed -i "s/user .*;/user $OWN_GRP;/g" "$JAIL/etc/nginx/nginx.conf"

10 - Allow nginx to bind the socket:

~# setcap 'cap_net_bind_service=+ep' $JAIL/usr/sbin/nginx

11 - Start the nginx service:

~# service nginx start
OUTPUT:
Starting chroot_nginx: nginx: [emerg] getpwnam("chroot_nginx") failed (2: No such file or directory) in /etc/nginx/nginx.conf:1
chroot_nginx.

12 - Other checks:

~# cat /etc/passwd|grep "chroot_nginx"
chroot_nginx:x:136:143::/var/chroot/chroot_nginx:/bin/false
~# ls -las /var/chroot/chroot_nginx/
total 24K
drwxr-xr-x 8 root root 4,0K févr. 19 19:15 .
drwxr-xr-x 3 root root 4,0K févr. 19 19:15 ..
drwxr-xr-x 3 root root 4,0K févr. 19 19:15 etc
drwxr-xr-x 3 root root 4,0K févr. 19 19:15 lib
drwxrwxrwt 2 root root   40 févr. 19 19:19 proc
drwxrwxrwt 2 root root   40 févr. 19 19:19 tmp
drwxr-xr-x 4 root root 4,0K févr. 19 19:15 usr
drwxr-xr-x 4 root root 4,0K févr. 19 19:15 var

First, the configuration file reported is /etc/nginx/nginx.conf and not /var/chroot/chroot_nginx/etc/nginx/nginx.conf; is this normal? Secondly, my user was not found ...

Where am I wrong?

I also saw in other posts on stackoverflow that a chrooted process in /usr/sbin will lose its security properties? My question is why? Do all programs in this folder have the bit set? Apparently it is not activated. If this is the case, my knowledge has not yet let me understand it; thank you for guiding me.

I also have doubts about mounting the file system in the ExecStartPre command of the nginx service file and the paths indicated ... So if you have an idea to guide me, or see a mistake or a missing step, or have a good tutorial, please advise me ...

I am learning on my own, so please be kind :) Thank you very much for your time.

Ephemeral
  • 244
  • 1
  • 10
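Steps 3 and 4 of the post copy libraries by hand from the ldd output. As an added example (not from the original post), the POSIX sh helpers below do that check mechanically: list what the jail still lacks, copy what ldd reports to the same path inside the jail, and derive the glibc NSS modules (libnss_*.so.2) that ldd never lists because libc dlopen()s them only when getpwnam()/getgrnam() run, which is the lookup nginx reports failing in step 11. All function names are my own.

```shell
# Added example, not from the original post: helpers to check which of a binary's
# shared libraries are still missing from a chroot jail, copy them in, and list the
# glibc NSS modules that ldd never shows. Function names are my own.

# Keep the first absolute path on each ldd line; lines without one
# ("linux-gate.so.1 => (0x...)" or "=> not found") are skipped.
ldd_paths() {
    sed -n 's#^[^/]*\(/[^ ]*\).*#\1#p'
}

# Usage: ldd /usr/sbin/nginx | jail_missing_libs "$JAIL"
# Prints every library from the ldd output on stdin that does not exist under the jail.
jail_missing_libs() {
    jail=$1
    ldd_paths | while IFS= read -r lib; do
        [ -e "$jail$lib" ] || printf '%s\n' "$lib"
    done
}

# Usage: ldd /usr/sbin/nginx | jail_copy_libs "$JAIL"
# Copies each library to the same path inside the jail, creating directories as needed.
# -L dereferences the symlink so the real object (not a dangling link) lands in the jail.
jail_copy_libs() {
    jail=$1
    ldd_paths | while IFS= read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"
    done
}

# Usage: nss_modules /etc/nsswitch.conf /lib/i386-linux-gnu
# libc loads NSS modules with dlopen() when getpwnam()/getgrnam() run, so ldd does not
# list them. Derive them from the passwd: and group: lines of nsswitch.conf:
# "passwd: compat files" -> libnss_compat.so.2 libnss_files.so.2. Action tokens such as
# "[NOTFOUND=return]" are not modules and are skipped.
nss_modules() {
    nsswitch=$1 libdir=$2
    awk '$1 == "passwd:" || $1 == "group:" { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }' "$nsswitch" \
        | sort -u | while IFS= read -r svc; do
            printf '%s/libnss_%s.so.2\n' "$libdir" "$svc"
        done
}
```

Run `ldd /usr/sbin/nginx | jail_missing_libs "$JAIL"` after step 4 to see what was skipped, and copy the files printed by nss_modules into the jail's lib directory so the user lookup in step 11 can succeed inside the chroot.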
  • What is the purpose? – VBart Feb 21 '14 at 13:16
  • The aim is to isolate the nginx processes as much as possible in case of injection of arbitrary code (shellcode etc ...). I was looking to reduce privileges to the minimum, but maybe I'm not on the right track; your advice is welcome ... thanks, but it may be that this is useless too. What is the purpose of Securing Debian Manual Appendix H then???? – Ephemeral Feb 21 '14 at 19:01
  • But I could see, of course, that nginx has a master process and then worker processes running as the user nginx was configured with ... would chrooting all of this bring me extra security? – Ephemeral Feb 21 '14 at 19:20
  • Chrooting the master process doesn't introduce better security; instead it introduces only pain for you. There are two reasons for that: 1. the nginx master doesn't accept connections and doesn't process any requests, so it's secure and isolated by default, and 2. chrooting isn't a security tool and never was; it can be easily escaped, see: https://lwn.net/Articles/252794/. – VBart Feb 21 '14 at 20:05
  • Thanks very much again for your time VBart ... – Ephemeral Feb 21 '14 at 20:39

0 Answers