<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Arial; font-size: 10pt; color: #000000'>The process model of NGINX would make it almost impossible for NGINX worker process itself to chroot.<br><br>The reason for this is that an NGINX worker process uses a set of asynchronous handlers to convey the impression of simultaneous request processing.<br>When a process calls a chroot(), it is impossible to get back out of the new root, unless a directory outside the root was opened (opendir/dirfd) before the chroot.<br>Since worker process in NGINX doesn't exit() on its own, chroot()ing it would not be a good idea.<br><br>Given the NGINX architecture, it is all but impossible to implement chroot, say, based on a virtual host, etc.<br><br>Executing other programs, on the other hand, is a different topic.<br>For instance, apache uses the suexec wrapper to spawn CGI scripts. if NGINX gets support for CGI in the future, then the wrapper could conceivably support chroot(), because a CGI program runs in its own process.<br><br>Running NGINX in private root itself, that's a separate matter, and that should be doable as long as all the libraries that NGINX links to, are present under the new root.<br><br><br>----- Original Message -----<br>From: "Almir Karic" <almir@kiberpipa.org><br>To: nginx@sysoev.ru<br>Sent: Monday, September 1, 2008 2:30:12 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi<br>Subject: Re: how to chroot nginx<br><br>On Mon, Sep 01, 2008 at 10:22:06AM +0200, Robert Gabriel wrote:<br>> Is it possible to chroot nginx also fastcgi? if yes, how?<br><br>AFAIK nginx itself doesn't have chroot feature.<br><br>as for FCGI, well, depends on the way you are spawning FCGI processes,<br>lighttpd's spawn-fcgi for example has -c which allows it to be chrooted.<br><br>-- <br>vi vi vi -- the number fo the beast<br><br></div></body></html>