Gentoo's Bugzilla – Attachment 80111 Details for Bug 123292: Security Handbook Chroot rewrite
Attachment 80111 (flags: patch, obsolete): shb-chroot.diff
shb-chroot.diff (text/plain), 11.18 KB, created by Chris White (RETIRED) on 2006-02-18 09:23:52 UTC
Description: shb-chroot.diff
>--- shb-chroot.xml.old 2006-02-19 00:14:38.000000000 +0900 >+++ shb-chroot.xml 2006-02-19 02:18:53.000000000 +0900 
>@@ -18,74 +18,229 @@ > Chrooting a service is a way of limiting a service (or user) environment to > only accessing what it should and not gaining access (or information) that > could lead to root access. By running the service as another user than >-<c>root</c> (<c>nobody</c>, <c>apache</c>, <c>named</c>) an attacker can only >+<b>root</b> (<b>nobody</b>, <b>apache</b>, <b>named</b>) an attacker can only > access files with the permissions of this user. This means that an attacker >-cannot gain <c>root</c> access even if the services has a security flaw. >+cannot gain <b>root</b> access even if the services has a security flaw. > </p> > > <p> > Some services like <c>pure-ftpd</c> and <c>bind</c> have features for > chrooting, and other services do not. If the service supports it, use it, >-otherwise you have to figure out how to create your own. Lets see how to create >-a chroot, for a basic understanding of how chroots work, we will test it with >-<c>bash</c> (easy way of learning). >+otherwise you have to figure out how to create your own. In this document, we'll >+look at chroot-ing <c>www-servers/monkeyd</c>, a lightweight webserver. First, >+the server package needs to be emerged: > </p> > >+<pre caption="Emerge-ing monkeyd"> >+# emerge -apv www-servers/monkeyd >+</pre> >+ >+<p> >+Once it's installed, files must be copied over to the chroot, and the libraries >+that <c>monkeyd</c> links against must be checked. First the libraries should >+be checked using <c>ldd</c>: >+</p> >+ >+<note> >+You can skip checking the linked libraries if bash was compiled with the >+<c>static</c> USE flag. 
>+</note> >+ >+<pre caption="Checking the libraries that monkeyd links against"> >+# <i>ldd /usr/bin/monkey</i> >+ linux-gate.so.1 => (0xffffe000) >+ libpthread.so.0 => /lib/libpthread.so.0 (0xb7eed000) >+ libc.so.6 => /lib/libc.so.6 (0xb7dd9000) >+ /lib/ld-linux.so.2 (0xb7f1e000) >+</pre> >+ >+<p> >+The files that showup with absolute paths must be copied over for the program to >+work. Let's go ahead and copy them over: >+</p> >+ >+<pre caption="Copying over the dynamic libraries"> >+# <i>mkdir /chroot/lib</i> >+# <i>cp -p /lib/{libpthread.so.0,libc.so.6,ld-linux.so.2} /chroot/lib/</i> >+</pre> >+ >+<p> >+Now that the dynamic libraries are copied over, the actual files that the >+program uses must be copied over as well. This includes things such as >+configuration files and server modules. To help eleviate the stress of going >+through and finding every single file a program needs, I've created this simple >+script which uses equery to copy over the needed files: >+</p> >+ >+<pre caption="chroot_setup.sh"> >+#!/bin/bash >+for files in $(equery -q -C files $1 | grep "^\/" | grep -v "\.d") >+do >+if [ ! -e $2${files} ] ; then >+ if [ -d ${files} ] ; then >+ echo "Creating directory $2${files}..." >+ mkdir -p $2${files} >+ else >+ echo "Copying over file $2${files}..." >+ cp -p ${files} $2${files} >+ fi >+fi >+done >+</pre> >+ >+<p> >+This script takes 2 arguments. The first is the name of the package, and the >+second is the location to the chroot (without the leading slash). Here is an >+example output using <c>www-servers/monkeyd</c>: >+</p> >+ >+<pre caption="Running chroot_setup.sh"> >+# <i>chroot_setup.sh www-servers/monkeyd /chroot</i> >+Creating directory /chroot/etc... >+Creating directory /chroot/etc/monkeyd... >+Copying over file /chroot/etc/monkeyd/modules.conf... >+Copying over file /chroot/etc/monkeyd/monkey.conf... >+Copying over file /chroot/etc/monkeyd/monkey.mime... >+Creating directory /chroot/usr... >+Creating directory /chroot/usr/bin... 
>+Copying over file /chroot/usr/bin/monkey... >+Creating directory /chroot/usr/lib... >+Creating directory /chroot/usr/lib/debug... >+Creating directory /chroot/usr/lib/debug/usr... >+Creating directory /chroot/usr/lib/debug/usr/bin... >+Creating directory /chroot/usr/share... >+Creating directory /chroot/usr/share/doc... >+Creating directory /chroot/usr/share/doc/monkeyd-0.9.1... >+Copying over file /chroot/usr/share/doc/monkeyd-0.9.1/ChangeLog.txt.gz... >+Copying over file /chroot/usr/share/doc/monkeyd-0.9.1/HowItWorks.txt.gz... >+Copying over file /chroot/usr/share/doc/monkeyd-0.9.1/MODULES.gz... >+Copying over file /chroot/usr/share/doc/monkeyd-0.9.1/README.gz... >+Creating directory /chroot/var... >+Creating directory /chroot/var/log... >+Creating directory /chroot/var/log/monkeyd... >+Creating directory /chroot/var/www... >+Creating directory /chroot/var/www/localhost... >+Creating directory /chroot/var/www/localhost/cgi-bin... >+Copying over file /chroot/var/www/localhost/cgi-bin/test.pl... >+Creating directory /chroot/var/www/localhost/htdocs... >+Creating directory /chroot/var/www/localhost/htdocs/docs... >+Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.en.html... >+Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.es.html... >+Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.fr.html... >+Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.pt-br.html... >+Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.ru.html... >+Copying over file /chroot/var/www/localhost/htdocs/docs/monkey+php.sv.html... >+Creating directory /chroot/var/www/localhost/htdocs/imgs... >+Copying over file /chroot/var/www/localhost/htdocs/imgs/logonooficial.jpg... >+Copying over file /chroot/var/www/localhost/htdocs/imgs/titulo.jpg... >+Copying over file /chroot/var/www/localhost/htdocs/index-monkey.html... >+Creating directory /chroot/var/www/localhost/htdocs/php... 
>+Copying over file /chroot/var/www/localhost/htdocs/php/index.php... >+</pre> >+ >+<p> >+Now that the environment is setup, the init.d script must be adjusted to handle >+the chroot environment. Here is an example change I made to the monkeyd init.d >+file to handle this: >+</p> >+ >+<pre caption="Modifying the monkeyd init.d file for chroot"> >+- /usr/bin/monkey -D &> /dev/null >++ chroot /chroot /usr/bin/monkey -D &> /dev/null >+ >+- start-stop-daemon --stop --quiet --pidfile ${MONKEY_PID} >++ start-stop-daemon --stop --quiet --pidfile /chroot/${MONKEY_PID} >+ >+- rm -f ${MONKEY_PID} >++ rm -f /chroot/${MONKEY_PID} >+</pre> >+ >+<note> >+You can also edit conf.d/monkeyd and prepend /chroot to MONKEY_PID as well. >+</note> >+ > <p> >-Create the <path>/chroot</path> directory with <c>mkdir /chroot</c>. And find what >-dynamic libraries that <c>bash</c> is compiled with (if it is compiled with >-<c>-static</c> this step is not necessary): >+However, when attempting to start monkeyd, the service fails. In order to find >+out why, <c>strace</c> can be used. Here we find the problem is that monkeyd is >+unable to create the pid file: > </p> > >+<pre caption="Debugging inaccessable files with strace"> >+# <i>strace -o strace.log chroot /chroot/ /usr/bin/monkey</i> >+ >+<comment>(problem file)</comment> >+unlink("/var/run/monkey.pid") = -1 ENOENT (No such file or directory) >+open("/var/run/monkey.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory) >+write(1, "Error: I can\'t log pid of monkey"..., 33) = 33 >+</pre> >+ > <p> >-The following command will create a list of libraries used by <c>bash</c>. 
>+So in order to fix this, we create the appropriate /var/run directory: > </p> > >-<pre caption="Get listing of used libraries"> >-# <i>ldd /bin/bash</i> >- libncurses.so.5 => /lib/libncurses.so.5 (0x4001b000) >- libdl.so.2 => /lib/libdl.so.2 (0x40060000) >- libc.so.6 => /lib/libc.so.6 (0x40063000) >- /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) >+<pre caption="Creating the /var/run directory"> >+# <i>mkdir -p /chroot/var/run</i> > </pre> > > <p> >-Now lets create the environment for <c>bash</c>. >+There were a couple of other files missing, all of them I transfered over as >+shown here: > </p> > >-<pre caption="Create chroot-environment for bash"> >-# <i>mkdir /chroot/bash</i> >-# <i>mkdir /chroot/bash/bin</i> >-# <i>mkdir /chroot/bash/lib</i> >+<pre caption="Transfering over other missing files"> >+# <i>cp -p /etc/nsswitch.conf /chroot/etc/</i> >+# <i>cp -p /etc/passwd /chroot/etc/</i> >+# <i>cp -p /etc/group /chroot/etc/</i> >+# <i>cp -p /lib/libnss_compat.so.2 /chroot/lib/</i> >+# <i>cp -p /usr/lib/libnsl.so /chroot/usr/lib/libnsl.so.1</i> >+# <i>cp -p /usr/lib/libnss_nis.so /chroot/lib/libnss_nis.so.2</i> >+# <i>cp -p /usr/lib/libnss_files.so /chroot/lib/libnss_nis.so.2</i> >+# <i>cp -p /lib/libgcc_s.so.1 /chroot/lib/</i> > </pre> > > <p> >-Next copy the files used by <c>bash</c> (<path>/lib</path>) to the chrooted >-<path>lib</path> and copy the bash command to the chrooted <path>bin</path> >-directory. This will create the exact same environment, just with less >-functionality. After copying try it out: <c>chroot /chroot/bash /bin/bash</c>. >-If you get an prompt saying <path>/</path> it works! Otherwise it will properly >-tell you what a file is missing. Some shared libraries depend on each other. >+And now that the problematic files are handled, go ahead and start the init.d >+script: > </p> > >+<pre caption="Running the monkeyd init.d script"> >+# <i>/etc/init.d/monkeyd start</i> >+ * Starting monkeyd ... 
[ ok ] >+</pre> >+ > <p> >-You will notice that inside the chroot nothing works except <c>echo</c>. This >-is because we have no other commands in out chroot environment than bash and >-<c>echo</c> is a build-in functionality. >+And just to make sure: > </p> > >+<pre caption="Verifying that monkeyd is running"> >+# <i>ps aux | grep monkey</i> >+nobody 24007 0.0 0.0 1684 572 ? Ss 01:55 0:00 /usr/bin/monkey -D >+root 24009 0.0 0.1 2664 752 pts/2 R+ 01:55 0:00 grep monkey >+# <i> wget http://localhost:2001/index-monkey.html</i> >+--02:11:29-- http://localhost:2001/index-monkey.html >+ => `index-monkey.html' >+Resolving localhost... 127.0.0.1 >+Connecting to localhost|127.0.0.1|:2001... connected. >+HTTP request sent, awaiting response... 200 OK >+Length: 2,610 (2.5K) [text/html] >+ >+100%[==========================================================================================================================>] 2,610 --.--K/s >+ >+02:11:29 (49.78 MB/s) - `index-monkey.html' saved [2610/2610] >+</pre> >+ >+<p> >+And to be extra safe, verify that the init.d script can stop the service as >+well: >+</p> >+ >+<pre caption="Stopping the monkeyd service"> >+# <i>/etc/init.d/monkeyd stop</i> >+* Stopping monkeyd ... [ ok ] >+</pre> >+ > <p> >-This is basically the same way you would create a chrooted service. The only >-difference is that services sometimes rely on devices and configuration files >-in <path>/etc</path>. Simply copy them (devices can be copied with <c>cp >--a</c>) to the chrooted environment, edit the init script to use chroot before >-executing. It can be difficult to find what devices and configuration files a >-services need. This is where the <c>strace</c> command becomes handy. Start >-the service with <c>/usr/bin/strace</c> bash and look for open, read, stat and >-maybe connect. This will give you a clue on what files to copy. 
But in most >-cases just copy the passwd file (edit the copy and remove users that has >-nothing to do with the service), <path>/dev/zero</path>, <path>/dev/log</path> >-and <path>/dev/random</path>. >+And that's it! You've now setup your chroot'ed service. > </p> > > </body>
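Review bot: the last copy in the "Transfering over other missing files" block has the wrong destination name, `cp -p /usr/lib/libnss_files.so /chroot/lib/libnss_nis.so.2`: it clobbers the libnss_nis.so.2 installed by the line just before it and never installs libnss_files.so.2 at all, so the destination should be `/chroot/lib/libnss_files.so.2`. In the same block, `/usr/lib/libnsl.so` and `/usr/lib/libnss_nis.so` are the unversioned development symlinks; copying the versioned `.so.1`/`.so.2` targets from /lib, as the `libnss_compat.so.2` line already does, would be more consistent and avoids renaming on the fly. The `<note>` "You can skip checking the linked libraries if bash was compiled with the static USE flag" is left over from the bash walkthrough this patch replaces and should refer to monkeyd (or be dropped). The chroot_setup.sh description says the second argument is the chroot location "without the leading slash", but the example invocation passes `/chroot`; it should say without the trailing slash. The script's `grep -v "\.d"` filter skips any path containing a literal `.d`, which presumably is why the empty `/chroot/usr/lib/debug/usr/bin` tree is created in the sample output without a file in it, and the script also copies everything under /usr/share/doc into the chroot, which the service does not need. The conf.d suggestion ("prepend /chroot to MONKEY_PID") and the init.d edit (`--pidfile /chroot/${MONKEY_PID}`, `rm -f /chroot/${MONKEY_PID}`) are alternatives, not complements: applying both yields a `/chroot//chroot/...` path, so the note should say "instead of" rather than "as well". Finally, the removed text's advice to trim accounts unrelated to the service from the copied passwd file was dropped while `cp -p /etc/passwd /chroot/etc/` now copies the full system account list; that sentence is worth keeping. The `<c>` to `<b>` change for root/nobody/apache/named in the first paragraph is unrelated markup churn and could be left out of a content rewrite.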