[ale] Doing a chroot in Perl

Jerry Yu jjj863 at gmail.com
Wed Aug 30 09:54:48 EDT 2006


I set up a quick jail myself on CentOS 4 and I think I found some clues to
the symptoms: the shell started by exec after chroot is not all that clean.
Note that inside the jail I am 500/500, with alternate group 0 (root)?!

Maybe there is a problem with my quickie jail, since I couldn't really
create a file on /junk (a good thing?):
/tmp/1/2# perl ~jyu/bin/chroot.pl
$ id -a
uid=500 gid=500 groups=0,1,2,3,4,6,10 context=root:system_r:unconfined_t
$ echo $HOME
/root
$ echo $LOGNAME
root
$ date > /junk
cannot create /junk: permission denied
$ date > /home/jyu/junk
$ ls -ltr /home/jyu/junk
-rw-r--r--  1 500 500 29 Aug 30 13:47 /home/jyu/junk

On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
>
> On Wed, 2006-08-30 at 08:39 -0400, Jerry Yu wrote:
> > what exactly is the permission on your jail / (aka, ScriptExecRoot)?
>
> Being able to not delete the file like in the example below is normal.
> I recreated that in the system root.
>
> What I find strange is that I do the following
>
> 1.  chroot to /opt/SAM/FC2/ScriptExecRoot
> 2.  use setuid() and setgid() to change to UID/GID 500 (tomcat).
> 3.  Now as user tomcat I do command ps or ls and send
>     output to / (chroot root) /out.txt
>
> I can do that in the jail but not in the regular system as user tomcat.
>
>
> [tomcat at sam-demo /]$ ps > /out.txt
> -bash: /out.txt: Permission denied
> [tomcat at sam-demo /]$ sudo /opt/SAM/ScriptExecRoot/bin/exec.pl
>
>
> BusyBox v1.2.1 (2006.08.29-17:16+0000) Built-in shell (ash)
> Enter 'help' for a list of built-in commands.
>
> $ ps > /out.txt
> $ ls -l /out.txt
> -rw-r--r--    1 500      500          6689 Aug 30 08:49 /out.txt
> $
>
> This is where I'm getting confused.  Probably just a permissions problem
> with the fact that ScriptExecRoot is owned by root but exists in a
> directory owned by tomcat.
>
> > On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
> >         This is kinda strange.  On this same example I'm now outside of my
> >         chroot jail and I cannot delete a file that is owned by me.  I
> >         created that file in the jail.  I've not figured out why I was able
> >         to do that, since the '/' of the jail is owned by root.
> >
> >         [tomcat at sam-demo ScriptExecRoot]$ whoami
> >         tomcat
> >         [tomcat at sam-demo ScriptExecRoot]$ ls -l
> >         total 276
> >         drwxrwxr-x    2 root   root     4096 Aug 30 07:58 bin
> >         drwxr-xr-x   23 root   root   233472 Aug 26 18:25 dev
> >         drwxr-xr-x    2 root   root     4096 Aug 30 08:02 etc
> >         drwxr-xr-x    3 root   root     4096 Aug 26 18:20 home
> >         dr-xr-xr-x    2 root   root     4096 Aug 26 20:02 lib
> >         drwxr-xr-x    6 root   root     4096 Aug 27 14:54 opt
> >         -rw-r--r--    1 tomcat tomcat   6689 Aug 30 08:02 out.txt
> >         dr-xr-xr-x  202 root   root        0 Apr 18 05:32 proc
> >         drwxr-xr-x    2 root   root     4096 Aug 26 18:21 root
> >         drwxrwxr-x    2 root   root     4096 Aug 26 17:31 sbin
> >         drwxrwxrwt    2 root   root     4096 Aug 28 15:41 tmp
> >         drwxrwxr-x    4 root   root     4096 Aug 30 07:59 usr
> >
> >         I'm outside the jail as user tomcat and I try to delete the file I
> >         created inside the jail as tomcat.  I can't do it.
> >
> >         [tomcat at sam-demo ScriptExecRoot]$ rm out.txt
> >         rm: cannot remove `out.txt': Permission denied
> >
> >
> >
> >         On Tue, 2006-08-29 at 12:35 -0400, Christopher Fowler wrote:
> >         > I'm doing something wrong in my test program.  This program takes
> >         > an argument and executes it in a chroot environment.  If no
> >         > argument is given it will simply execute the shell instead.
> >         >
> >         > This is part of my script execution that I asked about a week or
> >         > so ago.  I am now going to extract the script from the database
> >         > and place it in a chroot environment.  I will then execute it from
> >         > there.  I'm using this test program before I integrate it into the
> >         > main code.
> >         >
> >         > --- [ Cut Here ]-------------------------------------
> >         > #!/usr/bin/perl
> >         >
> >         > use POSIX qw/setuid setgid/;
> >         > use strict;
> >         >
> >         > # Globals
> >         > my $root = "/opt/SAM/ScriptExecRoot";
> >         >
> >         > sub main {
> >         >
> >         >   # Verify if proc is mounted
> >         >   # if not mount it for the user
> >         >   if(! -d "$root/proc/1") {
> >         >     system "mount -o bind /proc $root/proc";
> >         >   }
> >         >
> >         >
> >         >   # Setup default language
> >         >   # This root does not support locale
> >         >   # and perl needs this
> >         >   $ENV{'LANG'} = "C";
> >         >   $ENV{'PATH'} = "$ENV{'PATH'}:/sbin:/usr/sbin";
> >         >
> >         >   # Change our root and
> >         >   # set our uid
> >         >   chroot $root;
> >         >
> >         >   my ($name,$pass,$uid,$gid,undef,undef,undef,$dir) =
> >         >     getpwnam("tomcat") or die;
> >         >
> >         >   # drop the group id before the user id
> >         >   setgid $gid;
> >         >   setuid $uid;
> >         >   chdir $dir;
> >         >
> >         >   # No argument?  Just exec a shell
> >         >   if($#ARGV == -1 ) {
> >         >     exec "/bin/sh"
> >         >       or die "exec $!\n";
> >         >   }
> >         >
> >         >   exec "/bin/sh", ("-c", @ARGV)
> >         >     or die "exec $!\n";
> >         > }
> >         >
> >         > exit main;
> >         > --- [ Cut Here ]-------------------------------------
> >         >
> >         > The problem is that I'm able to do stuff I should not be able to.
> >         >
> >         > Here is output
> >         >
> >         > --- [ Cut Here ]-------------------------------------
> >         > [root at sam-demo ScriptExecRoot]# bin/exec.pl
> >         >
> >         >
> >         > BusyBox v1.2.1 (2006.08.26-21:30+0000) Built-in shell (ash)
> >         > Enter 'help' for a list of built-in commands.
> >         >
> >         > $ ps > /
> >         > $ ls -l /out
> >         > -rw-r--r--    1 500      500          6998 Aug 26 23:42 /out
> >         > $
> >         > [root at sam-demo ScriptExecRoot]# ls -l
> >         > total 276
> >         > drwxrwxr-x    2 root   root     4096 Aug 26 19:42 bin
> >         > drwxr-xr-x   23 root   root   233472 Aug 26 18:25 dev
> >         > drwxr-xr-x    2 root   root     4096 Aug 26 19:28 etc
> >         > drwxr-xr-x    3 root   root     4096 Aug 26 18:20 home
> >         > dr-xr-xr-x    2 root   root     4096 Aug 26 19:29 lib
> >         > drwxr-xr-x    3 root   root     4096 Aug 26 17:58 opt
> >         > -rw-r--r--    1 tomcat tomcat   6998 Aug 26 19:42 out
> >         > dr-xr-xr-x  209 root   root        0 Apr 18 05:32 proc
> >         > drwxr-xr-x    2 root   root     4096 Aug 26 18:21 root
> >         > drwxrwxr-x    2 root   root     4096 Aug 26 17:31 sbin
> >         > drwxrwxrwt    2 root   root     4096 Aug 26 19:42 tmp
> >         > drwxrwxr-x    3 root   root     4096 Aug 26 17:29 usr
> >         > --- [ Cut Here ]-------------------------------------
> >         >
> >         > As you can see /out is owned by tomcat.tomcat but why was he able
> >         > to place anything in /out?  Probably something simple I'm not
> >         > seeing or forgot to do.
> >         >
> >         > Thanks,
> >         > Chris
> >         >
> >         >
> >         >
> >         > _______________________________________________
> >         > Ale mailing list
> >         > Ale at ale.org
> >         > http://www.ale.org/mailman/listinfo/ale
>
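A complete version of the chroot-and-drop sequence the thread is debugging, written here as an added example (not Chris's script or anything from the list): it keeps the thread's jail path and user, resolves the account on the host before chroot, clears the supplementary groups that Jerry's `groups=0,1,2,3,4,6,10` output shows were inherited, and verifies that the drop stuck. The command-line handling and the replacement environment are my own choices.

```perl
#!/usr/bin/perl
# Added example, not the script from the thread: enter the jail and drop
# to an unprivileged user in a safe order, with the checks the posted
# program lacks. $jail and $user are the values the thread uses.
use strict;
use warnings;
use POSIX qw(setuid setgid);

my $jail = "/opt/SAM/ScriptExecRoot";
my $user = "tomcat";

sub enter_jail_as {
    my ($jail, $user) = @_;

    # Look the account up on the host BEFORE chroot: afterwards getpwnam()
    # reads the jail's /etc/passwd, which a jailed user may have edited.
    my ($name, undef, $uid, $gid, undef, undef, undef, $home) =
        getpwnam($user) or die "unknown user $user\n";
    die "refusing to run as uid/gid 0\n" if $uid == 0 || $gid == 0;

    # chdir before chroot, and again inside: a cwd left outside the new
    # root is the classic way out of a chroot.
    chdir($jail)  or die "chdir $jail: $!\n";
    chroot($jail) or die "chroot $jail: $!\n";
    chdir("/")    or die "chdir /: $!\n";

    # Supplementary groups first: assigning a list to $) calls setgroups().
    # POSIX::setgid alone leaves root's groups in place, which is why the
    # jailed shell in the thread still reported groups=0,1,2,3,4,6,10.
    $) = "$gid $gid";
    my @groups = split ' ', $);
    die "setgroups failed: @groups\n" if grep { $_ != $gid } @groups;
    setgid($gid) or die "setgid $gid: $!\n";
    setuid($uid) or die "setuid $uid: $!\n";   # uid last, after the gids

    # Verify the drop took effect and cannot be undone.
    die "uid not dropped\n" if $< != $uid || $> != $uid;
    die "uid drop is reversible\n" if defined setuid(0);

    # Fresh environment, so HOME and LOGNAME are not root's as in the thread.
    %ENV = (PATH => "/bin:/usr/bin", HOME => $home,
            USER => $name, LOGNAME => $name, LANG => "C");
    return ($uid, $gid);
}

enter_jail_as($jail, $user);
# Hand "sh -c" ONE command string; a list after -c would become $0, $1, ...
exec "/bin/sh", (@ARGV ? ("-c", "@ARGV") : ()) or die "exec /bin/sh: $!\n";
```

Run it as root; inside the jail, `id -a` should then show only uid, gid and group 500, and `date > /junk` should fail for the same reason it does outside the jail.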