How to jail a process in his repertory ?
Hi all,
I want to jail a process in his folder, so he can't have any link with a parent folder. Ex. If i'm a hacker, and I can upload my script & and I can start it, i'll could go to ../, /etc/passwd, etc.. So what I did is to chroot the process : I copied all libraries used by the process in his repertory, and then i did : Code:
chroot /repertory/to/process ./myprocess How to do it ? Thank you very much, and sorry for my bad english :) |
Can you explain how your process view parent folders? Are you using some tricks, maybe hardlinks (they are not "jailed") or just normal operation? chroot is not very secure if you want separate environment for your process.
Maybe you will be interested about lxc (linux containers), which has better separation from real system and is more configurable. |
I use a simple C or Shell program, that will list the parent folder.
I mean, for example, in a shell script : Code:
ls ../ # Here the hacker can view all the files that he shouldn't be able to view But is it good for hosting ? Because what I want to do is to host some friends (3~4), so I don't wan't to have many users, groups, etc. for each friends to host. |
So, it is something wrong here. Are you sure your program is running inside a chroot? Can you copy and paste here your chroot command and its output?
Quote:
|
For web hosting, you have to set httpd directories in main server or virtual hosts
Also see ftp servers config |
No, I meant games hosting, sorry.
So here is the command (executed by root) chroot /home/usr/xxx/ ./myprocess In the process I placed a script that will call another script in the same repertory to print the result of "ls ../", and it was working. |
Sorry I don't have ideas, but it shouldn't behave like this. Can you check what you get when running in turn:
Code:
cd /home/usr/xxx |
[edit] sorry, I see your concern about hackers uploading script potential ability
I don't know what is a game hosting anyway :p |
Oh, it works with the cmd you gave me. How to use it, but in 1 line only ?
|
Maybe you need to change directory to "/home/usr/xxx" before chroot, this is necessary to chroot work properly. But I always thinked that this is done by "chroot" command. Check this. Also can you write what distribution and version you have?
If you need one line use semicolons ";" to separate commands or make script for this. |
Okay, now I need to start my process into a screen, but here what I get when I type screen when chrooted :
getpwuid() can't identify your account! How can I do to make it indentify my account ? EDIT : Ok, so what I did was : I made a bash script : Code:
#!/bin/bash Then i did : Code:
#!/bin/bash How can I do that ? |
Quote:
Quote:
Quote:
|
Ok, I did it.
Thank you for your answers, here is how I did : Script in /home/script : Code:
cd /home/my/chrooted/environment/ script_chrooted.sh : Code:
cd /another/repertory/in/chrooted/env/ Thank you !! |
All times are GMT -5. The time now is 11:16 PM. |