israelshirk · December 31, 2015 14:09
diff --git a/make_chroot_jail.sh b/make_chroot_jail.sh
 #!/bin/sh
 #
 # (c) Copyright by Wolfgang Fuschlberger...  
 #    Cheaply hacked as a proof of concept by Israel Shirk, December 2013.
 #
 #    This program is free software; you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation; either version 2 of the License, or
 #    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #    ( http://www.fsf.org/licenses/gpl.txt )
 #####################################################################

 # first Release: 2004-07-30
 RELEASE="2013-12-16"
 #
 # The latest version of the script is available at
 #   http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
 #
 # Feedback is welcome!
 #
 # Thanks for Bugfixes / Enhancements to 
 # Michael Prokop <http://www.michael-prokop.at/chroot/>,
 # Randy K., Randy D., Jonathan Hunter and everybody else.
 #####################################################################
 #
 # Features:
 # - enable scp and sftp in the chroot-jail
 # - use one directory (default /home/jail/) as chroot for all users
 # - create new accounts
 # - move existing accounts to chroot
 #####################################################################

 # path to sshd's config file: needed for automatic detection of the locaten of
 # the sftp-server binary
 SSHD_CONFIG="/etc/ssh/sshd_config"

 # Check if we are called with username or update
 if [ -z "$1" ] ; then
  echo
  echo "ERROR: Parameter missing. Did you forget the username?"
  echo "-------------------------------------------------------------"
  echo
  echo "USAGE:"
  echo "Create new chrooted account or"
  echo "add existing User to chroot-jail:"
  echo "-> $0 username"
  echo
  echo "or specify the chroot-shell file and path where the jail should be located:"
  echo "-> $0 username [/path/to/chroot-shell [/path/to/jail]]"
  echo "Default shell       = /bin/chroot-shell"
  echo "Default chroot-path = /home/jail"
  echo "-------------------------------------------------------------"
  echo
  echo "Updating files in the chroot-jail:"
  echo "-> $0 update [/path/to/chroot-shell [/path/to/jail]]"
  echo "-------------------------------------------------------------"
  echo
  echo "To uninstall:"
  echo " # userdel \$USER"
  echo " # rm -rf /home/jail"
  echo " (this deletes all Users' files!)"
  echo " # rm -f /bin/chroot-shell"
  echo " manually delete the User's line from /etc/sudoers"
  echo 
  echo "Missing features:  Should be able to switch off extra services + binaries that are unused."
  echo 
  echo "\!Needs checks on various PHP features that integrate with DSO'S and external configs - like OpenSSL."
  echo "I've quoted stuff a little better than the previous version, but only on changed code"
  echo "so don't feed arbitrary input to it or use when paths outside the chroot could have interesting characters"
  echo "in them."
  echo 
  echo "Ideally, you'd just use this to make a template, then cp -la <template> <dest>"


  exit
 fi

 if [ -z "$PATH" ] ; then 
  PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin
 fi

 echo
 echo Release: $RELEASE
 echo

 echo "Am I root?  "
 if [ "$(whoami &2>/dev/null)" != "root" ] && [ "$(id -un &2>/dev/null)" != "root" ] ; then
  echo "  NO!

 Error: You must be root to run this script."
  exit 1
 fi
 echo "  OK";

 # Check existence of necessary files
 echo "Checking distribution... "
 if [ -f /etc/debian_version ];
  then echo "  Supported Distribution found"
       echo "  System is running Debian Linux"
       DISTRO=DEBIAN;
 elif [ -f /etc/SuSE-release ];
  then echo "  Supported Distribution found"
       echo "  System is running SuSE Linux"
       DISTRO=SUSE;
 elif [ -f /etc/fedora-release ];
  then echo "  Supported Distribution found"
       echo "  System is running Fedora Linux"
       DISTRO=FEDORA;
 elif [ -f /etc/redhat-release ];
  then echo "  Supported Distribution found"
       echo "  System is running Red Hat Linux"
       DISTRO=REDHAT;
 else echo -e "  failed...........\nThis script works best on Debian, Red Hat, Fedora and SuSE Linux!\nLet's try it nevertheless....\nIf some program files cannot be found adjust the respective path in line 98\n"
 #exit 1
 fi

 # Specify the apps you want to copy to the jail
 if [ "$DISTRO" = SUSE ]; then
  APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/netcat /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
 elif [ "$DISTRO" = FEDORA ]; then
  APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
 elif [ "$DISTRO" = REDHAT ]; then
  APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
 elif [ "$DISTRO" = DEBIAN ]; then
  APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
 else
  APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /usr/sbin/unix_chkpwd"
 fi

 # Check existence of necessary files
 echo "Checking for which... " 
 #if [ -f $(which which) ] ;
 # not good because if which does not exist I look for an 
 # empty filename and get OK nevertheless
 if ( test -f /usr/bin/which ) || ( test -f /bin/which ) || ( test -f /sbin/which ) || ( test -f /usr/sbin/which );
  then echo "  OK";
  else echo "  failed

 Please install which-binary!
 "
 exit 1
 fi

 echo "Checking for chroot..." 
 if [ `which chroot` ];
  then echo "  OK";
  else echo "  failed

 chroot not found!
 Please install chroot-package/binary!
 "
 exit 1
 fi

 echo "Checking for sudo..." 
 if [ `which sudo` ]; then
  echo "  OK";
 else 
  echo "  failed

 sudo not found!
 Please install sudo-package/binary!
 "
 exit 1
 fi

 echo "Checking for dirname..." 
 if [ `which dirname` ]; then
  echo "  OK";
 else 
  echo "  failed

 dirname not found!
 Please install dirname-binary (to be found eg in the package coreutils)!
 "
 exit 1
 fi

 echo "Checking for awk..." 
 if [ `which awk` ]; then
  echo "  OK
 ";
 else 
  echo "  failed

 awk not found!
 Please install (g)awk-package/binary!
 "
 exit 1
 fi

 function link_copy() {
  echo "Copying $1 to $2/$1"
  # If it's a directory, create it and return
  # echo rsync -avz -H --numeric-ids "$1" "$2/$1"
  # 
  if [ ! -d "`dirname $2/$1`" ]; then
    mkdir -p "`dirname \"$2/$1\"`"
  fi

  cp -ald "$1" "$2/$1" >& /dev/null

  if [ $? -ne 0 ]; then
    cp -a -d "$1" "$2/$1"
  fi
 }

 # get location of sftp-server binary from /etc/ssh/sshd_config
 # check for existence of /etc/ssh/sshd_config and for
 # (uncommented) line with sftp-server filename. If neither exists, just skip
 # this step and continue without sftp-server
 #
 #if  (test ! -f /etc/ssh/sshd_config &> /dev/null); then
 #  echo "
 #File /etc/ssh/sshd_config not found.
 #Not checking for path to sftp-server.
 #  ";
 #else
 if [ ! -f ${SSHD_CONFIG} ]
 then
   echo "File ${SSHD_CONFIG} not found."
   echo "Not checking for path to sftp-server."
   echo "Please adjust the global \$SSHD_CONFIG variable"
 else
  if !(grep -v "^#" ${SSHD_CONFIG} | grep -i sftp-server &> /dev/null); then
    echo "Obviously no sftp-server is running on this system.
 ";
  else SFTP_SERVER=$(grep -v "^#" ${SSHD_CONFIG} | grep -i sftp-server | awk  '{ print $3}')
  fi
 fi

