LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   How to jail a process in his repertory ? (http://www.linuxquestions.org/questions/linux-security-4/how-to-jail-a-process-in-his-repertory-918378/)

Debian 12-12-2011 03:39 PM

How to jail a process in his repertory ?
 
Hi all,

I want to jail a process in his folder, so he can't have any link with a parent folder.

Ex. If i'm a hacker, and I can upload my script & and I can start it, i'll could go to ../, /etc/passwd, etc..

So what I did is to chroot the process :

I copied all libraries used by the process in his repertory, and then i did :

Code:

chroot /repertory/to/process ./myprocess
But... my process can still view parent folders...

How to do it ?

Thank you very much, and sorry for my bad english :)

eSelix 12-12-2011 04:05 PM

Can you explain how your process view parent folders? Are you using some tricks, maybe hardlinks (they are not "jailed") or just normal operation? chroot is not very secure if you want separate environment for your process.

Maybe you will be interested about lxc (linux containers), which has better separation from real system and is more configurable.

Debian 12-12-2011 04:41 PM

I use a simple C or Shell program, that will list the parent folder.

I mean, for example, in a shell script :

Code:

ls ../ # Here the hacker can view all the files that he shouldn't be able to view
But yes, i'll take a look about lxc.

But is it good for hosting ?
Because what I want to do is to host some friends (3~4), so I don't wan't to have many users, groups, etc. for each friends to host.

eSelix 12-12-2011 04:49 PM

So, it is something wrong here. Are you sure your program is running inside a chroot? Can you copy and paste here your chroot command and its output?

Quote:

But is it good for hosting ?
Sorry, but I don't known what you mean by "hosting". It is generally better then chroot, but also more complicated (it needs preparation, proper permissions, correct kernel) you should read about it, but I think that chroot will be sufficient for you - when you finally solve this problem.

Cedrik 12-12-2011 05:02 PM

For web hosting, you have to set httpd directories in main server or virtual hosts
Also see ftp servers config

Debian 12-12-2011 05:14 PM

No, I meant games hosting, sorry.

So here is the command (executed by root)

chroot /home/usr/xxx/ ./myprocess

In the process I placed a script that will call another script in the same repertory to print the result of "ls ../", and it was working.

eSelix 12-12-2011 05:28 PM

Sorry I don't have ideas, but it shouldn't behave like this. Can you check what you get when running in turn:
Code:

cd /home/usr/xxx
chroot /home/usr/xxx/
pwd
./myprocess

Is effect the same? What "pwd" printed? Also are you sure that this "ls .." is showing files outside your chroot?

Cedrik 12-12-2011 05:48 PM

[edit] sorry, I see your concern about hackers uploading script potential ability

I don't know what is a game hosting anyway :p

Debian 12-12-2011 06:01 PM

Oh, it works with the cmd you gave me. How to use it, but in 1 line only ?

eSelix 12-12-2011 06:11 PM

Maybe you need to change directory to "/home/usr/xxx" before chroot, this is necessary to chroot work properly. But I always thinked that this is done by "chroot" command. Check this. Also can you write what distribution and version you have?

If you need one line use semicolons ";" to separate commands or make script for this.

Debian 12-13-2011 02:41 PM

Okay, now I need to start my process into a screen, but here what I get when I type screen when chrooted :

getpwuid() can't identify your account!

How can I do to make it indentify my account ?

EDIT :
Ok, so what I did was :

I made a bash script :

Code:

#!/bin/bash

cd /home/my/repertory
chroot . ./my_process

This doesn't work. My screen close instantly after been started.

Then i did :

Code:

#!/bin/bash

cd /home/my/repertory
chroot .
./my_process

But here, all cmds executed after chroot . isn't called.

How can I do that ?

eSelix 12-13-2011 04:38 PM

Quote:

getpwuid() can't identify your account!
How can I do to make it indentify my account ?
Sorry, I don't known what this message means. Probably you did not copied sufficient data to chroot environment (/etc/passwd, /var/log/utmp, /dev... etcetera). Anyway, why you use "screen" if you only want to run a game server?

Quote:

But here, all cmds executed after chroot . isn't called.
This will not work as you expected. When you execute chroot, the shell or other program is started and waiting. After it quits, then next lines of this script will be executed. So you must run your program as chroot argument.

Quote:

I made a bash script :

#!/bin/bash
cd /home/my/repertory
chroot . ./my_process

This doesn't work. My screen close instantly after been started.
You did not mentioned and I don't known now. Can you specify. If this script work without "screen"? And you have only problem with screen executed into chrooted environment?

Debian 12-14-2011 10:55 AM

Ok, I did it.
Thank you for your answers, here is how I did :

Script in /home/script :

Code:

cd /home/my/chrooted/environment/
chroot . ./script_chrooted.sh


script_chrooted.sh :

Code:

cd /another/repertory/in/chrooted/env/
screen -dmS my_process ./my_process

And this works fine.

Thank you !!


All times are GMT -5. The time now is 12:38 PM.