Run in the jail as a non-root user ?
 

I constructed newroot directory and run this command [ /usr/sbin/chroot /path-to-newroot/ apache/bin/httpd -k start] as root user and it was working fine.

But
I want to run my apache-server inside chrootJail as a non-root user for security reasons.

Here is the link I followed steps to do :

http://unixwiz.net/techtips/chroot-practices.html

* Run in the jail as a non-root user
* Limit non-jail running of jailed binaries

For systems that do not have a command-line option for running chroot, the only alternative is to create a wrapper program. This wrapper will perform the key chroot operation, give up root permission, and then execute the jailed binary.

The wrapper must be run as root (only chroot can perform this operation), but the wrapper itself must not be found in the jail.

++++++++++++++++++++
My Wrapper program.
++++++++++++++++++++
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pwd.h>

int showList(const char *path)
{
DIR *dir;
struct dirent *ent;
dir = opendir(path);
if (dir != NULL)
{
printf ("#####Sub-Directories And Files Under newroot#####///\n");
while ((ent = readdir (dir)) != NULL)
{
printf ("%s ", ent->d_name);
}
printf ("\n");
closedir(dir);
}
else
{
printf ("ERROR open with dir \n");
perror ("dir");
}
}

int main()
{
char *path;
path = (char *)malloc(100);

printf("parent process\n");

/*change directory to newroot*/
printf("chdir=%d\n",chdir("/home/test/builds/server/sgchroot"));

/*chrooting the newroot*/
printf("chrt=%d\n",chroot("/home/test/builds/server/sgchroot"));

/*setting uid of the test [non-root user] with its uid=500 */
setuid(500);

if(!fork())
{
printf("\nchild process\n");

/*setting uid of the test [non-root user] with its uid=500 */
setuid(500);

/*Get uid's status of a child process*/
printf("uid :: %d\teuid :: %d\n",getuid(),geteuid());

/*get current working directory i.e. newroot as "/"*/
memset(path,0,100);
getcwd(path,100);
path[strlen(path)]='\0';
printf("cwd :: %s\n",path);

/*show the list of derectories under newroot "/"*/
showList(path);

/* Executing the binary as test [non-root user]*/
printf("system() :: %d\n",system("./apache/bin/httpd -k start"));
}
}

+++++++
Result:
+++++++
parent process
chdir :: 0
chrt :: 0

child process
uid :: 500 euid :: 500
cwd :: /
#####Sub-Directories And Files Under newroot#####///
dev usr data php etc tmp .odbc.ini htmlgui .. apache . lib readme.html .createsgchroot.sh gd
system() :: 32512

?????????????????????????????????????????????????????????????????

But still I am unable to start apache inside the chrootJail. syscall system() throws some numeric value. what is this value.

Is there any changes need to be done to my wrapper program to work in order to execute jailed apache binary as a non-root user OR the way i done it was wrong ?.

"""""""" Please suggest me with some good solution """"""

Thanks in Advance

I got solution for the above requirement:

Above shown wrapper program will run successfully if /bin/sh available inside newroot directory. Because without /bin/sh syscall system() will not work.

And now I can run my binary inside chroot as a non-root user.

That its..!!!!!!
Story completed..

congratulations

You can use execve instead of system. Then you don't need /bin/sh in the jail