 OPENSSL="`ls /usr/lib64/openssl/engines/lib*so`"
 PHP_FPM="`ls /usr/sbin/php-fpm`"
 PHP="`ls /usr/bin/php` `ls /usr/lib64/php*/modules/*so` `ls /usr/lib64/libmysql*so`"

 #if !(grep -v "^#" /etc/ssh/sshd_config | grep -i sftp-server /etc/ssh/sshd_config | awk  '{ print $3}' &> /dev/null); then
 APPS="$APPS $SFTP_SERVER $PHP_FPM $PHP $OPENSSL"

 # Get accountname to create / move
 CHROOT_USERNAME=$1

 if ! [ -z "$2" ] ; then
  SHELL=$2
 else
  SHELL=/bin/chroot-shell
 fi

 if ! [ -z "$3" ] ; then
  JAILPATH=$3
 else
  JAILPATH=/var/www/vhosts/
 fi

 # Exit if user already exists
 #id $CHROOT_USERNAME > /dev/null 2>&1 && { echo "User exists."; echo "Exiting."; exit 1; }

 # Check if user already exists and ask for confirmation
 # we have to trust that root knows what she is doing when saying 'yes'
 if ( id $CHROOT_USERNAME > /dev/null 2>&1 ) ; then {
 echo "
 -----------------------------
 User $CHROOT_USERNAME exists. 

 Are you sure you want to modify the users home directory and lock him into the
 chroot directory?
 Are you REALLY sure?
 Say only yes if you absolutely know what you are doing!"
  read -p "(yes/no) -> " MODIFYUSER
  if [ "$MODIFYUSER" != "yes" ]; then
    echo "
 Not entered yes. Exiting...."
    exit 1
  fi
 }
 else
  CREATEUSER="yes"
 fi

 # Create $SHELL (shell for jailed accounts)
 if [ -f ${SHELL} ] ; then
  echo "
 -----------------------------
 The file $SHELL exists. 
 Probably it was created by this script.

 Are you sure you want to overwrite it?
 (you want to say yes for example if you are running the script for the second
 time when adding more than one account to the jail)"
 read -p "(yes/no) -> " OVERWRITE
 if [ "$OVERWRITE" != "yes" ]; then
  echo "
 Not entered yes. Exiting...."
  exit 1
 fi
 else
  echo "Creating $SHELL"
  echo '#!/bin/sh' > $SHELL
  echo "`which sudo` `which chroot` $JAILPATH /bin/su - \$USER" \"\$@\" >> $SHELL
  chmod 755 $SHELL
 fi

 # make common jail for everybody if inexistent
 if [ ! -d ${JAILPATH} ] ; then
  mkdir -p ${JAILPATH}
  echo "Creating ${JAILPATH}"
 fi
 cd ${JAILPATH}

 if [ -h "${JAILPATH}/lib" ]; then
  rm -f "${JAILPATH}/lib"
 fi

 if [ -h "${JAILPATH}/lib64" ]; then
  rm -f "${JAILPATH}/lib64"
 fi

 # Create directories in jail that do not exist yet
 JAILDIRS="dev etc etc/pam.d bin home sbin usr usr/bin usr/lib"
 for directory in $JAILDIRS ; do
  if [ ! -d "$JAILPATH/$directory" ] ; then
    mkdir $JAILPATH/"$directory"
    echo "Creating $JAILPATH/$directory"
  fi
 done
 echo

 # Comment in the following lines if your apache can't read the directories and
 # uses the security contexts
 # Fix security contexts so Apache can read files
 #CHCON=$(`which chcon`)
 #if [ -n "$CHCON" ] && [ -x $CHCON ]; then
 #    $CHCON -t home_root_t $JAILPATH/home
 #    $CHCON -t user_home_dir_t $JAILPATH/home/$CHROOT_USERNAME
 #fi

 # Creating necessary devices
 [ -r $JAILPATH/dev/urandom ] || mknod $JAILPATH/dev/urandom c 1 9
 [ -r $JAILPATH/dev/null ]    || mknod -m 666 $JAILPATH/dev/null    c 1 3
 [ -r $JAILPATH/dev/zero ]    || mknod -m 666 $JAILPATH/dev/zero    c 1 5
 [ -r $JAILPATH/dev/tty ]     || mknod -m 666 $JAILPATH/dev/tty     c 5 0 

 # if we only want to update the files in the jail
 # skip the creation of the new account
 if [ "$1" != "update" ]; then

 # Modifiy /etc/sudoers to enable chroot-ing for users
 # must be removed by hand if account is deleted
 echo "Modifying /etc/sudoers"
 echo "$CHROOT_USERNAME       ALL=NOPASSWD: `which chroot`, /bin/su - $CHROOT_USERNAME" >> /etc/sudoers

 # Define HomeDir for simple referencing
 HOMEDIR="$JAILPATH/home/$CHROOT_USERNAME"

 # Create new account, setting $SHELL to the above created script and
 # $HOME to $JAILPATH/home/*
 if [ "$CREATEUSER" != "yes" ] ; then echo "
 Not creating new User account
 Modifying User \"$CHROOT_USERNAME\" 
 Copying files in $CHROOT_USERNAME's \$HOME to \"$HOMEDIR\"
 "
 usermod -d "$HOMEDIR" -m -s "$SHELL" $CHROOT_USERNAME && chmod 700 "$HOMEDIR"
 fi

 if [ "$CREATEUSER" = "yes" ] ; then {
 echo "Adding User \"$CHROOT_USERNAME\" to system"
 useradd -m -d "$HOMEDIR" -s "$SHELL" $CHROOT_USERNAME && chmod 700 "$HOMEDIR"

 # Enter password for new account
 # if !(passwd $CHROOT_USERNAME);
 #   then echo "Passwords are probably not the same, try again."
 #   exit 1;
 # fi
 echo
 }
 fi

 # Create /usr/bin/groups in the jail
 echo "#!/bin/bash" > usr/bin/groups
 echo "id -Gn" >> usr/bin/groups
 chmod 755 usr/bin/groups

 # Add users to etc/passwd
 #
 # check if file exists (ie we are not called for the first time)
 # if yes skip root's entry and do not overwrite the file
 if [ ! -f etc/passwd ] ; then
 grep /etc/passwd -e "^root" > ${JAILPATH}/etc/passwd
 fi
 if [ ! -f etc/group ] ; then
 grep /etc/group -e "^root" > ${JAILPATH}/etc/group
 # add the group for all users to etc/group (otherwise there is a nasty error
 # message and probably because of that changing directories doesn't work with
 # winSCP)
 grep /etc/group -e "^users" >> ${JAILPATH}/etc/group
 fi

 # grep the username which was given to us from /etc/passwd and add it
 # to ./etc/passwd replacing the $HOME with the directory as it will then 
 # appear in the jail
 echo "Adding User $CHROOT_USERNAME to jail"
 grep -e "^$CHROOT_USERNAME:" /etc/passwd | \
 sed -e "s#$JAILPATH##"      \
     -e "s#$SHELL#/bin/bash#"  >> ${JAILPATH}/etc/passwd

 # if the system uses one account/one group we write the
 # account's group to etc/group
 grep -e "^$CHROOT_USERNAME:" /etc/group >> ${JAILPATH}/etc/group

 # write the user's line from /etc/shadow to /home/jail/etc/shadow
 grep -e "^$CHROOT_USERNAME:" /etc/shadow >> ${JAILPATH}/etc/shadow
 chmod 600 ${JAILPATH}/etc/shadow

