LinuxQuestions.org
Old 10-30-2009, 06:31 AM   #1
narendra1310
Member
 
Registered: May 2008
Posts: 41

Rep: Reputation: 15
Question Run in the jail as a non-root user ?


I constructed a newroot directory and ran this command [ /usr/sbin/chroot /path-to-newroot/ apache/bin/httpd -k start] as the root user, and it was working fine.

But I want to run my apache-server inside the chrootJail as a non-root user for security reasons.

Here is the link whose steps I followed:

http://unixwiz.net/techtips/chroot-practices.html

* Run in the jail as a non-root user
* Limit non-jail running of jailed binaries

For systems that do not have a command-line option for running chroot, the only alternative is to create a wrapper program. This wrapper will perform the key chroot operation, give up root permission, and then execute the jailed binary.

The wrapper must be run as root (only chroot can perform this operation), but the wrapper itself must not be found in the jail.

++++++++++++++++++++
My Wrapper program.
++++++++++++++++++++
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pwd.h>

/* Print the entries of the directory at path; returns 0 on success, -1 on error */
int showList(const char *path)
{
    DIR *dir;
    struct dirent *ent;
    dir = opendir(path);
    if (dir != NULL)
    {
        printf ("#####Sub-Directories And Files Under newroot#####///\n");
        while ((ent = readdir (dir)) != NULL)
        {
            printf ("%s ", ent->d_name);
        }
        printf ("\n");
        closedir(dir);
        return 0;
    }
    else
    {
        printf ("ERROR open with dir \n");
        perror ("dir");
        return -1;
    }
}

int main()
{
    char *path;
    int rc;

    path = (char *)malloc(100);
    if (path == NULL)
    {
        perror("malloc");
        return 1;
    }

    printf("parent process\n");

    /*change directory to newroot*/
    rc = chdir("/home/test/builds/server/sgchroot");
    printf("chdir=%d\n", rc);
    if (rc != 0) { perror("chdir"); return 1; }

    /*chrooting the newroot*/
    rc = chroot("/home/test/builds/server/sgchroot");
    printf("chrt=%d\n", rc);
    if (rc != 0) { perror("chroot"); return 1; }

    /*setting uid of the test [non-root user] with its uid=500; stop if root cannot be dropped.
      setuid() alone leaves the group IDs unchanged. */
    if (setuid(500) != 0) { perror("setuid"); return 1; }

    /*flush buffered output so the child does not print it a second time*/
    fflush(stdout);

    if(!fork())
    {
        printf("\nchild process\n");

        /*setting uid of the test [non-root user] with its uid=500 (already dropped in the parent)*/
        if (setuid(500) != 0) { perror("setuid"); return 1; }

        /*Get uid's status of a child process*/
        printf("uid :: %d\teuid :: %d\n",getuid(),geteuid());

        /*get current working directory i.e. newroot as "/"*/
        memset(path,0,100);
        if (getcwd(path,100) == NULL) { perror("getcwd"); return 1; }
        printf("cwd :: %s\n",path);

        /*show the list of directories under newroot "/"*/
        showList(path);

        /* Executing the binary as test [non-root user]; system() runs it through /bin/sh */
        printf("system() :: %d\n",system("./apache/bin/httpd -k start"));
    }

    free(path);
    return 0;
}

+++++++
Result:
+++++++
parent process
chdir :: 0
chrt :: 0

child process
uid :: 500 euid :: 500
cwd :: /
#####Sub-Directories And Files Under newroot#####///
dev usr data php etc tmp .odbc.ini htmlgui .. apache . lib readme.html .createsgchroot.sh gd
system() :: 32512

?????????????????????????????????????????????????????????????????

But I am still unable to start apache inside the chrootJail. syscall system() throws some numeric value. What is this value?

Are there any changes that need to be made to my wrapper program in order to execute the jailed apache binary as a non-root user, or was the way I did it wrong?

Please suggest a good solution.

Thanks in Advance
 
Old 10-30-2009, 11:17 AM   #2
narendra1310
Member
 
Registered: May 2008
Posts: 41

Original Poster
Rep: Reputation: 15
Smile

I got a solution for the above requirement:

The wrapper program shown above will run successfully if /bin/sh is available inside the newroot directory, because without /bin/sh the syscall system() will not work.

And now I can run my binary inside chroot as a non-root user.

That's it..!!!!!!
Story completed..

Last edited by narendra1310; 10-30-2009 at 11:19 AM.
 
Old 10-30-2009, 02:39 PM   #3
themanwhowas
Member
 
Registered: Nov 2005
Distribution: CentOS 5, Fedora 23
Posts: 216

Rep: Reputation: 29
congratulations
 
Old 10-31-2009, 11:33 AM   #4
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 675

Rep: Reputation: 136Reputation: 136
Quote:
Originally Posted by narendra1310
I got a solution for the above requirement:

The wrapper program shown above will run successfully if /bin/sh is available inside the newroot directory, because without /bin/sh the syscall system() will not work.

And now I can run my binary inside chroot as a non-root user.

That's it..!!!!!!
Story completed..

You can use execve instead of system. Then you don't need /bin/sh in the jail.
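
The suggestion in post #4, written out as an added example (not code from any poster in this thread): the wrapper enters the jail, drops groups, gid and uid with every call checked, then starts httpd with execve() so no /bin/sh is needed in newroot. It also decodes the 32512 from post #1, which is exit code 127, the value system() reports when the shell could not be executed. The jail path, uid 500 and httpd path come from post #1; gid 500 and the function names are assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* system() reports a shell that could not be executed as exit code 127,
 * which shows up in the raw wait status as 127 << 8 == 32512. */
int exit_code_of(int status)
{
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Enter the jail and give up root for good. Order matters: supplementary
 * groups, then gid, then uid; after setuid() the others are not permitted. */
int enter_jail(const char *newroot, uid_t uid, gid_t gid)
{
    if (chroot(newroot) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Regaining root must fail, otherwise the drop did not take effect. */
    return (setuid(0) == 0) ? -1 : 0;
}

/* Run prog directly with execve(): no shell is involved. */
int run_direct(const char *prog, char *const argv[])
{
    char *const envp[] = { NULL };   /* empty environment for the jailed process */
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(prog, argv, envp);
        _exit(127);                  /* only reached if execve() failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return exit_code_of(status);
}

int main(void)
{
    /* Path, uid and binary are from post #1; gid 500 is an assumption. */
    char *const argv[] = { "httpd", "-k", "start", NULL };
    if (enter_jail("/home/test/builds/server/sgchroot", 500, 500) != 0) {
        perror("enter_jail");
        return 1;
    }
    return run_direct("/apache/bin/httpd", argv);
}
```

Like the original wrapper, this must be started as root and the wrapper binary itself should stay outside the jail.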
 
  


All times are GMT -5. The time now is 08:54 PM.
