summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Nagy <robert@cvs.openbsd.org>2011-09-22 23:48:55 +0000
committerRobert Nagy <robert@cvs.openbsd.org>2011-09-22 23:48:55 +0000
commitbbd8966503f516037dd26c38b7cf66ba775ebdd1 (patch)
treec404882849b2ab4a67b6f06a5f004d0414d4af8b
parente4eab3315dc695701bbc86aff629f6742153e7c1 (diff)
unconditionally chroot to the www user's homedir by default
-rw-r--r--usr.sbin/nginx/src/os/unix/ngx_process_cycle.c37
1 files changed, 37 insertions, 0 deletions
diff --git a/usr.sbin/nginx/src/os/unix/ngx_process_cycle.c b/usr.sbin/nginx/src/os/unix/ngx_process_cycle.c
index 3ff0f75c6a2..8079be69646 100644
--- a/usr.sbin/nginx/src/os/unix/ngx_process_cycle.c
+++ b/usr.sbin/nginx/src/os/unix/ngx_process_cycle.c
@@ -832,6 +832,8 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_uint_t priority)
sigset_t set;
ngx_int_t n;
ngx_uint_t i;
+ struct passwd *pw;
+ struct stat stb;
struct rlimit rlmt;
ngx_core_conf_t *ccf;
ngx_listening_t *ls;
@@ -886,6 +888,41 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_uint_t priority)
#endif
if (geteuid() == 0) {
+ if ((pw = getpwnam(ccf->username)) == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "getpwnam(%s) failed", ccf->username);
+ /* fatal */
+ exit(2);
+ }
+
+ if (stat(pw->pw_dir, &stb) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "stat(%s) failed", pw->pw_dir);
+ /* fatal */
+ exit(2);
+ }
+
+ if (stb.st_uid != 0 || (stb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "bad privsep dir permissions on %s", pw->pw_dir);
+ /* fatal */
+ exit(2);
+ }
+
+ if (chroot(pw->pw_dir) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "chroot(%s) failed", pw->pw_dir);
+ /* fatal */
+ exit(2);
+ }
+
+ if (chdir("/") == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "chdir(\"/\") failed");
+ /* fatal */
+ exit(2);
+ }
+
if (setgid(ccf->group) == -1) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
"setgid(%d) failed", ccf->group);