 # endif for =! update
 fi

 # Copy the apps and the related libs
 echo "Copying necessary library-files to jail (may take some time)"

 # The original code worked fine on RedHat 7.3, but did not on FC3.
 # On FC3, when the 'ldd' is done, there is a 'linux-gate.so.1' that 
 # points to nothing (or a 90xb.....), and it also does not pick up
 # some files that start with a '/'. To fix this, I am doing the ldd
 # to a file called ldlist, then going back into the file and pulling
 # out the libs that start with '/'
 # 
 # Randy K.
 #
 # The original code worked fine on 2.4 kernel systems. Kernel 2.6
 # introduced an internal library called 'linux-gate.so.1'. This 
 # 'phantom' library caused non-critical errors to display during the 
 # copy since the file does not actually exist on the file system. 
 # To fix re-direct output of ldd to a file, parse the file and get 
 # library files that start with /
 #

 # create temporary files with mktemp, if that doesn't work for some reason use
 # the old method with $HOME/ldlist[2] (so I don't have to check the existence
 # of the mktemp package / binary at the beginning
 #
 TMPFILE1=`mktemp` &> /dev/null ||  TMPFILE1="${HOME}/ldlist"; if [ -x ${TMPFILE1} ]; then mv "${TMPFILE1}" "${TMPFILE1}.bak"; fi
 TMPFILE2=`mktemp` &> /dev/null ||  TMPFILE2="${HOME}/ldlist2"; if [ -x ${TMPFILE2} ]; then mv "${TMPFILE2}" "${TMPFILE2}.bak"; fi

 for app in $APPS;  do
    # First of all, check that this application exists
    if [ -e "$app" ]; then
        # Check that the directory exists; create it if not.
 #        app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1#'`
        app_path=`dirname $app`
        if ! [ -d ."$app_path" ]; then
            mkdir -p ."$app_path"
        fi

        # If the files in the chroot are on the same file system as the
        # original files you should be able to use hard links instead of
        # copying the files, too. Symbolic links cannot be used, because the
        # original files are outside the chroot.
        
        link_copy "$app" "${JAILPATH}"
        #if [[ "$app" != */bin/* ]]; then
        #  echo "linking $app"
        #  ln $app .$app

        #  if [ $? -ne 0 ]; then
        #    echo "link failed; copying $app"
        #    cp -a $app .$app
        #  fi
        #fi

        # get list of necessary libraries
        ldd "$app" >> ${TMPFILE1}
    fi
 done

 cat ${TMPFILE1}

 # Clear out any old temporary file before we start
 for libs in `cat "${TMPFILE1}"`; do
   frst_char="`echo $libs | cut -c1`"
   if [ "$frst_char" = "/" ]; then
     echo "$libs" >> ${TMPFILE2}
   fi
 done

 cat "${TMPFILE2}"

 for lib in `cat "${TMPFILE2}"`; do
    mkdir -p ".`dirname \"$lib\"`" > /dev/null 2>&1

  	# If the files in the chroot are on the same file system as the original
  	# files you should be able to use hard links instead of copying the files,
  	# too. Symbolic links cannot be used, because the original files are
  	# outside the chroot.
    #    if [[ "$lib" != */bin/* ]]; then
    #      echo "linking $lib"
    #      ln "$lib" ".$lib"
    #
    #      if [ $? -ne 0 ]; then
    #        echo "link failed; copying $lib"
    #        cp -a $lib .$lib
    #      fi
    #    fi
    #    

    link_copy "$lib" "${JAILPATH}"
 done

 #
 # Now, cleanup the 2 files we created for the library list
 #
 #/bin/rm -f ${HOME}/ldlist
 #/bin/rm -f ${HOME}/ldlist2
 /bin/rm -f "${TMPFILE1}"
 /bin/rm -f "${TMPFILE2}"

 # Necessary files that are not listed by ldd.
 #
 # There might be errors because of files that do not exist but in the end it
 # may work nevertheless (I added new file names at the end without deleting old
 # ones for reasons of backward compatibility).
 # So please test ssh/scp before reporting a bug.
 if [ "$DISTRO" = SUSE ]; then
  cp /lib/libnss_compat.so.2 /lib/libnss_files.so.2 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/
 elif [ "$DISTRO" = FEDORA ]; then
  cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/ld-ldb.so.3 /lib/ld-lsb.so.3 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/
  cp /lib/*.* ${JAILPATH}/lib/
  cp /usr/lib/libcrack.so.2 ${JAILPATH}/usr/lib/
 elif [ "$DISTRO" = REDHAT ]; then
  cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/ld-lsb.so.1 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/
  # needed for scp on RHEL
  echo "export LD_LIBRARY_PATH=/usr/kerberos/lib" >> ${JAILPATH}/etc/profile
 elif [ "$DISTRO" = DEBIAN ]; then
  cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ${JAILPATH}/lib/
 else
  cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ${JAILPATH}/lib/
 fi

 # if you are using a 64 bit system and have strange problems with login comment
 # the following lines in, perhaps it works then (motto: if you can't find the
 # needed library just copy all of them)
 #
 #cp /lib/*.* ${JAILPATH}/lib/
 #cp /lib/lib64/*.* ${JAILPATH}/lib/lib64/ 

 # if you are using PAM you need stuff from /etc/pam.d/ in the jail,
 echo "Copying files from /etc/pam.d/ to jail"
 link_copy "/etc/pam.d" "${JAILPATH}"

 # ...and of course the PAM-modules...
 echo "Copying PAM-Modules to jail"
 # cp -a /lib/security ${JAILPATH}/lib/
 link_copy "/lib/security" "${JAILPATH}"
 link_copy "/lib64/security" "${JAILPATH}"

 # ...and something else useful for PAM
 #cp -a /etc/security ${JAILPATH}/etc/
 link_copy "/etc/security" "${JAILPATH}"
 #cp /etc/login.defs ${JAILPATH}/etc/
 link_copy "/etc/login.defs" "${JAILPATH}"
 link_copy "/usr/share/zoneinfo" "${JAILPATH}"

 if [ -f /etc/DIR_COLORS ] ; then
  link_copy "/etc/DIR_COLORS" "${JAILPATH}"
  # cp /etc/DIR_COLORS ${JAILPATH}/etc/
 fi 

 set -x

 if [ -h "/lib" ]; then
  mkdir -p "${JAILPATH}/usr/lib"
  mv ${JAILPATH}/lib/* "${JAILPATH}/usr/lib/"
  rm -rf "${JAILPATH}/lib"
  ln -s /usr/lib "${JAILPATH}/lib"
 fi

 if [ -h "/lib64" ]; then
  mkdir -p "${JAILPATH}/usr/lib64"
  mv ${JAILPATH}/lib64/* "${JAILPATH}/usr/lib64/"
  rm -rf "${JAILPATH}/lib64"
  ln -s /usr/lib64 "${JAILPATH}/lib64"
 fi

 # Don't give more permissions than necessary
 chown root.root ${JAILPATH}/bin/su
 chmod 700 ${JAILPATH}/bin/su

 exit

diff --git a/nginx.conf section b/nginx.conf section
 # Only includes fastcgi-specific section.

