LinuxQuestions.org
Forum: Linux - Software
Old 10-28-2009, 01:00 AM   #1
narendra1310
Member
 
Registered: May 2008
Posts: 41

Rep: Reputation: 15
Urgent requirement: Break out of a chrootJail for security


Hi everybody,

Urgent requirement:

I have a daemon which executes the "/usr/sbin/chroot" command. But I have to run this daemon as a non-root user. As far as I know, "/usr/sbin/chroot" cannot be run as a non-root user.

What is the alternative solution for this?

I read a few documents which say that first we need to run this kind of special process/command as root and then give up permissions by setting the uid/euid to make that process a non-root user process.

** What to set, and when to set these uids, to make this process a non-root user process?

Link : http://unixwiz.net/techtips/chroot-practices.html

What is meant by breaking out of a chroot jail?

How to break out from a chroot jail? I am not able to understand from the above link.

Please help me.
Thanks in advance
 
Old 10-28-2009, 01:23 AM   #2
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Mint
Posts: 17,808

Rep: Reputation: 743
First, you don't give us "requirements"---the trick is to make REQUESTS and to say "please" (Which you DID do).

Second---with respect to "urgent": As the old saying goes: "That plus a quarter will get you a cup of coffee.".


Can you not simply change the permissions for the chroot executable? Please post the output of "ls -lR /usr/bin | grep chroot"

Regardless, allowing anyone except root to use chroot does not seem like a really good idea.....
 
Old 10-28-2009, 01:28 AM   #3
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Buster (Fluxbox WM)
Posts: 1,390
Blog Entries: 52

Rep: Reputation: 359
If you are going to allow users to do a chroot, there isn't much point having it in the first place. Since chroot doesn't nest (like a true virtualization would), then anyone who can run it can break out of a chroot jail. 'Breaking out of a chroot jail' means being able to access any part of the real filesystem.
 
Old 10-28-2009, 01:32 AM   #4
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 10 (Buster)
Posts: 3,373

Rep: Reputation: 138
Sticky bit?
 
Old 10-28-2009, 03:07 AM   #5
narendra1310
Member
 
Registered: May 2008
Posts: 41

Original Poster
Rep: Reputation: 15
ls -lR /usr/bin | grep chroot
-rwxr-xr-x 1 root root 18828 2009-10-26 19:58 chroot
 
Old 10-28-2009, 03:59 AM   #6
narendra1310
Member
 
Registered: May 2008
Posts: 41

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by pixellany View Post
First, you don't give us "requirements"---the trick is to make REQUESTS and to say "please" (Which you DID do).

Second---with respect to "urgent": As the old saying goes: "That plus a quarter will get you a cup of coffee.".


Can you not simply change the permissions for the chroot executable? Please post the output of "ls -lR /usr/bin | grep chroot"

Regardless, allowing anyone except root to use chroot does not seem like a really good idea.....



ls -lR /usr/bin | grep chroot
-rwxr-xr-x 1 root root 18828 2009-10-26 19:58 chroot
 
Old 10-28-2009, 04:11 AM   #7
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Buster (Fluxbox WM)
Posts: 1,390
Blog Entries: 52

Rep: Reputation: 359
Perhaps you could supply some more information:

* What daemon are you trying to run?
* Is it your own code? If so, why are you doing a chroot?
* Why does it need to run as a non-root user?

The normal approach is to:
* change directory to inside the chroot tree
* chroot
* drop root privileges
 
Old 10-28-2009, 05:28 AM   #8
narendra1310
Member
 
Registered: May 2008
Posts: 41

Original Poster
Rep: Reputation: 15
My sample code:

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

int main(void)
{
    int chngd;
    char path[100];

    /* Step into the tree that will become the jail root */
    chngd = chdir("/home/test/builds/server/mychroot");
    printf("chngd=%d\n", chngd);

    /* First attempt: start httpd before the chroot, cwd = jail root */
    printf("************\n");
    system("./apache/bin/httpd -k start");
    printf("************\n");

    /* Make the current directory the root; this needs root privileges */
    if (chroot(".") != 0)
        perror("chroot");

    memset(path, 0, sizeof path);
    if (getcwd(path, sizeof path) == NULL)
        perror("getcwd");
    printf("cwd=%s\n", path);

    printf("uid=%d\teuid=%d\n", getuid(), geteuid());
    if (setuid(500) != 0) /* 500 is the non-root user's uid */
        perror("setuid");
    printf("uid=%d\teuid=%d\n", getuid(), geteuid());

    /* Second attempt: start httpd inside the jail as uid 500 (via /bin/sh) */
    printf("$$$$$$$$$$$\n");
    system("./apache/bin/httpd -k start");
    printf("$$$$$$$$$$$\n");

    return 0;
}


Result:
chngd=0
************
httpd: could not open document config file /apache/conf/httpd.conf
************

cwd=/home/test/builds/server/mychroot

uid=0 euid=0
uid=500 euid=500

$$$$$$$$$$$
sh: error while loading shared libraries: libtinfo.so.5: cannot open shared object file: No such file or directory
$$$$$$$$$$$


For your reference:

find / -name libtinfo.so.5
/usr/local/lib/libtinfo.so.5

ls -l /home/test/builds/server/mychroot/usr/local/lib/libtinfo.so.5
-rwxr-xr-x 1 root root 95188 2009-10-27 20:26 /home/test/builds/server/mychroot/usr/local/lib/libtinfo.so.5




Quote:
Originally Posted by neonsignal View Post
Perhaps you could supply some more information:

what daemon are you trying to run?
is it your own code? if so, why are you doing a chroot?
why does it need to run as a non-root user?

The normal approach is to:
* change the directory inside the chroot tree
* chroot
* drop root privileges
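Editor's added example (not code from any poster in this thread) showing the chdir / chroot / drop-privileges order neonsignal describes, followed by an execv of the daemon. The jail path and the uid/gid 500 are placeholders taken from the thread, not values checked against any system. Two points the program in post #8 does not cover: setuid alone leaves supplementary groups in place and is never checked for failure, and calling system() runs /bin/sh inside the jail, so the shell and every library it links (libtinfo.so.5 in the error above) must also exist in the jail; execv starts httpd directly and removes that dependency. The dynamic loader inside the jail only consults the jail's own /etc/ld.so.cache and default library directories, so a copy under /usr/local/lib is found only if the jail's ld.so.conf/ld.so.cache list it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Which step of enter_jail() failed, if any. */
enum jail_status {
    JAIL_OK = 0,
    JAIL_ERR_CHDIR,      /* jail directory missing or not enterable */
    JAIL_ERR_CHROOT,     /* not root, or chroot(2) refused */
    JAIL_ERR_SETGROUPS,  /* could not clear supplementary groups */
    JAIL_ERR_SETGID,
    JAIL_ERR_SETUID,
    JAIL_ERR_STILL_ROOT  /* root could be regained after the drop: abort */
};

/* Enter `dir` as the new root and permanently become uid/gid.
 * Order matters: chdir first so the cwd is inside the jail, chroot while
 * still root, then drop groups, gid and finally uid. Returns JAIL_OK or
 * the failing step; errno is left as set by the failing call. */
enum jail_status enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0)
        return JAIL_ERR_CHDIR;
    if (chroot(".") != 0)
        return JAIL_ERR_CHROOT;
    /* chroot does not move the cwd; re-anchor at the new root explicitly. */
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;
    /* Supplementary groups survive setuid; clear them while still root. */
    if (setgroups(0, NULL) != 0)
        return JAIL_ERR_SETGROUPS;
    if (setgid(gid) != 0)
        return JAIL_ERR_SETGID;
    /* setuid(2) called by root sets real, effective AND saved uid. */
    if (setuid(uid) != 0)
        return JAIL_ERR_SETUID;
    /* Verify the drop is irreversible: all uids are `uid`, setuid(0) fails. */
    if (getuid() != uid || geteuid() != uid || setuid(0) == 0)
        return JAIL_ERR_STILL_ROOT;
    return JAIL_OK;
}

int main(void)
{
    /* Placeholder values from the thread: the jail tree and non-root uid 500
     * (gid 500 is assumed to match). */
    const char *jail = "/home/test/builds/server/mychroot";
    enum jail_status st = enter_jail(jail, 500, 500);
    if (st != JAIL_OK) {
        fprintf(stderr, "enter_jail failed at step %d: %s\n",
                (int)st, strerror(errno));
        return 1;
    }
    /* Start the daemon directly: no /bin/sh (and none of its libraries) is
     * needed inside the jail. httpd's own libraries, config and /dev nodes
     * still have to be present under the jail root. Path is from the thread. */
    char *const args[] = { "/apache/bin/httpd", "-k", "start", NULL };
    execv(args[0], args);
    perror("execv");
    return 1;
}
```

Running it as root enters the jail and execs httpd as uid 500; running it as an unprivileged user stops at JAIL_ERR_CHROOT, which is the expected behaviour and the reason the daemon has to be started by root and then drop privileges itself.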
 
Old 10-28-2009, 05:47 AM   #9
narendra1310
Member
 
Registered: May 2008
Posts: 41

Original Poster
Rep: Reputation: 15
I am using chroot because I need to run my Apache in a secure place. So I chose a directory which contains Apache and its dependency libraries and also other components related to my application xxxx.

I tried chroot to that directory and ran the command [chroot /home/test/builds/server/mychroot /apache/bin/httpd k start ] as the root user and I succeeded in that. chroot worked fine and Apache runs fine as the root user.

***********************************
But Now I NEED TO ===> Run in the chrootjail as a non-root user
http://unixwiz.net/techtips/chroot-practices.html
***********************************

 
Old 10-28-2009, 06:30 AM   #10
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Buster (Fluxbox WM)
Posts: 1,390
Blog Entries: 52

Rep: Reputation: 359
Some people use mod_chroot, which enables them to do the chroot after the startup of Apache. This saves having to duplicate a lot of the directories that Apache requires.
 
  

