[ale] Doing a chroot in Perl
Jerry Yu
jjj863 at gmail.com
Wed Aug 30 11:13:16 EDT 2006
The supplementary GIDs are still there after the setgid/setuid calls. This
makes the jailed 'tomcat' have read/write access granted to groups 0 1 2 3 4 6
10. For instance, now tomcat can read "/proc/net/ip_conntrack", which tomcat
outside the jail wouldn't be able to read.
before setsid/gid $) = (0 10 6 4 3 2 1 0)
after setsid/gid $) = (500 10 6 4 3 2 1 0)
$ id -a
uid=500 gid=500 groups=500 context=root:system_r:unconfined_t
Per 'perldoc perlvar', you'd need to set $)="$gid $gid" to get rid of the extra
supplementary GIDs from the original owner.
$) = (0 10 6 4 3 2 1 0)
$) = (500 500)
$ id -a
uid=500 gid=500 groups=500 context=root:system_r:unconfined_t
On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
>
> I figured it out.
>
> ScriptExecRoot is owned by root but a subdirectory of SAM which is owned
> by tomcat. When I did the chroot even though / was owned by root I as
> tomcat was able to write stuff anywhere I wanted.
>
> I moved ScriptExecRoot to /opt which is owned by root. Now when I
> chroot I was not able to write anywhere I wanted.
>
> I guess this is normal behavior but I did not expect it.
>
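The two problems raised in this thread, a jail root that the jailed user can write to and supplementary groups that survive setuid/setgid, can both be checked in code before and after the chroot. The script below is an added example written for this archive page, not code from either poster. It assumes it runs as root, and the jail path '/opt/jail' and uid/gid 500 are placeholders standing in for the thread's 'tomcat' account. It uses POSIX::setuid/POSIX::setgid rather than assigning to $< and $> one at a time, because setuid(2) called by root sets the real, effective and saved ids together; the supplementary groups are dropped through $) exactly as perlvar describes, and the result is verified by reading $) back and by confirming that root cannot be regained.

```perl
#!/usr/bin/perl
# Added example (not from the thread): enter a chroot jail as an unprivileged
# user, drop supplementary groups via $), and prove the drop worked.
# Assumes: running as root; $JAIL, $JAIL_UID, $JAIL_GID are placeholders.
use strict;
use warnings;
use POSIX qw(setuid setgid);
use File::Spec;

my $JAIL     = '/opt/jail';   # placeholder jail root, must be owned by root
my $JAIL_UID = 500;           # placeholder uid for the jailed account
my $JAIL_GID = 500;           # placeholder gid for the jailed account

# Refuse a jail whose root or any parent directory is writable by the jailed
# user. This is the situation in the quoted reply: the jail sat under a
# directory owned by tomcat, so tomcat could write anywhere after chroot.
sub check_jail_dir {
    my ($dir) = @_;
    my $abs   = File::Spec->rel2abs($dir);
    my $path  = File::Spec->rootdir;
    my @todo  = ($path);
    for my $part (File::Spec->splitdir($abs)) {
        next if $part eq '';
        $path = File::Spec->catdir($path, $part);
        push @todo, $path;
    }
    for my $d (@todo) {
        my @st = stat($d) or die "stat $d: $!\n";
        my ($mode, $uid) = ($st[2], $st[4]);
        die "$d must be owned by root (uid $uid)\n"       if $uid != 0;
        die "$d must not be group- or world-writable\n"   if $mode & 022;
    }
    return 1;
}

# Confirm that no group or uid from the original owner is left behind.
sub verify_dropped {
    my ($uid, $gid) = @_;
    my ($egid, @supp) = split ' ', $);       # $) reads as "egid g1 g2 ..."
    my @leftover = grep { $_ != $gid } @supp;
    die "supplementary groups survived: @leftover\n" if @leftover;
    my $rgid = 0 + $(;
    die "gid not dropped: rgid=$rgid egid=$egid\n" if $rgid != $gid || $egid != $gid;
    die "uid not dropped: ruid=$< euid=$>\n"        if $< != $uid || $> != $uid;
    # A correct drop is permanent: trying to become root again must fail.
    $> = 0;
    die "privileges can be regained, saved uid was not dropped\n" if $> == 0;
    return 1;
}

# Enter the jail and drop privileges in the order that works: supplementary
# groups and gid while still root (setgroups needs root), then uid.
sub enter_jail {
    my ($dir, $uid, $gid) = @_;
    check_jail_dir($dir);
    chroot($dir) or die "chroot $dir: $!\n";
    chdir('/')   or die "chdir /: $!\n";      # otherwise cwd is still outside

    # First number is the effective gid, the rest are passed to setgroups().
    # "$gid $gid" leaves exactly one supplementary group, the jail gid itself.
    $) = "$gid $gid";
    setgid($gid) or die "setgid $gid: $!\n";  # real, effective and saved gid
    setuid($uid) or die "setuid $uid: $!\n";  # real, effective and saved uid
    return verify_dropped($uid, $gid);
}

die "must run as root for chroot and setgroups\n" unless $< == 0;
enter_jail($JAIL, $JAIL_UID, $JAIL_GID);
print "inside $JAIL as uid=$< gid=", 0 + $(, " groups=(", $), ")\n";
```

If the jail is placed as in the quoted reply, under a directory owned by the jailed user, check_jail_dir dies before chroot is ever called; if the $) assignment is left out, verify_dropped dies listing the groups that survived, which matches the "$) = (500 10 6 4 3 2 1 0)" trace above.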