 # Pass all .php files onto a php-fpm/php-fcgi server.
 location ~ \.php$ {
 	# Zero-day exploit defense.
 	# http://forum.nginx.org/read.php?2,88845,page=3
 	# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
 	# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine.  And then cross your fingers that you won't get hacked.
 	try_files $uri =404;

 	fastcgi_split_path_info ^(.+\.php)(/.+)$;
 	#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

 	include fastcgi_params;
 	fastcgi_index index.php;
 	fastcgi_param SCRIPT_FILENAME /www/$fastcgi_script_name;
 	fastcgi_pass 127.0.0.1:9000;
 }
diff --git a/www.conf b/www.conf
 ; Start a new pool named 'www'.
 [www]

 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
 ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
 ;                            a specific port;
 ;   'port'                 - to listen on a TCP socket to all addresses on a
 ;                            specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
 listen = 127.0.0.1:9000

 ; Set listen(2) backlog. A value of '-1' means unlimited.
 ; Default Value: -1
 ;listen.backlog = -1
 
 ; List of ipv4 addresses of FastCGI clients which are allowed to connect.
 ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
 ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
 ; must be separated by a comma. If this value is left blank, connections will be
 ; accepted from any ip address.
 ; Default Value: any
 listen.allowed_clients = 127.0.0.1

 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
 ; BSD-derived systems allow connections regardless of permissions. 
 ; Default Values: user and group are set as the running user
 ;                 mode is set to 0666
 ;listen.owner = nobody
 ;listen.group = nobody
 ;listen.mode = 0666

 ; Unix user/group of processes
 ; Note: The user is mandatory. If the group is not set, the default user's group
 ;       will be used.
 ; RPM: apache Choosed to be able to access some dir as httpd
 user = jailly
 ; RPM: Keep a group allowed to write in log dir.
 group = jailly

 ; Choose how the process manager will control the number of child processes.
 ; Possible Values:
 ;   static  - a fixed number (pm.max_children) of child processes;
 ;   dynamic - the number of child processes are set dynamically based on the
 ;             following directives:
 ;             pm.max_children      - the maximum number of children that can
 ;                                    be alive at the same time.
 ;             pm.start_servers     - the number of children created on startup.
 ;             pm.min_spare_servers - the minimum number of children in 'idle'
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is less than this
 ;                                    number then some children will be created.
 ;             pm.max_spare_servers - the maximum number of children in 'idle'
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is greater than this
 ;                                    number then some children will be killed.
 ; Note: This value is mandatory.
 pm = dynamic
 c
 ; The number of child processes to be created when pm is set to 'static' and the
 ; maximum number of child processes to be created when pm is set to 'dynamic'.
 ; This value sets the limit on the number of simultaneous requests that will be
 ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
 ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
 ; CGI.
 ; Note: Used when pm is set to either 'static' or 'dynamic'
 ; Note: This value is mandatory.
 pm.max_children = 12

 ; The number of child processes created on startup.
 ; Note: Used only when pm is set to 'dynamic'
 ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
 pm.start_servers = 1

 ; The desired minimum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 pm.min_spare_servers = 1

 ; The desired maximum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 pm.max_spare_servers = 8
 
 ; The number of requests each child process should execute before respawning.
 ; This can be useful to work around memory leaks in 3rd party libraries. For
 ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
 ; Default Value: 0
 pm.max_requests = 30

 ; The URI to view the FPM status page. If this value is not set, no URI will be
 ; recognized as a status page. By default, the status page shows the following
 ; information:
 ;   accepted conn    - the number of request accepted by the pool;
 ;   pool             - the name of the pool;
 ;   process manager  - static or dynamic;
 ;   idle processes   - the number of idle processes;
 ;   active processes - the number of active processes;
 ;   total processes  - the number of idle + active processes.
 ; The values of 'idle processes', 'active processes' and 'total processes' are
 ; updated each second. The value of 'accepted conn' is updated in real time.
 ; Example output:
 ;   accepted conn:   12073
 ;   pool:             www
 ;   process manager:  static
 ;   idle processes:   35
 ;   active processes: 65
 ;   total processes:  100
 ; By default the status page output is formatted as text/plain. Passing either
 ; 'html' or 'json' as a query string will return the corresponding output
 ; syntax. Example:
 ;   http://www.foo.bar/status
 ;   http://www.foo.bar/status?json
 ;   http://www.foo.bar/status?html
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
 ;       may conflict with a real PHP file.
 ; Default Value: not set 
 ;pm.status_path = /status
 
 ; The ping URI to call the monitoring page of FPM. If this value is not set, no
 ; URI will be recognized as a ping page. This could be used to test from outside
 ; that FPM is alive and responding, or to
 ; - create a graph of FPM availability (rrd or such);
 ; - remove a server from a group if it is not responding (load balancing);
 ; - trigger alerts for the operating team (24/7).
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
 ;       may conflict with a real PHP file.
 ; Default Value: not set
 ;ping.path = /ping

 ; This directive may be used to customize the response of a ping request. The
 ; response is formatted as text/plain with a 200 response code.
 ; Default Value: pong
 ;ping.response = pong
 
 ; The timeout for serving a single request after which the worker process will
 ; be killed. This option should be used when the 'max_execution_time' ini option
 ; does not stop script execution for some reason. A value of '0' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
 ;request_terminate_timeout = 0
 
 ; The timeout for serving a single request after which a PHP backtrace will be
 ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
 ;request_slowlog_timeout = 0
 
 ; The log file for slow requests
 ; Default Value: not set
 ; Note: slowlog is mandatory if request_slowlog_timeout is set
 slowlog = /media/ephemeral0/log/php-fpm/www-slow.log
 
 ; Set open file descriptor rlimit.
 ; Default Value: system defined value
 ;rlimit_files = 1024
 
 ; Set max core size rlimit.
 ; Possible Values: 'unlimited' or an integer greater or equal to 0
 ; Default Value: system defined value
 ;rlimit_core = 0
 
 ; Chroot to this directory at the start. This value must be defined as an
 ; absolute path. When this value is not set, chroot is not used.
 ; Note: chrooting is a great security feature and should be used whenever 
 ;       possible. However, all PHP paths will be relative to the chroot
 ;       (error_log, sessions.save_path, ...).
 ; Default Value: not set
 chroot = /var/www/vhosts
 
 ; Chdir to this directory at the start. This value must be an absolute path.
 ; Default Value: current directory or / when chroot
 ;chdir = /var/www
 
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.
 ; Default Value: no
 ;catch_workers_output = yes
 
 ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
 ; the current environment.
 ; Default Value: clean env
 ;env[HOSTNAME] = $HOSTNAME
 ;env[PATH] = /usr/local/bin:/usr/bin:/bin
 ;env[TMP] = /tmp
 ;env[TMPDIR] = /tmp
 ;env[TEMP] = /tmp

 ; Additional php.ini defines, specific to this pool of workers. These settings
 ; overwrite the values previously defined in the php.ini. The directives are the
 ; same as the PHP SAPI:
 ;   php_value/php_flag             - you can set classic ini defines which can
 ;                                    be overwritten from PHP call 'ini_set'. 
 ;   php_admin_value/php_admin_flag - these directives won't be overwritten by
 ;                                     PHP call 'ini_set'
 ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.

 ; Defining 'extension' will load the corresponding shared extension from
 ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
 ; overwrite previously defined php.ini values, but will append the new value
 ; instead.

