[ale] Doing a chroot in Perl

Christopher Fowler cfowler at outpostsentinel.com
Tue Aug 29 12:35:31 EDT 2006


I doing something wrong in my test program.  This program takes an
argument and executes it in a chroot environment.  If not argument is
given it will simply execute the shell instead.

This is part of my script execution that I asked about a week or so ago.
I am now going to extract the script from the database and place it in a
chroot environment.  I will then execute it from there.  I'm using this
test program before I integrate it into the main code.

--- [ Cut Here ]-------------------------------------
#!/usr/bin/perl

use POSIX qw/setuid setgid/;
use strict;

# Globals
my $root = "/opt/SAM/ScriptExecRoot";

sub main {

  # Verify if proc is mounted
  # if not mount it for the user
  if(! -d "$root/proc/1") {
    system "mount -o bind /proc $root/proc";
  }


  # Setup default language
  # This root does not support locale
  # and perl needs this
  $ENV{'LANG'} = "C";
  $ENV{'PATH'} = "$ENV{'PATH'}:/sbin:/usr/sbin";

  # Change our root and
  # set our uid
  chroot $root;

  my ($name,$pass,$uid,$gid,undef,undef,undef,$dir) = getpwnam("tomcat")
or die;

  setgid $uid;
  setuid $uid;
  chdir $dir;

  # No argument?  Just exec a shell
  if($#ARGV == -1 ) {
    exec "/bin/sh"
      or die "exec $!\n";
  }

  exec "/bin/sh", ("-c", @ARGV)
    or die "exec $!\n";
}

exit main;
--- [ Cut Here ]-------------------------------------

The problem is that I'm able to do stuff I should not be able to.

Here is output 

--- [ Cut Here ]-------------------------------------
[root at sam-demo ScriptExecRoot]# bin/exec.pl 


BusyBox v1.2.1 (2006.08.26-21:30+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

$ ps > /
$ ls -l /out
-rw-r--r--    1 500      500          6998 Aug 26 23:42 /out
$ 
[root at sam-demo ScriptExecRoot]# ls -l 
total 276
drwxrwxr-x    2 root   root     4096 Aug 26 19:42 bin
drwxr-xr-x   23 root   root   233472 Aug 26 18:25 dev
drwxr-xr-x    2 root   root     4096 Aug 26 19:28 etc
drwxr-xr-x    3 root   root     4096 Aug 26 18:20 home
dr-xr-xr-x    2 root   root     4096 Aug 26 19:29 lib
drwxr-xr-x    3 root   root     4096 Aug 26 17:58 opt
-rw-r--r--    1 tomcat tomcat   6998 Aug 26 19:42 out
dr-xr-xr-x  209 root   root        0 Apr 18 05:32 proc
drwxr-xr-x    2 root   root     4096 Aug 26 18:21 root
drwxrwxr-x    2 root   root     4096 Aug 26 17:31 sbin
drwxrwxrwt    2 root   root     4096 Aug 26 19:42 tmp
drwxrwxr-x    3 root   root     4096 Aug 26 17:29 usr
--- [ Cut Here ]-------------------------------------

As you can see /out is owned by tomcat.tomcat but why was he able to
place anything in /out?  Probably something simple I'm not seeing or
forgot to do.

Thanks,
Chris






More information about the Ale mailing list