How to jail a process in his repertory ?
 

Hi all,

I want to jail a process in his folder, so he can't have any link with a parent folder.

Ex. If i'm a hacker, and I can upload my script & and I can start it, i'll could go to ../, /etc/passwd, etc..

So what I did is to chroot the process :

I copied all libraries used by the process in his repertory, and then i did :

But... my process can still view parent folders...

How to do it ?

Thank you very much, and sorry for my bad english :)

Can you explain how your process view parent folders? Are you using some tricks, maybe hardlinks (they are not "jailed") or just normal operation? chroot is not very secure if you want separate environment for your process.

Maybe you will be interested about lxc (linux containers), which has better separation from real system and is more configurable.

I use a simple C or Shell program, that will list the parent folder.

I mean, for example, in a shell script :

But yes, i'll take a look about lxc.

But is it good for hosting ?
Because what I want to do is to host some friends (3~4), so I don't wan't to have many users, groups, etc. for each friends to host.

So, it is something wrong here. Are you sure your program is running inside a chroot? Can you copy and paste here your chroot command and its output?

Sorry, but I don't known what you mean by "hosting". It is generally better then chroot, but also more complicated (it needs preparation, proper permissions, correct kernel) you should read about it, but I think that chroot will be sufficient for you - when you finally solve this problem.

For web hosting, you have to set httpd directories in main server or virtual hosts
Also see ftp servers config

No, I meant games hosting, sorry.

So here is the command (executed by root)

chroot /home/usr/xxx/ ./myprocess

In the process I placed a script that will call another script in the same repertory to print the result of "ls ../", and it was working.

Sorry I don't have ideas, but it shouldn't behave like this. Can you check what you get when running in turn:Is effect the same? What "pwd" printed? Also are you sure that this "ls .." is showing files outside your chroot?

[edit] sorry, I see your concern about hackers uploading script potential ability

I don't know what is a game hosting anyway :p

Oh, it works with the cmd you gave me. How to use it, but in 1 line only ?

Maybe you need to change directory to "/home/usr/xxx" before chroot, this is necessary to chroot work properly. But I always thinked that this is done by "chroot" command. Check this. Also can you write what distribution and version you have?

If you need one line use semicolons ";" to separate commands or make script for this.

Okay, now I need to start my process into a screen, but here what I get when I type screen when chrooted :

getpwuid() can't identify your account!

How can I do to make it indentify my account ?

EDIT :
Ok, so what I did was :

I made a bash script :

This doesn't work. My screen close instantly after been started.

Then i did :

But here, all cmds executed after chroot . isn't called.

How can I do that ?

Sorry, I don't known what this message means. Probably you did not copied sufficient data to chroot environment (/etc/passwd, /var/log/utmp, /dev... etcetera). Anyway, why you use "screen" if you only want to run a game server?

This will not work as you expected. When you execute chroot, the shell or other program is started and waiting. After it quits, then next lines of this script will be executed. So you must run your program as chroot argument.

You did not mentioned and I don't known now. Can you specify. If this script work without "screen"? And you have only problem with screen executed into chrooted environment?

Ok, I did it.
Thank you for your answers, here is how I did :

Script in /home/script :


script_chrooted.sh :

And this works fine.

Thank you !!