 ; Default Value: nothing is defined by default except the values in php.ini and
 ;                specified at startup with the -d argument
 ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
 php_admin_value[display_errors] = on
 php_admin_value[error_log] = /var/log/php.log
 php_admin_flag[log_errors] = on
 ;php_admin_value[memory_limit] = 32M
	#!/bin/sh
	#
	# (c) Copyright by Wolfgang Fuschlberger...
	# Cheaply hacked as a proof of concept by Israel Shirk, December 2013.
	#
	# This program is free software; you can redistribute it and/or modify
	# it under the terms of the GNU General Public License as published by
	# the Free Software Foundation; either version 2 of the License, or
	# (at your option) any later version.
	#
	# This program is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU General Public License for more details.
	# ( http://www.fsf.org/licenses/gpl.txt )
	#####################################################################

	# first Release: 2004-07-30
	RELEASE="2013-12-16"
	#
	# The latest version of the script is available at
	# http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
	#
	# Feedback is welcome!
	#
	# Thanks for Bugfixes / Enhancements to
	# Michael Prokop <http://www.michael-prokop.at/chroot/>,
	# Randy K., Randy D., Jonathan Hunter and everybody else.
	#####################################################################
	#
	# Features:
	# - enable scp and sftp in the chroot-jail
	# - use one directory (default /home/jail/) as chroot for all users
	# - create new accounts
	# - move existing accounts to chroot
	#####################################################################

	# path to sshd's config file: needed for automatic detection of the locaten of
	# the sftp-server binary
	SSHD_CONFIG="/etc/ssh/sshd_config"

	# Check if we are called with username or update
	if [ -z "$1" ] ; then
	echo
	echo "ERROR: Parameter missing. Did you forget the username?"
	echo "-------------------------------------------------------------"
	echo
	echo "USAGE:"
	echo "Create new chrooted account or"
	echo "add existing User to chroot-jail:"
	echo "-> $0 username"
	echo
	echo "or specify the chroot-shell file and path where the jail should be located:"
	echo "-> $0 username [/path/to/chroot-shell [/path/to/jail]]"
	echo "Default shell = /bin/chroot-shell"
	echo "Default chroot-path = /home/jail"
	echo "-------------------------------------------------------------"
	echo
	echo "Updating files in the chroot-jail:"
	echo "-> $0 update [/path/to/chroot-shell [/path/to/jail]]"
	echo "-------------------------------------------------------------"
	echo
	echo "To uninstall:"
	echo " # userdel \$USER"
	echo " # rm -rf /home/jail"
	echo " (this deletes all Users' files!)"
	echo " # rm -f /bin/chroot-shell"
	echo " manually delete the User's line from /etc/sudoers"
	echo
	echo "Missing features: Should be able to switch off extra services + binaries that are unused."
	echo
	echo "\!Needs checks on various PHP features that integrate with DSO'S and external configs - like OpenSSL."
	echo "I've quoted stuff a little better than the previous version, but only on changed code"
	echo "so don't feed arbitrary input to it or use when paths outside the chroot could have interesting characters"
	echo "in them."
	echo
	echo "Ideally, you'd just use this to make a template, then cp -la <template> <dest>"


	exit
	fi

	if [ -z "$PATH" ] ; then
	PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin
	fi

	echo
	echo Release: $RELEASE
	echo

	echo "Am I root? "
	if [ "$(whoami &2>/dev/null)" != "root" ] && [ "$(id -un &2>/dev/null)" != "root" ] ; then
	echo " NO!

	Error: You must be root to run this script."
	exit 1
	fi
	echo " OK";

	# Check existence of necessary files
	echo "Checking distribution... "
	if [ -f /etc/debian_version ];
	then echo " Supported Distribution found"
	echo " System is running Debian Linux"
	DISTRO=DEBIAN;
	elif [ -f /etc/SuSE-release ];
	then echo " Supported Distribution found"
	echo " System is running SuSE Linux"
	DISTRO=SUSE;
	elif [ -f /etc/fedora-release ];
	then echo " Supported Distribution found"
	echo " System is running Fedora Linux"
	DISTRO=FEDORA;
	elif [ -f /etc/redhat-release ];
	then echo " Supported Distribution found"
	echo " System is running Red Hat Linux"
	DISTRO=REDHAT;
	else echo -e " failed...........\nThis script works best on Debian, Red Hat, Fedora and SuSE Linux!\nLet's try it nevertheless....\nIf some program files cannot be found adjust the respective path in line 98\n"
	#exit 1
	fi

	# Specify the apps you want to copy to the jail
	if [ "$DISTRO" = SUSE ]; then
	APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/netcat /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
	elif [ "$DISTRO" = FEDORA ]; then
	APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
	elif [ "$DISTRO" = REDHAT ]; then
	APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
	elif [ "$DISTRO" = DEBIAN ]; then
	APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
	else
	APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /usr/sbin/unix_chkpwd"
	fi

	# Check existence of necessary files
	echo "Checking for which... "
	#if [ -f $(which which) ] ;
	# not good because if which does not exist I look for an
	# empty filename and get OK nevertheless
	if ( test -f /usr/bin/which ) \|\| ( test -f /bin/which ) \|\| ( test -f /sbin/which ) \|\| ( test -f /usr/sbin/which );
	then echo " OK";
	else echo " failed

	Please install which-binary!
	"
	exit 1
	fi

	echo "Checking for chroot..."
	if [ `which chroot` ];
	then echo " OK";
	else echo " failed

	chroot not found!
	Please install chroot-package/binary!
	"
	exit 1
	fi

	echo "Checking for sudo..."
	if [ `which sudo` ]; then
	echo " OK";
	else
	echo " failed

	sudo not found!
	Please install sudo-package/binary!
	"
	exit 1
	fi

	echo "Checking for dirname..."
	if [ `which dirname` ]; then
	echo " OK";
	else
	echo " failed

	dirname not found!
	Please install dirname-binary (to be found eg in the package coreutils)!
	"
	exit 1
	fi

	echo "Checking for awk..."
	if [ `which awk` ]; then
	echo " OK
	";
	else
	echo " failed

	awk not found!
	Please install (g)awk-package/binary!
	"
	exit 1
	fi

	function link_copy() {
	echo "Copying $1 to $2/$1"
	# If it's a directory, create it and return
	# echo rsync -avz -H --numeric-ids "$1" "$2/$1"
	#
	if [ ! -d "`dirname $2/$1`" ]; then
	mkdir -p "`dirname \"$2/$1\"`"
	fi

	cp -ald "$1" "$2/$1" >& /dev/null

	if [ $? -ne 0 ]; then
	cp -a -d "$1" "$2/$1"
	fi
	}

	# get location of sftp-server binary from /etc/ssh/sshd_config
	# check for existence of /etc/ssh/sshd_config and for
	# (uncommented) line with sftp-server filename. If neither exists, just skip
	# this step and continue without sftp-server
	#
	#if (test ! -f /etc/ssh/sshd_config &> /dev/null); then
	# echo "
	#File /etc/ssh/sshd_config not found.
	#Not checking for path to sftp-server.
	# ";
	#else
	if [ ! -f ${SSHD_CONFIG} ]
	then
	echo "File ${SSHD_CONFIG} not found."
	echo "Not checking for path to sftp-server."
	echo "Please adjust the global \$SSHD_CONFIG variable"
	else
	if !(grep -v "^#" ${SSHD_CONFIG} \| grep -i sftp-server &> /dev/null); then
	echo "Obviously no sftp-server is running on this system.
	";
	else SFTP_SERVER=$(grep -v "^#" ${SSHD_CONFIG} \| grep -i sftp-server \| awk '{ print $3}')
	fi
	fi

	OPENSSL="`ls /usr/lib64/openssl/engines/lib*so`"
	PHP_FPM="`ls /usr/sbin/php-fpm`"
	PHP="`ls /usr/bin/php` `ls /usr/lib64/php/modules/so` `ls /usr/lib64/libmysql*so`"

