[ale] Doing a chroot in Perl
Christopher Fowler
cfowler at outpostsentinel.com
Wed Aug 30 14:17:54 EDT 2006
setgid $gid;
$) = ($gid, $gid);
setuid $uid;
chdir $dir;
print "After: $)\n"
Before: 0 10 6 4 3 2 1 0
After: 500 10 6 4 3 2 1 0
On Wed, 2006-08-30 at 13:46 -0400, Jerry Yu wrote:
> also, $) modification needs to be between setgid and setuid to be
> effective too.
>
> setgid $gid;
> $) = "$gid $gid";
> setuid $uid;
>
>
> On 8/30/06, Jerry Yu <jjj863 at gmail.com> wrote:
> per perlvar, I used the following which is passed to setgroups
> () and it is effective.
> $) = "$gid $gid";
>
>
> On 8/30/06, Christopher Fowler < cfowler at outpostsentinel.com>
> wrote:
> Here is what is going on in kernel space:
>
> write(1, "Before: 0 10 6 4 3 2 1 0\n", 25Before: 0 10
> 6 4 3 2 1 0
> ) = 25
> chroot("/opt/SAM/ScriptExecRoot") = 0
> socket(PF_FILE, SOCK_STREAM, 0) = 3
> connect(3, {sa_family=AF_FILE,
> path="/var/run/nscd/socket"}, 110) = -1
> ENOENT (No such file or directory)
> close(3) = 0
> open("/etc/nsswitch.conf", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=1687, ...})
> = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
> MAP_ANONYMOUS, -1,
> 0) = 0xf6de7000
> read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"...,
> 4096) = 1687
> read(3, "", 4096) = 0
> close(3) = 0
> munmap(0xf6de7000, 4096) = 0
> open("/usr/lib/perl5/5.8.3/i386-linux-thread-
> multi/CORE/libnss_files.so.2", O_RDONLY) = -1 ENOENT
> (No such file or
> directory)
> open("/etc/ld.so.cache", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=1959, ...})
> = 0
> old_mmap(NULL, 1959, PROT_READ, MAP_PRIVATE, 3, 0) =
> 0xf6de6000
> close(3) = 0
> open("/lib/libnss_files.so.2", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0
> \0`\33\0\000"...,
> 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=50944, ...})
> = 0
> old_mmap(NULL, 45724, PROT_READ|PROT_EXEC,
> MAP_PRIVATE, 3, 0) = 0xa6e000
> old_mmap(0xa78000, 8192, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3,
> 0x9000) = 0xa78000
> close(3) = 0
> mprotect(0xa78000, 4096, PROT_READ) = 0
> munmap(0xf6de6000, 1959) = 0
> open("/etc/passwd", O_RDONLY) = 3
> fcntl64(3, F_GETFD) = 0
> fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
> fstat64(3, {st_mode=S_IFREG|0644, st_size=1240, ...})
> = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
> MAP_ANONYMOUS, -1,
> 0) = 0xf6de5000
> read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096)
> = 1240
> close(3) = 0
> munmap(0xf6de5000, 4096) = 0
> open("/etc/shadow", O_RDONLY) = 3
> fcntl64(3, F_GETFD) = 0
> fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
> fstat64(3, {st_mode=S_IFREG|0400, st_size=827, ...}) =
> 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
> MAP_ANONYMOUS, -1,
> 0) = 0xf6de4000
> read(3, "root:$1$FSCYGBHy$UjAcKKV6a3lN3ee"..., 4096) =
> 827
> close(3) = 0
> munmap(0xf6de4000, 4096) = 0
> setgid32(500) = 0
> getgid32() = 500
> getegid32() = 500
> setuid32(500) = 0
> getuid32() = 500
> geteuid32() = 500
> setresgid32(-1, 500, -1) = 0
> getegid32() = 500
> chdir("/home/tomcat") = 0
> getgroups32(32, [0, 1, 2, 3, 4, 6, 10]) = 7
> write(1, "After: 500 10 6 4 3 2 1 0\n", 26After: 500
> 10 6 4 3 2 1 0
> ) = 26
>
>
> On Wed, 2006-08-30 at 11:17 -0400, Jerry Yu wrote:
> > pardon me, the first 'id -a' should have been:
> > $ id -a
> > uid=500 gid=500 groups=0,1,2,3,4,6,10
> > context=root:system_r:unconfined_t
> >
> >
> > On 8/30/06, Jerry Yu <jjj863 at gmail.com> wrote:
> > The supplemetary GIDs are still there, after
> the setgid/setuid
> > calls. This makes the jailed 'tomcat' has
> read/write access
> > granted to group 0 1 2 3 4 6 10. For
> instance, now tomcat can
> > read "/proc/net/ip_conntrack" which tomcat
> outside the jail
> > wouldn't be able to read.
> >
> > before setsid/gid $) = (0 10 6 4 3 2 1 0)
> > after setsid/gid $) = (500 10 6 4 3 2 1
> 0)
> >
> > $ id -a
> >
> > uid=500 gid=500 groups=500
> context=root:system_r:unconfine
> > d_t
> >
> > Per 'perldoc perlvar', you'd need to set
> $)="$gid $gid" to rid
> > of the extra supplemetary GIDs from the
> original owner.
> > $) = (0 10 6 4 3 2 1 0)
> > $) = (500 500)
> >
> > $ id -a
> > uid=500 gid=500 groups=500
> context=root:system_r:unconfined_t
> >
> >
> >
> > On 8/30/06, Christopher Fowler
> <cfowler at outpostsentinel.com >
> > wrote:
> > I figured it out.
> >
> > ScriptExecRoot is owned by root but
> a subdirectory of
> > SAM which is owned
> > by tomcat. When I did the chroot
> even though / was
> > owned by root I as
> > tomcat was able to write stuff
> anywhere I wanted.
> >
> > I moved ScriptExecRoot to /opt which
> is owned by
> > root. Now when I
> > chroot I was not able to write
> anywhere I wanted.
> >
> > I guess this is normal behavior but
> I did not expect
> > it.
> >
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
More information about the Ale
mailing list