-rw-r--r-- | usr.sbin/nginx/src/core/nginx.c | 5 | ||||
-rw-r--r-- | usr.sbin/nginx/src/core/ngx_cycle.c | 12 | ||||
-rw-r--r-- | usr.sbin/nginx/src/http/ngx_http_core_module.c | 9 | ||||
-rw-r--r-- | usr.sbin/nginx/src/os/unix/ngx_process_cycle.c | 8 | ||||
-rw-r--r-- | usr.sbin/nginx/src/os/unix/ngx_process_cycle.h | 1 |
5 files changed, 30 insertions, 5 deletions
diff --git a/usr.sbin/nginx/src/core/nginx.c b/usr.sbin/nginx/src/core/nginx.c
index b8bab37e3f5..b578617bee2 100644
--- a/usr.sbin/nginx/src/core/nginx.c
+++ b/usr.sbin/nginx/src/core/nginx.c
@@ -238,6 +238,7 @@ main(int argc, char *const *argv)
 NGX_CONF_PATH ")" CRLF
 " -g directives : set global directives out of configuration "
 "file" CRLF
+ " -u : disable chroot(2)" CRLF
 );
 }
@@ -764,6 +765,10 @@ ngx_get_options(int argc, char *const *argv)
 ngx_log_stderr(0, "invalid option: \"-s %s\"", ngx_signal);
 return NGX_ERROR;
+ case 'u':
+ ngx_chrooted = 0;
+ break;
+
 default:
 ngx_log_stderr(0, "invalid option: \"%c\"", *(p - 1));
 return NGX_ERROR;
diff --git a/usr.sbin/nginx/src/core/ngx_cycle.c b/usr.sbin/nginx/src/core/ngx_cycle.c
index a035fcdc47b..59b70841eb5 100644
--- a/usr.sbin/nginx/src/core/ngx_cycle.c
+++ b/usr.sbin/nginx/src/core/ngx_cycle.c
@@ -1115,6 +1115,7 @@ ngx_reopen_files(ngx_cycle_t *cycle, ngx_uid_t user)
 ngx_uint_t i;
 ngx_list_part_t *part;
 ngx_open_file_t *file;
+ char *buf;
 part = &cycle->open_files.part;
 file = part->elts;
@@ -1136,12 +1137,15 @@ ngx_reopen_files(ngx_cycle_t *cycle, ngx_uid_t user)
 len = file[i].pos - file[i].buffer;
- if ((ngx_process == NGX_PROCESS_WORKER) && file[i].name.data[0] == '/') {
- ngx_cpystrn(file[i].name.data, file[i].name.data + strlen(NGX_PREFIX),
+ if ((ngx_process == NGX_PROCESS_WORKER) && ngx_chrooted && file[i].name.data[0] == '/') {
+ buf = malloc(file[i].name.len);
+ ngx_cpystrn(buf, file[i].name.data + strlen(NGX_PREFIX),
 file[i].name.len);
- while (file[i].name.data[0] == '/') {
- file[i].name.data++;
+ while (buf[0] == '/') {
+ buf++;
 }
+ ngx_str_set(&file[i].name, buf);
+ free(buf);
 }
 if (file[i].buffer && len != 0) {
diff --git a/usr.sbin/nginx/src/http/ngx_http_core_module.c b/usr.sbin/nginx/src/http/ngx_http_core_module.c
index cd4ed2cacb3..f65dd2f1244 100644
--- a/usr.sbin/nginx/src/http/ngx_http_core_module.c
+++ b/usr.sbin/nginx/src/http/ngx_http_core_module.c
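Review bot: In the second ngx_cycle.c hunk, `ngx_str_set(&file[i].name, buf)` followed by `free(buf)` leaves file[i].name.data pointing at freed memory, and because `buf` was advanced by the `while (buf[0] == '/')` loop, `free(buf)` is also passed a pointer that malloc() never returned — undefined behaviour that OpenBSD's malloc typically aborts on. ngx_str_set is nginx's string-literal macro (`(str)->len = sizeof(text) - 1`), so applied to a `char *` it sets the length to `sizeof(char *) - 1` instead of the path length; the malloc() result is unchecked, and, as in the removed code, nothing verifies the name actually starts with NGX_PREFIX before `strlen(NGX_PREFIX)` bytes are skipped, so an absolute log path outside the prefix becomes garbage. The worker owns its copy of the cycle after fork(), which is what the removed in-place rewrite relied on, so the simplest fix is to keep adjusting `data` in place and also fix up `len` (dropping `char *buf` from the first hunk); if a copy is really wanted it should come from `cycle->pool`, never malloc/free. ngx_reopen_files continues outside the hunk.
```c
        if ((ngx_process == NGX_PROCESS_WORKER) && ngx_chrooted
            && file[i].name.data[0] == '/')
        {
            u_char  *p = file[i].name.data;
            size_t   n = file[i].name.len;
            size_t   plen = strlen(NGX_PREFIX);

            /* only rewrite names that really live under the chroot prefix */
            if (n >= plen && ngx_strncmp(p, NGX_PREFIX, plen) == 0) {
                p += plen;
                n -= plen;

                /* make the path relative to the worker's new root;
                 * data[0] != '/' afterwards, so a later reopen is a no-op */
                while (n > 0 && p[0] == '/') {
                    p++;
                    n--;
                }

                file[i].name.data = p;
                file[i].name.len = n;
            }
        }
        /* … unchanged: buffer flush and reopen … */
```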
@@ -3338,6 +3338,7 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 {
 ngx_http_core_loc_conf_t *prev = parent;
 ngx_http_core_loc_conf_t *conf = child;
+ char *buf;
 ngx_uint_t i;
 ngx_hash_key_t *type;
@@ -3357,6 +3358,14 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 return NGX_CONF_ERROR;
 }
 }
+
+ if (ngx_chrooted) {
+ buf = malloc(conf->root.len);
+ ngx_cpystrn(buf, conf->root.data + strlen(NGX_PREFIX) - 1,
+ conf->root.len);
+ ngx_str_set(&conf->root, buf);
+ free(buf);
+ }
 }
 if (conf->post_action.data == NULL) {
diff --git a/usr.sbin/nginx/src/os/unix/ngx_process_cycle.c b/usr.sbin/nginx/src/os/unix/ngx_process_cycle.c
index 8079be69646..1c385419c9e 100644
--- a/usr.sbin/nginx/src/os/unix/ngx_process_cycle.c
+++ b/usr.sbin/nginx/src/os/unix/ngx_process_cycle.c
@@ -48,6 +48,7 @@ sig_atomic_t ngx_reopen;
 sig_atomic_t ngx_change_binary;
 ngx_pid_t ngx_new_binary;
 ngx_uint_t ngx_inherited;
+ngx_uint_t ngx_chrooted = 1;
 ngx_uint_t ngx_daemonized;
 sig_atomic_t ngx_noaccept;
@@ -888,6 +889,10 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_uint_t priority)
 #endif
 if (geteuid() == 0) {
+ if (!ngx_chrooted) {
+ goto nochroot;
+ }
+
 if ((pw = getpwnam(ccf->username)) == NULL) {
 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
 "getpwnam(%s) failed", ccf->username);
@@ -922,7 +927,8 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_uint_t priority)
 /* fatal */
 exit(2);
 }
-
+
+nochroot:
 if (setgid(ccf->group) == -1) {
 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
 "setgid(%d) failed", ccf->group);
diff --git a/usr.sbin/nginx/src/os/unix/ngx_process_cycle.h b/usr.sbin/nginx/src/os/unix/ngx_process_cycle.h
index e6cef6b3f96..3bd292dfa0b 100644
--- a/usr.sbin/nginx/src/os/unix/ngx_process_cycle.h
+++ b/usr.sbin/nginx/src/os/unix/ngx_process_cycle.h
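Review bot: The new `if (ngx_chrooted)` block in the second ngx_http_core_module.c hunk stores `buf` into conf->root via `ngx_str_set(&conf->root, buf)` and then frees it on the next line, so the root every request is served from is a dangling heap pointer for the lifetime of the configuration; ngx_str_set is also nginx's string-literal macro, so `root.len` becomes `sizeof(char *) - 1` rather than the path length, and malloc() is unchecked. As far as the surviving context shows, the block sits inside `if (conf->root.data == NULL)` after the inherited or default root is resolved, which would mean a `root` written explicitly in a server/location is never rewritten while an inherited one is stripped again at every merge level after its parent was already stripped — if that reading is right, the rewrite belongs in one place (right after `ngx_conf_full_name()` yields the absolute default, or in the `root` directive handler) and must run exactly once. Whatever the placement, it should be an in-place `data`/`len` adjustment guarded by a prefix check, and the `strlen(NGX_PREFIX) - 1` only keeps a leading `/` if NGX_PREFIX ends in `/`, which deserves a comment. ngx_http_core_merge_loc_conf starts and ends outside the hunk.
```c
    if (ngx_chrooted) {
        /* NGX_PREFIX is the worker's chroot; it is assumed to end in '/',
         * which is kept so root stays an absolute path inside the chroot */
        size_t  plen = strlen(NGX_PREFIX) - 1;

        if (conf->root.len > plen
            && ngx_strncmp(conf->root.data, NGX_PREFIX, plen) == 0)
        {
            conf->root.data += plen;
            conf->root.len -= plen;
        }
    }
```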
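Review bot: In the ngx_worker_process_init hunks, `goto nochroot` skips the chroot silently; a worker running without its chroot is a material loss of hardening that an operator should be able to see in the error log, so log it where the jump is taken, e.g. `ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "chroot(2) disabled by -u");` before the goto. The label lands inside the `if (geteuid() == 0)` block just before `setgid()`, so the uid/gid drop still happens with `-u`; a one-line comment at `nochroot:` saying exactly that would stop the label name from being read as "skip privilege dropping". Style-wise the forward goto can be replaced by wrapping the getpwnam/chroot sequence in `if (ngx_chrooted) { … }`, which makes the skipped span explicit; the function starts and ends outside the hunk, so whether `pw` is used after the label (it is uninitialised on the `-u` path) cannot be seen here and should be checked.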
@@ -41,6 +41,7 @@ extern ngx_uint_t ngx_process;
 extern ngx_pid_t ngx_pid;
 extern ngx_pid_t ngx_new_binary;
 extern ngx_uint_t ngx_inherited;
+extern ngx_uint_t ngx_chrooted;
 extern ngx_uint_t ngx_daemonized;
 extern ngx_uint_t ngx_threaded;
 extern ngx_uint_t ngx_exiting; |