	#if !(grep -v "^#" /etc/ssh/sshd_config \| grep -i sftp-server /etc/ssh/sshd_config \| awk '{ print $3}' &> /dev/null); then
	APPS="$APPS $SFTP_SERVER $PHP_FPM $PHP $OPENSSL"

	# Get accountname to create / move
	CHROOT_USERNAME=$1

	if ! [ -z "$2" ] ; then
	SHELL=$2
	else
	SHELL=/bin/chroot-shell
	fi

	if ! [ -z "$3" ] ; then
	JAILPATH=$3
	else
	JAILPATH=/var/www/vhosts/
	fi

	# Exit if user already exists
	#id $CHROOT_USERNAME > /dev/null 2>&1 && { echo "User exists."; echo "Exiting."; exit 1; }

	# Check if user already exists and ask for confirmation
	# we have to trust that root knows what she is doing when saying 'yes'
	if ( id $CHROOT_USERNAME > /dev/null 2>&1 ) ; then {
	echo "
	-----------------------------
	User $CHROOT_USERNAME exists.

	Are you sure you want to modify the users home directory and lock him into the
	chroot directory?
	Are you REALLY sure?
	Say only yes if you absolutely know what you are doing!"
	read -p "(yes/no) -> " MODIFYUSER
	if [ "$MODIFYUSER" != "yes" ]; then
	echo "
	Not entered yes. Exiting...."
	exit 1
	fi
	}
	else
	CREATEUSER="yes"
	fi

	# Create $SHELL (shell for jailed accounts)
	if [ -f ${SHELL} ] ; then
	echo "
	-----------------------------
	The file $SHELL exists.
	Probably it was created by this script.

	Are you sure you want to overwrite it?
	(you want to say yes for example if you are running the script for the second
	time when adding more than one account to the jail)"
	read -p "(yes/no) -> " OVERWRITE
	if [ "$OVERWRITE" != "yes" ]; then
	echo "
	Not entered yes. Exiting...."
	exit 1
	fi
	else
	echo "Creating $SHELL"
	echo '#!/bin/sh' > $SHELL
	echo "`which sudo` `which chroot` $JAILPATH /bin/su - \$USER" \"\$@\" >> $SHELL
	chmod 755 $SHELL
	fi

	# make common jail for everybody if inexistent
	if [ ! -d ${JAILPATH} ] ; then
	mkdir -p ${JAILPATH}
	echo "Creating ${JAILPATH}"
	fi
	cd ${JAILPATH}

	if [ -h "${JAILPATH}/lib" ]; then
	rm -f "${JAILPATH}/lib"
	fi

	if [ -h "${JAILPATH}/lib64" ]; then
	rm -f "${JAILPATH}/lib64"
	fi

	# Create directories in jail that do not exist yet
	JAILDIRS="dev etc etc/pam.d bin home sbin usr usr/bin usr/lib"
	for directory in $JAILDIRS ; do
	if [ ! -d "$JAILPATH/$directory" ] ; then
	mkdir $JAILPATH/"$directory"
	echo "Creating $JAILPATH/$directory"
	fi
	done
	echo

	# Comment in the following lines if your apache can't read the directories and
	# uses the security contexts
	# Fix security contexts so Apache can read files
	#CHCON=$(`which chcon`)
	#if [ -n "$CHCON" ] && [ -x $CHCON ]; then
	# $CHCON -t home_root_t $JAILPATH/home
	# $CHCON -t user_home_dir_t $JAILPATH/home/$CHROOT_USERNAME
	#fi

	# Creating necessary devices
	[ -r $JAILPATH/dev/urandom ] \|\| mknod $JAILPATH/dev/urandom c 1 9
	[ -r $JAILPATH/dev/null ] \|\| mknod -m 666 $JAILPATH/dev/null c 1 3
	[ -r $JAILPATH/dev/zero ] \|\| mknod -m 666 $JAILPATH/dev/zero c 1 5
	[ -r $JAILPATH/dev/tty ] \|\| mknod -m 666 $JAILPATH/dev/tty c 5 0

	# if we only want to update the files in the jail
	# skip the creation of the new account
	if [ "$1" != "update" ]; then

	# Modifiy /etc/sudoers to enable chroot-ing for users
	# must be removed by hand if account is deleted
	echo "Modifying /etc/sudoers"
	echo "$CHROOT_USERNAME ALL=NOPASSWD: `which chroot`, /bin/su - $CHROOT_USERNAME" >> /etc/sudoers

	# Define HomeDir for simple referencing
	HOMEDIR="$JAILPATH/home/$CHROOT_USERNAME"

	# Create new account, setting $SHELL to the above created script and
	# $HOME to $JAILPATH/home/*
	if [ "$CREATEUSER" != "yes" ] ; then echo "
	Not creating new User account
	Modifying User \"$CHROOT_USERNAME\"
	Copying files in $CHROOT_USERNAME's \$HOME to \"$HOMEDIR\"
	"
	usermod -d "$HOMEDIR" -m -s "$SHELL" $CHROOT_USERNAME && chmod 700 "$HOMEDIR"
	fi

	if [ "$CREATEUSER" = "yes" ] ; then {
	echo "Adding User \"$CHROOT_USERNAME\" to system"
	useradd -m -d "$HOMEDIR" -s "$SHELL" $CHROOT_USERNAME && chmod 700 "$HOMEDIR"

	# Enter password for new account
	# if !(passwd $CHROOT_USERNAME);
	# then echo "Passwords are probably not the same, try again."
	# exit 1;
	# fi
	echo
	}
	fi

	# Create /usr/bin/groups in the jail
	echo "#!/bin/bash" > usr/bin/groups
	echo "id -Gn" >> usr/bin/groups
	chmod 755 usr/bin/groups

	# Add users to etc/passwd
	#
	# check if file exists (ie we are not called for the first time)
	# if yes skip root's entry and do not overwrite the file
	if [ ! -f etc/passwd ] ; then
	grep /etc/passwd -e "^root" > ${JAILPATH}/etc/passwd
	fi
	if [ ! -f etc/group ] ; then
	grep /etc/group -e "^root" > ${JAILPATH}/etc/group
	# add the group for all users to etc/group (otherwise there is a nasty error
	# message and probably because of that changing directories doesn't work with
	# winSCP)
	grep /etc/group -e "^users" >> ${JAILPATH}/etc/group
	fi

	# grep the username which was given to us from /etc/passwd and add it
	# to ./etc/passwd replacing the $HOME with the directory as it will then
	# appear in the jail
	echo "Adding User $CHROOT_USERNAME to jail"
	grep -e "^$CHROOT_USERNAME:" /etc/passwd \| \
	sed -e "s#$JAILPATH##" \
	-e "s#$SHELL#/bin/bash#" >> ${JAILPATH}/etc/passwd

	# if the system uses one account/one group we write the
	# account's group to etc/group
	grep -e "^$CHROOT_USERNAME:" /etc/group >> ${JAILPATH}/etc/group

	# write the user's line from /etc/shadow to /home/jail/etc/shadow
	grep -e "^$CHROOT_USERNAME:" /etc/shadow >> ${JAILPATH}/etc/shadow
	chmod 600 ${JAILPATH}/etc/shadow

