LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-12-2011, 02:39 PM   #1
Debian
LQ Newbie
 
Registered: Dec 2011
Posts: 6

Rep: Reputation: Disabled
How to jail a process in his repertory ?


Hi all,

I want to jail a process in his folder, so he can't have any link with a parent folder.

Ex. If i'm a hacker, and I can upload my script & and I can start it, i'll could go to ../, /etc/passwd, etc..

So what I did is to chroot the process :

I copied all libraries used by the process in his repertory, and then i did :

Code:
chroot /repertory/to/process ./myprocess
But... my process can still view parent folders...

How to do it ?

Thank you very much, and sorry for my bad english
 
Old 12-12-2011, 03:05 PM   #2
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,221

Rep: Reputation: 307Reputation: 307Reputation: 307Reputation: 307
Can you explain how your process view parent folders? Are you using some tricks, maybe hardlinks (they are not "jailed") or just normal operation? chroot is not very secure if you want separate environment for your process.

Maybe you will be interested about lxc (linux containers), which has better separation from real system and is more configurable.

Last edited by eSelix; 12-12-2011 at 03:06 PM.
 
Old 12-12-2011, 03:41 PM   #3
Debian
LQ Newbie
 
Registered: Dec 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
I use a simple C or Shell program, that will list the parent folder.

I mean, for example, in a shell script :

Code:
ls ../ # Here the hacker can view all the files that he shouldn't be able to view
But yes, i'll take a look about lxc.

But is it good for hosting ?
Because what I want to do is to host some friends (3~4), so I don't wan't to have many users, groups, etc. for each friends to host.
 
Old 12-12-2011, 03:49 PM   #4
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,221

Rep: Reputation: 307Reputation: 307Reputation: 307Reputation: 307
So, it is something wrong here. Are you sure your program is running inside a chroot? Can you copy and paste here your chroot command and its output?

Quote:
But is it good for hosting ?
Sorry, but I don't known what you mean by "hosting". It is generally better then chroot, but also more complicated (it needs preparation, proper permissions, correct kernel) you should read about it, but I think that chroot will be sufficient for you - when you finally solve this problem.

Last edited by eSelix; 12-12-2011 at 04:08 PM.
 
Old 12-12-2011, 04:02 PM   #5
Cedrik
Senior Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 2,140

Rep: Reputation: 242Reputation: 242Reputation: 242
For web hosting, you have to set httpd directories in main server or virtual hosts
Also see ftp servers config
 
Old 12-12-2011, 04:14 PM   #6
Debian
LQ Newbie
 
Registered: Dec 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
No, I meant games hosting, sorry.

So here is the command (executed by root)

chroot /home/usr/xxx/ ./myprocess

In the process I placed a script that will call another script in the same repertory to print the result of "ls ../", and it was working.
 
Old 12-12-2011, 04:28 PM   #7
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,221

Rep: Reputation: 307Reputation: 307Reputation: 307Reputation: 307
Sorry I don't have ideas, but it shouldn't behave like this. Can you check what you get when running in turn:
Code:
cd /home/usr/xxx
chroot /home/usr/xxx/
pwd
./myprocess
Is effect the same? What "pwd" printed? Also are you sure that this "ls .." is showing files outside your chroot?
 
Old 12-12-2011, 04:48 PM   #8
Cedrik
Senior Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 2,140

Rep: Reputation: 242Reputation: 242Reputation: 242
[edit] sorry, I see your concern about hackers uploading script potential ability

I don't know what is a game hosting anyway

Last edited by Cedrik; 12-12-2011 at 04:52 PM.
 
Old 12-12-2011, 05:01 PM   #9
Debian
LQ Newbie
 
Registered: Dec 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
Oh, it works with the cmd you gave me. How to use it, but in 1 line only ?
 
Old 12-12-2011, 05:11 PM   #10
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,221

Rep: Reputation: 307Reputation: 307Reputation: 307Reputation: 307
Maybe you need to change directory to "/home/usr/xxx" before chroot, this is necessary to chroot work properly. But I always thinked that this is done by "chroot" command. Check this. Also can you write what distribution and version you have?

If you need one line use semicolons ";" to separate commands or make script for this.
 
Old 12-13-2011, 01:41 PM   #11
Debian
LQ Newbie
 
Registered: Dec 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
Okay, now I need to start my process into a screen, but here what I get when I type screen when chrooted :

getpwuid() can't identify your account!

How can I do to make it indentify my account ?

EDIT :
Ok, so what I did was :

I made a bash script :

Code:
#!/bin/bash

cd /home/my/repertory
chroot . ./my_process
This doesn't work. My screen close instantly after been started.

Then i did :

Code:
#!/bin/bash

cd /home/my/repertory
chroot .
./my_process
But here, all cmds executed after chroot . isn't called.

How can I do that ?

Last edited by Debian; 12-13-2011 at 02:21 PM.
 
Old 12-13-2011, 03:38 PM   #12
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,221

Rep: Reputation: 307Reputation: 307Reputation: 307Reputation: 307
Quote:
getpwuid() can't identify your account!
How can I do to make it indentify my account ?
Sorry, I don't known what this message means. Probably you did not copied sufficient data to chroot environment (/etc/passwd, /var/log/utmp, /dev... etcetera). Anyway, why you use "screen" if you only want to run a game server?

Quote:
But here, all cmds executed after chroot . isn't called.
This will not work as you expected. When you execute chroot, the shell or other program is started and waiting. After it quits, then next lines of this script will be executed. So you must run your program as chroot argument.

Quote:
I made a bash script :

#!/bin/bash
cd /home/my/repertory
chroot . ./my_process

This doesn't work. My screen close instantly after been started.
You did not mentioned and I don't known now. Can you specify. If this script work without "screen"? And you have only problem with screen executed into chrooted environment?
 
Old 12-14-2011, 09:55 AM   #13
Debian
LQ Newbie
 
Registered: Dec 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thumbs up

Ok, I did it.
Thank you for your answers, here is how I did :

Script in /home/script :

Code:
cd /home/my/chrooted/environment/
chroot . ./script_chrooted.sh

script_chrooted.sh :

Code:
cd /another/repertory/in/chrooted/env/
screen -dmS my_process ./my_process
And this works fine.

Thank you !!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Chroot jail or Root jail bayprince Linux - Newbie 3 07-25-2011 07:43 PM
[SOLVED] chroot jail problem: 'empty' jail MatrixS_Master Linux - Security 4 03-27-2010 06:25 AM
Jail user to run process tanveer Linux - Security 1 06-02-2009 09:51 PM
IMAP Jail FinnNetworks Linux - Software 0 03-08-2004 02:08 PM
Jail? Hoops66 *BSD 1 09-11-2003 06:45 AM


All times are GMT -5. The time now is 09:02 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration