Gentoo's Bugzilla – Attachment 80110 Details for Bug 123292: Security Handbook Chroot rewrite
Attachment: shb-chroot.xml (text/plain), 9.39 KB, created by Chris White (RETIRED) on 2006-02-18 09:23:21 UTC
Flags: patch, obsolete
<?xml version='1.0' encoding='UTF-8'?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml,v 1.2 2005/12/15 22:45:57 rane Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
<!-- See http://creativecommons.org/licenses/by-sa/1.0 -->

<sections>

<version>1.1</version>
<date>2005-12-15</date>

<section>
<title>Chrooting</title>
<body>

<p>
Chrooting a service is a way of limiting a service's (or user's) environment so
that it can access only what it needs and cannot reach files (or information)
that could lead to root access. By running the service as a user other than
<b>root</b> (<b>nobody</b>, <b>apache</b>, <b>named</b>), an attacker who
compromises the service can only access files with that user's permissions,
which makes it much harder to gain <b>root</b> access through a flaw in the
service. Keep in mind that chroot is only a containment measure, not a
privilege boundary: a process that keeps running as <b>root</b> inside the
chroot can still break out of it. The service must therefore drop its
privileges, and the chroot directory tree should be owned by <b>root</b> and
not be writable by the service user.
</p>

<p>
Some services, like <c>pure-ftpd</c> and <c>bind</c>, have built-in chroot
support, and others do not. If the service supports it, use it; otherwise you
have to build the chroot yourself. In this document we will look at chrooting
<c>www-servers/monkeyd</c>, a lightweight web server. First, the server
package needs to be emerged:
</p>

<pre caption="Emerging monkeyd">
# <i>emerge -apv www-servers/monkeyd</i>
</pre>

<p>
Once it is installed, the files monkeyd needs must be copied into the chroot,
starting with the shared libraries that <c>/usr/bin/monkey</c> links against.
These can be listed with <c>ldd</c>:
</p>

<note>
You can skip this step if <c>monkeyd</c> was built as a static binary
(<c>ldd</c> then reports "not a dynamic executable"). Only run <c>ldd</c> on
binaries you trust, such as the package you have just emerged, since
<c>ldd</c> may execute the program's dynamic loader to produce its output.
</note>

<pre caption="Checking the libraries that monkeyd links against">
# <i>ldd /usr/bin/monkey</i>
        linux-gate.so.1 =>  (0xffffe000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb7eed000)
        libc.so.6 => /lib/libc.so.6 (0xb7dd9000)
        /lib/ld-linux.so.2 (0xb7f1e000)
</pre>

<p>
The entries that show up with absolute paths must be copied into the chroot for
the program to work (<c>linux-gate.so.1</c> is the kernel's vDSO and has no
file to copy). Let's go ahead and copy them over:
</p>

<pre caption="Copying over the dynamic libraries">
# <i>mkdir -p /chroot/lib</i>
# <i>cp -p /lib/{libpthread.so.0,libc.so.6,ld-linux.so.2} /chroot/lib/</i>
</pre>

<p>
Now that the dynamic libraries are in place, the other files that the program
uses must be copied over as well: configuration files, server modules and so
on. To avoid hunting down every file a package needs by hand, the following
script uses <c>equery</c> to copy the files owned by the package into the
chroot:
</p>

<pre caption="chroot_setup.sh">
#!/bin/bash
# Usage: chroot_setup.sh CATEGORY/PACKAGE CHROOT_DIR
# Copies every file owned by the package into CHROOT_DIR at the same path,
# preserving owner and permissions. Entries under /etc/init.d and /etc/conf.d
# are skipped: the init script stays on the host, outside the chroot.
pkg=$1
chroot_dir=${2%/}   # drop a trailing slash so "${chroot_dir}${file}" stays a valid path

equery -q -C files "${pkg}" | grep "^/" | grep -v "^/etc/\(init\|conf\)\.d/" |
while IFS= read -r file
do
	if [ ! -e "${chroot_dir}${file}" ] ; then
		if [ -d "${file}" ] ; then
			echo "Creating directory ${chroot_dir}${file}..."
			mkdir -p "${chroot_dir}${file}"
		else
			echo "Copying over file ${chroot_dir}${file}..."
			mkdir -p "${chroot_dir}$(dirname "${file}")"
			cp -p "${file}" "${chroot_dir}${file}"
		fi
	fi
done
</pre>

<p>
This script takes two arguments. The first is the name of the package, and the
second is the path to the chroot directory (a trailing slash is ignored). Here
is an example run using <c>www-servers/monkeyd</c>:
</p>

<pre caption="Running chroot_setup.sh">
# <i>chroot_setup.sh www-servers/monkeyd /chroot</i>
Creating directory /chroot/etc...
Creating directory /chroot/etc/monkeyd...
Copying over file /chroot/etc/monkeyd/modules.conf...
Copying over file /chroot/etc/monkeyd/monkey.conf...
Copying over file /chroot/etc/monkeyd/monkey.mime...
Creating directory /chroot/usr...
Creating directory /chroot/usr/bin...
Copying over file /chroot/usr/bin/monkey...
Creating directory /chroot/usr/lib...
Creating directory /chroot/usr/lib/debug...
Creating directory /chroot/usr/lib/debug/usr...
Creating directory /chroot/usr/lib/debug/usr/bin...
Creating directory /chroot/usr/share...
Creating directory /chroot/usr/share/doc...
Creating directory /chroot/usr/share/doc/monkeyd-0.9.1...
Copying over file /chroot/usr/share/doc/monkeyd-0.9.1/ChangeLog.txt.gz...
Copying over file /chroot/usr/share/doc/monkeyd-0.9.1/HowItWorks.txt.gz...
Copying over file /chroot/usr/share/doc/monkeyd-0.9.1/MODULES.gz...
Copying over file /chroot/usr/share/doc/monkeyd-0.9.1/README.gz...
Creating directory /chroot/var...
Creating directory /chroot/var/log...
Creating directory /chroot/var/log/monkeyd...
Creating directory /chroot/var/www...
Creating directory /chroot/var/www/localhost...
Creating directory /chroot/var/www/localhost/cgi-bin...
Copying over file /chroot/var/www/localhost/cgi-bin/test.pl...
Creating directory /chroot/var/www/localhost/htdocs...
Creating directory /chroot/var/www/localhost/htdocs/docs...
Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.en.html...
Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.es.html...
Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.fr.html...
Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.pt-br.html...
Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.ru.html...
Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.sv.html...
Creating directory /chroot/var/www/localhost/htdocs/imgs...
Copying over file /chroot/var/www/localhost/htdocs/imgs/logonooficial.jpg...
Copying over file /chroot/var/www/localhost/htdocs/imgs/titulo.jpg...
Copying over file /chroot/var/www/localhost/htdocs/index-monkey.html...
Creating directory /chroot/var/www/localhost/htdocs/php...
Copying over file /chroot/var/www/localhost/htdocs/php/index.php...
</pre>

<p>
Not everything a package owns is needed at runtime. The documentation under
<c>/chroot/usr/share/doc/</c> can be removed again, and the sample content
under <c>/chroot/var/www/localhost/</c> should be replaced with your own
before the server is exposed.
</p>

<p>
Now that the environment is set up, the init.d script must be adjusted to start
the server inside the chroot. Here is an example of the changes made to the
monkeyd init.d file to handle this:
</p>

<pre caption="Modifying the monkeyd init.d file for chroot">
- /usr/bin/monkey -D &amp;> /dev/null
+ chroot /chroot /usr/bin/monkey -D &amp;> /dev/null

- start-stop-daemon --stop --quiet --pidfile ${MONKEY_PID}
+ start-stop-daemon --stop --quiet --pidfile /chroot/${MONKEY_PID}

- rm -f ${MONKEY_PID}
+ rm -f /chroot/${MONKEY_PID}
</pre>

<note>
Alternatively, edit <c>/etc/conf.d/monkeyd</c> and prepend <c>/chroot</c> to
MONKEY_PID there, so that fewer lines of the init.d script need to change.
</note>

<p>
However, when attempting to start monkeyd, the service fails. To find out why,
<c>strace</c> can be used. Here we find that monkeyd is unable to create its
pid file, because <c>/var/run</c> does not exist inside the chroot:
</p>

<pre caption="Debugging inaccessible files with strace">
# <i>strace -o strace.log chroot /chroot/ /usr/bin/monkey</i>

<comment>(problem file)</comment>
unlink("/var/run/monkey.pid")           = -1 ENOENT (No such file or directory)
open("/var/run/monkey.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
write(1, "Error: I can\'t log pid of monkey"..., 33) = 33
</pre>

<p>
The paths in the trace are relative to the chroot, so the fix is to create the
<c>/var/run</c> directory inside it:
</p>

<pre caption="Creating the /var/run directory">
# <i>mkdir -p /chroot/var/run</i>
</pre>

<p>
A couple of other files were missing as well, most of them needed so that the
server can look up the user it drops privileges to (<c>nsswitch.conf</c>,
<c>passwd</c>, <c>group</c> and the NSS libraries, which glibc loads at runtime
and which therefore never show up in the <c>ldd</c> output). They were
transferred over as shown here:
</p>

<pre caption="Transferring over other missing files">
# <i>cp -p /etc/nsswitch.conf /chroot/etc/</i>
# <i>cp -p /etc/passwd /chroot/etc/</i>
# <i>cp -p /etc/group /chroot/etc/</i>
# <i>cp -p /lib/libnss_compat.so.2 /chroot/lib/</i>
# <i>cp -p /usr/lib/libnsl.so /chroot/usr/lib/libnsl.so.1</i>
# <i>cp -p /usr/lib/libnss_nis.so /chroot/lib/libnss_nis.so.2</i>
# <i>cp -p /usr/lib/libnss_files.so /chroot/lib/libnss_files.so.2</i>
# <i>cp -p /lib/libgcc_s.so.1 /chroot/lib/</i>
</pre>

<note>
Copy only the entries for <b>root</b> and the service user (<b>nobody</b> here)
into the chroot's <c>passwd</c> and <c>group</c> files rather than the complete
host files, and never copy <c>/etc/shadow</c>: anything placed inside the
chroot should be assumed readable by an attacker who compromises the service.
</note>

<p>
Now that the problematic files are handled, go ahead and start the init.d
script:
</p>

<pre caption="Running the monkeyd init.d script">
# <i>/etc/init.d/monkeyd start</i>
 * Starting monkeyd ...                                       [ ok ]
</pre>

<p>
Just to make sure, verify that the server is running as <b>nobody</b> rather
than <b>root</b> and that it serves pages. <c>readlink /proc/24007/root</c>
(using the pid from the <c>ps</c> output) should print <c>/chroot</c>,
confirming that the process really is confined:
</p>

<pre caption="Verifying that monkeyd is running">
# <i>ps aux | grep monkey</i>
nobody   24007  0.0  0.0  1684  572 ?        Ss   01:55   0:00 /usr/bin/monkey -D
root     24009  0.0  0.1  2664  752 pts/2    R+   01:55   0:00 grep monkey
# <i>wget http://localhost:2001/index-monkey.html</i>
--02:11:29--  http://localhost:2001/index-monkey.html
           => `index-monkey.html'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:2001... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,610 (2.5K) [text/html]

100%[==========================================>] 2,610         --.--K/s

02:11:29 (49.78 MB/s) - `index-monkey.html' saved [2610/2610]
</pre>

<p>
And to be extra safe, verify that the init.d script can stop the service as
well:
</p>

<pre caption="Stopping the monkeyd service">
# <i>/etc/init.d/monkeyd stop</i>
 * Stopping monkeyd ...                                       [ ok ]
</pre>

<p>
And that's it! You have now set up your chrooted service.
</p>

</body>
</section>
<section>
<title>User Mode Linux</title>
<body>

<p>
Another way of creating a more secure environment is by running a virtual
machine. A virtual machine, as the name implies, is a process that runs on top
of your real operating system, providing a hardware and operating system
environment that appears to be its own unique machine. The security benefit is
that if the server running in the virtual machine is compromised, only the
virtual server is affected and not the host installation.
</p>

<p>
For more information about how to set up User Mode Linux, consult the <uri
link="/doc/en/uml.xml">User Mode Linux Guide</uri>.
</p>

</body>
</section>

</sections>
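The steps of the chroot procedure above (listing libraries with ldd, copying them without dangling symlinks, adding the account files, creating /var/run, and checking the result) are collected into the helper script below. This is an added example for this page, not the handbook's chroot_setup.sh or any monkeyd code. The function names, the ROOT/BINARY/USER arguments, the default service user nobody and the /lib paths (the page's 32-bit layout) are this example's assumptions; the package's own configuration files are still copied with the equery-based script from the handbook, and ldd is only run on the binary you have just emerged, since ldd may execute its loader. It goes slightly beyond the page in two places: it trims passwd/group to the needed accounts instead of copying the host files, and it finishes with an audit for world-writable or setuid entries, which a chroot should not contain.

```shell
#!/bin/bash
# Added example, not the handbook's chroot_setup.sh: helpers for building
# and checking a service chroot. Assumptions: the binary is trusted (ldd may
# run its loader), the service user defaults to "nobody", and libraries live
# under /lib as in the page's layout.
set -eu

# Turn ldd output (on stdin) into the list of files to copy. The vDSO line
# "linux-gate.so.1 => (0x...)" has no file and is skipped; the bare loader
# line "/lib/ld-linux.so.2 (0x...)" is kept.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy PATH into ROOT at the same path, creating parent directories and
# resolving symlinks so a real file (not a dangling link) lands inside.
copy_into_chroot() {
    local root=$1 path=$2 real
    real=$(readlink -f -- "$path")
    mkdir -p -- "$root$(dirname -- "$path")"
    cp -p -- "$real" "$root$path"
}

# Copy every shared library a binary links against into ROOT. glibc's ldd
# exits non-zero ("not a dynamic executable") for a static binary.
copy_libs() {
    local root=$1 bin=$2
    if ! ldd "$bin" >/dev/null 2>&1; then
        echo "$bin is statically linked; no libraries to copy" >&2
        return 0
    fi
    ldd "$bin" | ldd_paths | while IFS= read -r lib; do
        copy_into_chroot "$root" "$lib"
    done
}

# Keep only the named accounts from a passwd- or group-format file on stdin,
# so the chroot does not carry the host's full account list.
minimal_accounts() {
    awk -F: -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        keep[$1]
    '
}

# List everything in ROOT that is world-writable, setuid or setgid: a writable
# chroot lets an intruder plant files, and a setuid binary is a way back to root.
audit_chroot() {
    find "$1" ! -type l \( -perm -0002 -o -perm -4000 -o -perm -2000 \) -print
}

# Usage: chroot_helper.sh ROOT BINARY [USER]   (hypothetical script name)
main() {
    local root=$1 bin=$2 user=${3:-nobody} nss
    copy_into_chroot "$root" "$bin"
    copy_libs "$root" "$bin"
    # NSS modules are dlopen()ed at runtime and never show up in ldd output.
    for nss in /lib/libnss_files.so.2 /lib/libnss_compat.so.2; do
        if [ -e "$nss" ]; then copy_into_chroot "$root" "$nss"; fi
    done
    mkdir -p -- "$root/etc" "$root/var/run"
    cp -p /etc/nsswitch.conf "$root/etc/"
    minimal_accounts root "$user" < /etc/passwd > "$root/etc/passwd"
    minimal_accounts root "$user" < /etc/group  > "$root/etc/group"
    echo "Entries that should not be in a chroot (expect no output):"
    audit_chroot "$root"
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

Running `chroot_helper.sh /chroot /usr/bin/monkey nobody` copies the binary, its libraries and the NSS files, writes trimmed passwd and group files, creates /var/run, and ends by printing anything world-writable or setuid under /chroot; that list should be empty before the init.d script is switched to `chroot /chroot ...`.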