	# endif for =! update
	fi

	# Copy the apps and the related libs
	echo "Copying necessary library-files to jail (may take some time)"

	# The original code worked fine on RedHat 7.3, but did not on FC3.
	# On FC3, when the 'ldd' is done, there is a 'linux-gate.so.1' that
	# points to nothing (or a 90xb.....), and it also does not pick up
	# some files that start with a '/'. To fix this, I am doing the ldd
	# to a file called ldlist, then going back into the file and pulling
	# out the libs that start with '/'
	#
	# Randy K.
	#
	# The original code worked fine on 2.4 kernel systems. Kernel 2.6
	# introduced an internal library called 'linux-gate.so.1'. This
	# 'phantom' library caused non-critical errors to display during the
	# copy since the file does not actually exist on the file system.
	# To fix re-direct output of ldd to a file, parse the file and get
	# library files that start with /
	#

	# create temporary files with mktemp, if that doesn't work for some reason use
	# the old method with $HOME/ldlist[2] (so I don't have to check the existence
	# of the mktemp package / binary at the beginning
	#
	TMPFILE1=`mktemp` &> /dev/null \|\| TMPFILE1="${HOME}/ldlist"; if [ -x ${TMPFILE1} ]; then mv "${TMPFILE1}" "${TMPFILE1}.bak"; fi
	TMPFILE2=`mktemp` &> /dev/null \|\| TMPFILE2="${HOME}/ldlist2"; if [ -x ${TMPFILE2} ]; then mv "${TMPFILE2}" "${TMPFILE2}.bak"; fi

	for app in $APPS; do
	# First of all, check that this application exists
	if [ -e "$app" ]; then
	# Check that the directory exists; create it if not.
	# app_path=`echo $app \| sed -e 's#\(.\+\)/[^/]\+#\1#'`
	app_path=`dirname $app`
	if ! [ -d ."$app_path" ]; then
	mkdir -p ."$app_path"
	fi

	# If the files in the chroot are on the same file system as the
	# original files you should be able to use hard links instead of
	# copying the files, too. Symbolic links cannot be used, because the
	# original files are outside the chroot.

	link_copy "$app" "${JAILPATH}"
	#if [[ "$app" != /bin/ ]]; then
	# echo "linking $app"
	# ln $app .$app

	# if [ $? -ne 0 ]; then
	# echo "link failed; copying $app"
	# cp -a $app .$app
	# fi
	#fi

	# get list of necessary libraries
	ldd "$app" >> ${TMPFILE1}
	fi
	done

	cat ${TMPFILE1}

	# Clear out any old temporary file before we start
	for libs in `cat "${TMPFILE1}"`; do
	frst_char="`echo $libs \| cut -c1`"
	if [ "$frst_char" = "/" ]; then
	echo "$libs" >> ${TMPFILE2}
	fi
	done

	cat "${TMPFILE2}"

	for lib in `cat "${TMPFILE2}"`; do
	mkdir -p ".`dirname \"$lib\"`" > /dev/null 2>&1

	# If the files in the chroot are on the same file system as the original
	# files you should be able to use hard links instead of copying the files,
	# too. Symbolic links cannot be used, because the original files are
	# outside the chroot.
	# if [[ "$lib" != /bin/ ]]; then
	# echo "linking $lib"
	# ln "$lib" ".$lib"
	#
	# if [ $? -ne 0 ]; then
	# echo "link failed; copying $lib"
	# cp -a $lib .$lib
	# fi
	# fi
	#

	link_copy "$lib" "${JAILPATH}"
	done

	#
	# Now, cleanup the 2 files we created for the library list
	#
	#/bin/rm -f ${HOME}/ldlist
	#/bin/rm -f ${HOME}/ldlist2
	/bin/rm -f "${TMPFILE1}"
	/bin/rm -f "${TMPFILE2}"

	# Necessary files that are not listed by ldd.
	#
	# There might be errors because of files that do not exist but in the end it
	# may work nevertheless (I added new file names at the end without deleting old
	# ones for reasons of backward compatibility).
	# So please test ssh/scp before reporting a bug.
	if [ "$DISTRO" = SUSE ]; then
	cp /lib/libnss_compat.so.2 /lib/libnss_files.so.2 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/
	elif [ "$DISTRO" = FEDORA ]; then
	cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/ld-ldb.so.3 /lib/ld-lsb.so.3 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/
	cp /lib/. ${JAILPATH}/lib/
	cp /usr/lib/libcrack.so.2 ${JAILPATH}/usr/lib/
	elif [ "$DISTRO" = REDHAT ]; then
	cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/ld-lsb.so.1 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/
	# needed for scp on RHEL
	echo "export LD_LIBRARY_PATH=/usr/kerberos/lib" >> ${JAILPATH}/etc/profile
	elif [ "$DISTRO" = DEBIAN ]; then
	cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ${JAILPATH}/lib/
	else
	cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ${JAILPATH}/lib/
	fi

	# if you are using a 64 bit system and have strange problems with login comment
	# the following lines in, perhaps it works then (motto: if you can't find the
	# needed library just copy all of them)
	#
	#cp /lib/. ${JAILPATH}/lib/
	#cp /lib/lib64/. ${JAILPATH}/lib/lib64/

	# if you are using PAM you need stuff from /etc/pam.d/ in the jail,
	echo "Copying files from /etc/pam.d/ to jail"
	link_copy "/etc/pam.d" "${JAILPATH}"

	# ...and of course the PAM-modules...
	echo "Copying PAM-Modules to jail"
	# cp -a /lib/security ${JAILPATH}/lib/
	link_copy "/lib/security" "${JAILPATH}"
	link_copy "/lib64/security" "${JAILPATH}"

	# ...and something else useful for PAM
	#cp -a /etc/security ${JAILPATH}/etc/
	link_copy "/etc/security" "${JAILPATH}"
	#cp /etc/login.defs ${JAILPATH}/etc/
	link_copy "/etc/login.defs" "${JAILPATH}"
	link_copy "/usr/share/zoneinfo" "${JAILPATH}"

	if [ -f /etc/DIR_COLORS ] ; then
	link_copy "/etc/DIR_COLORS" "${JAILPATH}"
	# cp /etc/DIR_COLORS ${JAILPATH}/etc/
	fi

	set -x

	if [ -h "/lib" ]; then
	mkdir -p "${JAILPATH}/usr/lib"
	mv ${JAILPATH}/lib/* "${JAILPATH}/usr/lib/"
	rm -rf "${JAILPATH}/lib"
	ln -s /usr/lib "${JAILPATH}/lib"
	fi

	if [ -h "/lib64" ]; then
	mkdir -p "${JAILPATH}/usr/lib64"
	mv ${JAILPATH}/lib64/* "${JAILPATH}/usr/lib64/"
	rm -rf "${JAILPATH}/lib64"
	ln -s /usr/lib64 "${JAILPATH}/lib64"
	fi

	# Don't give more permissions than necessary
	chown root.root ${JAILPATH}/bin/su
	chmod 700 ${JAILPATH}/bin/su

	exit
	# Only includes fastcgi-specific section.

