[ale] Doing a chroot in Perl

Christopher Fowler cfowler at outpostsentinel.com
Wed Aug 30 08:47:12 EDT 2006


Here is a stat for every dir leading up to "ScriptExecRoot":

[tomcat at sam-demo /]$ stat . /opt /opt/SAM /opt/SAM/FC2 /opt/SAM/FC2/ScriptExecRoot/
  File: `.'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 900h/2304d      Inode: 2           Links: 21
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2006-08-30 08:24:37.104684112 -0400
Modify: 2006-08-30 08:24:37.634551187 -0400
Change: 2006-08-30 08:24:37.634551187 -0400
  
  File: `/opt'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 900h/2304d      Inode: 9601025     Links: 7
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2006-08-30 08:11:48.690453095 -0400
Modify: 2006-08-26 20:05:18.485629474 -0400
Change: 2006-08-26 20:05:18.485629474 -0400

  File: `/opt/SAM' -> `SAM.2_7'
  Size: 7               Blocks: 0          IO Block: 4096   symbolic link
Device: 900h/2304d      Inode: 9603031     Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (  500/  tomcat)   Gid: (  500/  tomcat)
Access: 2006-08-30 08:45:47.572032050 -0400
Modify: 2006-08-15 09:57:15.000000000 -0400
Change: 2006-08-16 08:23:49.000000000 -0400

  File: `/opt/SAM/FC2'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 900h/2304d      Inode: 11174710    Links: 7
Access: (0775/drwxrwxr-x)  Uid: (  500/  tomcat)   Gid: (  500/  tomcat)
Access: 2006-08-30 08:45:47.572032050 -0400
Modify: 2006-08-26 18:23:49.763758454 -0400
Change: 2006-08-26 18:23:49.763758454 -0400

  File: `/opt/SAM/FC2/ScriptExecRoot/'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 900h/2304d      Inode: 11274348    Links: 13
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2006-08-30 08:23:46.223448417 -0400
Modify: 2006-08-30 08:02:31.727240105 -0400
Change: 2006-08-30 08:13:18.359957955 -0400


On Wed, 2006-08-30 at 08:39 -0400, Jerry Yu wrote:
> what exactly is the permission on your jail / (aka, ScriptExecRoot)? 
> 
> On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
>         This is kinda strange.  On this same example I'm now outside
>         of my chroot jail and I cannot delete a file that is owned by
>         me.  I created that file in the jail.  I've not figured out
>         why I was able to do that, since the '/' of the jail is owned
>         by root.
>         
>         [tomcat at sam-demo ScriptExecRoot]$ whoami 
>         tomcat
>         [tomcat at sam-demo ScriptExecRoot]$ ls -l
>         total 276
>         drwxrwxr-x    2 root   root     4096 Aug 30 07:58 bin
>         drwxr-xr-x   23 root   root   233472 Aug 26 18:25 dev
>         drwxr-xr-x    2 root   root     4096 Aug 30 08:02 etc 
>         drwxr-xr-x    3 root   root     4096 Aug 26 18:20 home
>         dr-xr-xr-x    2 root   root     4096 Aug 26 20:02 lib
>         drwxr-xr-x    6 root   root     4096 Aug 27 14:54 opt
>         -rw-r--r--    1 tomcat tomcat   6689 Aug 30 08:02 out.txt
>         dr-xr-xr-x  202 root   root        0 Apr 18 05:32 proc
>         drwxr-xr-x    2 root   root     4096 Aug 26 18:21 root
>         drwxrwxr-x    2 root   root     4096 Aug 26 17:31 sbin
>         drwxrwxrwt    2 root   root     4096 Aug 28 15:41 tmp 
>         drwxrwxr-x    4 root   root     4096 Aug 30 07:59 usr
>         
>         I'm outside the jail as user tomcat and I try to delete the
>         file I created inside the jail as tomcat.  I can't do it.
>         
>         [tomcat at sam-demo ScriptExecRoot]$ rm out.txt
>         rm: cannot remove `out.txt': Permission denied
>         
>         
>         
>         On Tue, 2006-08-29 at 12:35 -0400, Christopher Fowler wrote:
>         > I'm doing something wrong in my test program.  This program
>         > takes an argument and executes it in a chroot environment.
>         > If no argument is given it will simply execute the shell
>         > instead.
>         >
>         > This is part of my script execution that I asked about a
>         > week or so ago.  I am now going to extract the script from
>         > the database and place it in a chroot environment.  I will
>         > then execute it from there.  I'm using this test program
>         > before I integrate it into the main code.
>         >
>         > --- [ Cut Here ]-------------------------------------
>         > #!/usr/bin/perl
>         >
>         > use POSIX qw/setuid setgid/;
>         > use strict;
>         >
>         > # Globals
>         > my $root = "/opt/SAM/ScriptExecRoot";
>         >
>         > sub main {
>         >
>         >   # Verify if proc is mounted
>         >   # if not mount it for the user
>         >   if(! -d "$root/proc/1") {
>         >     system("mount", "-o", "bind", "/proc", "$root/proc") == 0
>         >       or die "mount failed: $?\n";
>         >   }
>         >
>         >   # Setup default language
>         >   # This root does not support locale
>         >   # and perl needs this
>         >   $ENV{'LANG'} = "C";
>         >   $ENV{'PATH'} = "$ENV{'PATH'}:/sbin:/usr/sbin";
>         >
>         >   # Change our root and set our uid.
>         >   # chdir into the new root before chroot and to "/"
>         >   # after it, so the cwd is never left outside the jail;
>         >   # check every call instead of assuming it worked.
>         >   chdir $root  or die "chdir $root: $!\n";
>         >   chroot $root or die "chroot $root: $!\n";
>         >   chdir "/"    or die "chdir /: $!\n";
>         >
>         >   # This lookup runs after chroot, so it reads the
>         >   # jail's /etc/passwd, not the host's.
>         >   my ($name,$pass,$uid,$gid,undef,undef,undef,$dir) = getpwnam("tomcat")
>         >     or die "getpwnam tomcat: no such user\n";
>         >
>         >   # gid first, then uid; both must be checked
>         >   setgid $gid or die "setgid $gid: $!\n";
>         >   setuid $uid or die "setuid $uid: $!\n";
>         >   chdir $dir  or die "chdir $dir: $!\n";
>         >
>         >   # No argument?  Just exec a shell
>         >   if($#ARGV == -1 ) {
>         >     exec "/bin/sh"
>         >       or die "exec $!\n";
>         >   }
>         >
>         >   # First argument is the command string; any further
>         >   # arguments become $0, $1, ... of the -c script
>         >   exec "/bin/sh", ("-c", @ARGV)
>         >     or die "exec $!\n";
>         > }
>         >
>         > exit main;
>         > --- [ Cut Here ]-------------------------------------
>         >
>         > The problem is that I'm able to do stuff I should not be
>         > able to.
>         >
>         > Here is output
>         >
>         > --- [ Cut Here ]-------------------------------------
>         > [root at sam-demo ScriptExecRoot]# bin/exec.pl
>         >
>         >
>         > BusyBox v1.2.1 (2006.08.26-21:30+0000) Built-in shell (ash)
>         > Enter 'help' for a list of built-in commands. 
>         >
>         > $ ps > /
>         > $ ls -l /out
>         > -rw-r--r--    1 500      500          6998 Aug 26 23:42 /out
>         > $
>         > [root at sam-demo ScriptExecRoot]# ls -l
>         > total 276
>         > drwxrwxr-x    2 root   root     4096 Aug 26 19:42 bin 
>         > drwxr-xr-x   23 root   root   233472 Aug 26 18:25 dev
>         > drwxr-xr-x    2 root   root     4096 Aug 26 19:28 etc
>         > drwxr-xr-x    3 root   root     4096 Aug 26 18:20 home
>         > dr-xr-xr-x    2 root   root     4096 Aug 26 19:29 lib 
>         > drwxr-xr-x    3 root   root     4096 Aug 26 17:58 opt
>         > -rw-r--r--    1 tomcat tomcat   6998 Aug 26 19:42 out
>         > dr-xr-xr-x  209 root   root        0 Apr 18 05:32 proc
>         > drwxr-xr-x    2 root   root     4096 Aug 26 18:21 root 
>         > drwxrwxr-x    2 root   root     4096 Aug 26 17:31 sbin
>         > drwxrwxrwt    2 root   root     4096 Aug 26 19:42 tmp
>         > drwxrwxr-x    3 root   root     4096 Aug 26 17:29 usr
>         > --- [ Cut Here ]------------------------------------- 
>         >
>         > As you can see /out is owned by tomcat.tomcat but why was he
>         > able to place anything in /out?  Probably something simple
>         > I'm not seeing or forgot to do.
>         >
>         > Thanks,
>         > Chris 
>         >
>         >
>         >
>         > _______________________________________________
>         > Ale mailing list
>         > Ale at ale.org
>         > http://www.ale.org/mailman/listinfo/ale
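The sequence the posted exec.pl is aiming for, as an added example written for this page (it is not Chris's script and not code from the thread): resolve the account first, verify the jail root, chroot with the cwd handled, drop supplementary groups, gid and uid in that order, prove the drop took, then exec. The jail path, the account name and the presence of a working /bin/sh (with its libraries) inside the jail are assumptions; it has to be started as root, and it deliberately does not bind-mount /proc into the jail.

```perl
#!/usr/bin/perl
# Added example (not from the thread): a chroot-and-drop-privileges
# wrapper that checks each step the posted exec.pl leaves unchecked.
# Assumed (hypothetical) values: jail at $JAIL, unprivileged account
# $USER, and a /bin/sh plus its libraries present inside the jail.
use strict;
use warnings;
use POSIX qw(setuid setgid getuid geteuid getgid getegid getgroups);

my $JAIL = '/opt/SAM/ScriptExecRoot';   # assumed jail path
my $USER = 'tomcat';                     # assumed unprivileged account

sub main {
    die "must start as root to chroot and drop privileges\n" if geteuid() != 0;

    # 1. Resolve the account on the host, before chroot, so the answer
    #    does not depend on whatever /etc/passwd the jail happens to carry.
    my (undef, undef, $uid, $gid, undef, undef, undef, $home) = getpwnam($USER)
        or die "no such user: $USER\n";
    die "refusing to run the jail as uid 0\n" if $uid == 0;

    # 2. The jail root must be a root-owned directory that is neither
    #    group- nor world-writable.  unlink() needs write permission on
    #    the directory, not on the file, so this mode also decides who
    #    can create or rm anything directly in the jail's /.
    my @st = stat($JAIL) or die "stat $JAIL: $!\n";
    die "$JAIL is not a directory\n" unless -d _;
    die "$JAIL is not owned by root\n" if $st[4] != 0;
    die sprintf("%s is group/world writable (mode %04o)\n", $JAIL, $st[2] & 07777)
        if $st[2] & 022;

    # 3. A minimal, known environment: inherit nothing from the caller.
    %ENV = (PATH => '/bin:/sbin:/usr/bin:/usr/sbin', LANG => 'C', HOME => $home);

    # 4. chdir into the jail, chroot, then chdir('/') again.  chroot(2)
    #    does not move the cwd; without the second chdir the process is
    #    still sitting outside the new root and relative paths walk out.
    chdir($JAIL)  or die "chdir $JAIL: $!\n";
    chroot($JAIL) or die "chroot $JAIL: $!\n";
    chdir('/')    or die "chdir /: $!\n";

    # 5. Drop privileges in the only order that works: supplementary
    #    groups, then gid, then uid.  Once the uid is non-zero the group
    #    calls would fail, and a leftover root group is a leftover hole.
    $) = "$gid $gid";                     # setgroups([$gid]) and setegid($gid)
    die "setgroups failed: $!\n" if grep { $_ != $gid } getgroups();
    setgid($gid) or die "setgid $gid: $!\n";
    setuid($uid) or die "setuid $uid: $!\n";

    # 6. Prove the drop is real: regaining root must now be impossible,
    #    and the real ids must match the effective ones.
    die "privileges not dropped: setuid(0) still succeeds\n" if setuid(0);
    die "uid/gid mismatch after drop\n"
        unless getuid() == $uid && geteuid() == $uid
            && getgid() == $gid && getegid() == $gid;

    # 7. Hand the job to the jail's /bin/sh.  The first argument is the
    #    script text; any further arguments become $1, $2, ... under a
    #    fixed $0 instead of being swallowed as part of the script.
    chdir($home) or chdir('/');
    my @cmd = @ARGV ? ('/bin/sh', '-c', shift(@ARGV), 'jailed', @ARGV)
                    : ('/bin/sh');
    exec { $cmd[0] } @cmd or die "exec $cmd[0]: $!\n";
}

main();
```

Run it as root with the script text as the first argument (for example `./jailexec.pl 'id; ls -l /'`) or with no arguments for an interactive shell; every failed step dies before the exec, so a misconfigured jail never ends in a shell with the wrong credentials or the wrong cwd. One caveat on the bind-mounted /proc in the posted script: on Linux a process that shares the uid of a jailed process, and runs outside the jail (a host tomcat, say), exposes /proc/<pid>/cwd and /proc/<pid>/root links that the jailed process is allowed to follow, and they lead straight out of the chroot. Keep /proc out of the jail, or run the jailed work under an account that has no processes outside it.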