	# Pass all .php files onto a php-fpm/php-fcgi server.
	location ~ \.php$ {
	# Zero-day exploit defense.
	# http://forum.nginx.org/read.php?2,88845,page=3
	# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
	# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
	try_files $uri =404;

	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

	include fastcgi_params;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME /www/$fastcgi_script_name;
	fastcgi_pass 127.0.0.1:9000;
	}
	; Start a new pool named 'www'.
	[www]

	; The address on which to accept FastCGI requests.
	; Valid syntaxes are:
	; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
	; a specific port;
	; 'port' - to listen on a TCP socket to all addresses on a
	; specific port;
	; '/path/to/unix/socket' - to listen on a unix socket.
	; Note: This value is mandatory.
	listen = 127.0.0.1:9000

	; Set listen(2) backlog. A value of '-1' means unlimited.
	; Default Value: -1
	;listen.backlog = -1

	; List of ipv4 addresses of FastCGI clients which are allowed to connect.
	; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
	; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
	; must be separated by a comma. If this value is left blank, connections will be
	; accepted from any ip address.
	; Default Value: any
	listen.allowed_clients = 127.0.0.1

	; Set permissions for unix socket, if one is used. In Linux, read/write
	; permissions must be set in order to allow connections from a web server. Many
	; BSD-derived systems allow connections regardless of permissions.
	; Default Values: user and group are set as the running user
	; mode is set to 0666
	;listen.owner = nobody
	;listen.group = nobody
	;listen.mode = 0666

	; Unix user/group of processes
	; Note: The user is mandatory. If the group is not set, the default user's group
	; will be used.
	; RPM: apache Choosed to be able to access some dir as httpd
	user = jailly
	; RPM: Keep a group allowed to write in log dir.
	group = jailly

	; Choose how the process manager will control the number of child processes.
	; Possible Values:
	; static - a fixed number (pm.max_children) of child processes;
	; dynamic - the number of child processes are set dynamically based on the
	; following directives:
	; pm.max_children - the maximum number of children that can
	; be alive at the same time.
	; pm.start_servers - the number of children created on startup.
	; pm.min_spare_servers - the minimum number of children in 'idle'
	; state (waiting to process). If the number
	; of 'idle' processes is less than this
	; number then some children will be created.
	; pm.max_spare_servers - the maximum number of children in 'idle'
	; state (waiting to process). If the number
	; of 'idle' processes is greater than this
	; number then some children will be killed.
	; Note: This value is mandatory.
	pm = dynamic
	c
	; The number of child processes to be created when pm is set to 'static' and the
	; maximum number of child processes to be created when pm is set to 'dynamic'.
	; This value sets the limit on the number of simultaneous requests that will be
	; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
	; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
	; CGI.
	; Note: Used when pm is set to either 'static' or 'dynamic'
	; Note: This value is mandatory.
	pm.max_children = 12

	; The number of child processes created on startup.
	; Note: Used only when pm is set to 'dynamic'
	; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
	pm.start_servers = 1

	; The desired minimum number of idle server processes.
	; Note: Used only when pm is set to 'dynamic'
	; Note: Mandatory when pm is set to 'dynamic'
	pm.min_spare_servers = 1

	; The desired maximum number of idle server processes.
	; Note: Used only when pm is set to 'dynamic'
	; Note: Mandatory when pm is set to 'dynamic'
	pm.max_spare_servers = 8

	; The number of requests each child process should execute before respawning.
	; This can be useful to work around memory leaks in 3rd party libraries. For
	; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
	; Default Value: 0
	pm.max_requests = 30

	; The URI to view the FPM status page. If this value is not set, no URI will be
	; recognized as a status page. By default, the status page shows the following
	; information:
	; accepted conn - the number of request accepted by the pool;
	; pool - the name of the pool;
	; process manager - static or dynamic;
	; idle processes - the number of idle processes;
	; active processes - the number of active processes;
	; total processes - the number of idle + active processes.
	; The values of 'idle processes', 'active processes' and 'total processes' are
	; updated each second. The value of 'accepted conn' is updated in real time.
	; Example output:
	; accepted conn: 12073
	; pool: www
	; process manager: static
	; idle processes: 35
	; active processes: 65
	; total processes: 100
	; By default the status page output is formatted as text/plain. Passing either
	; 'html' or 'json' as a query string will return the corresponding output
	; syntax. Example:
	; http://www.foo.bar/status
	; http://www.foo.bar/status?json
	; http://www.foo.bar/status?html
	; Note: The value must start with a leading slash (/). The value can be
	; anything, but it may not be a good idea to use the .php extension or it
	; may conflict with a real PHP file.
	; Default Value: not set
	;pm.status_path = /status

	; The ping URI to call the monitoring page of FPM. If this value is not set, no
	; URI will be recognized as a ping page. This could be used to test from outside
	; that FPM is alive and responding, or to
	; - create a graph of FPM availability (rrd or such);
	; - remove a server from a group if it is not responding (load balancing);
	; - trigger alerts for the operating team (24/7).
	; Note: The value must start with a leading slash (/). The value can be
	; anything, but it may not be a good idea to use the .php extension or it
	; may conflict with a real PHP file.
	; Default Value: not set
	;ping.path = /ping

	; This directive may be used to customize the response of a ping request. The
	; response is formatted as text/plain with a 200 response code.
	; Default Value: pong
	;ping.response = pong

	; The timeout for serving a single request after which the worker process will
	; be killed. This option should be used when the 'max_execution_time' ini option
	; does not stop script execution for some reason. A value of '0' means 'off'.
	; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
	; Default Value: 0
	;request_terminate_timeout = 0

	; The timeout for serving a single request after which a PHP backtrace will be
	; dumped to the 'slowlog' file. A value of '0s' means 'off'.
	; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
	; Default Value: 0
	;request_slowlog_timeout = 0

	; The log file for slow requests
	; Default Value: not set
	; Note: slowlog is mandatory if request_slowlog_timeout is set
	slowlog = /media/ephemeral0/log/php-fpm/www-slow.log

	; Set open file descriptor rlimit.
	; Default Value: system defined value
	;rlimit_files = 1024

	; Set max core size rlimit.
	; Possible Values: 'unlimited' or an integer greater or equal to 0
	; Default Value: system defined value
	;rlimit_core = 0

	; Chroot to this directory at the start. This value must be defined as an
	; absolute path. When this value is not set, chroot is not used.
	; Note: chrooting is a great security feature and should be used whenever
	; possible. However, all PHP paths will be relative to the chroot
	; (error_log, sessions.save_path, ...).
	; Default Value: not set
	chroot = /var/www/vhosts

	; Chdir to this directory at the start. This value must be an absolute path.
	; Default Value: current directory or / when chroot
	;chdir = /var/www

	; Redirect worker stdout and stderr into main error log. If not set, stdout and
	; stderr will be redirected to /dev/null according to FastCGI specs.
	; Default Value: no
	;catch_workers_output = yes

	; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
	; the current environment.
	; Default Value: clean env
	;env[HOSTNAME] = $HOSTNAME
	;env[PATH] = /usr/local/bin:/usr/bin:/bin
	;env[TMP] = /tmp
	;env[TMPDIR] = /tmp
	;env[TEMP] = /tmp

	; Additional php.ini defines, specific to this pool of workers. These settings
	; overwrite the values previously defined in the php.ini. The directives are the
	; same as the PHP SAPI:
	; php_value/php_flag - you can set classic ini defines which can
	; be overwritten from PHP call 'ini_set'.
	; php_admin_value/php_admin_flag - these directives won't be overwritten by
	; PHP call 'ini_set'
	; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.

	; Defining 'extension' will load the corresponding shared extension from
	; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
	; overwrite previously defined php.ini values, but will append the new value
	; instead.

	; Default Value: nothing is defined by default except the values in php.ini and
	; specified at startup with the -d argument
	;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
	php_admin_value[display_errors] = on
	php_admin_value[error_log] = /var/log/php.log
	php_admin_flag[log_errors] = on
	;php_admin_value[memory_limit] = 32M