[ale] Doing a chroot in Perl

Christopher Fowler cfowler at outpostsentinel.com
Wed Aug 30 14:31:48 EDT 2006


Works now!

$ ps > /out.t
/bin/sh: cannot create /out.t: Permission denied
$ 


$) = "$gid $gid";

On Wed, 2006-08-30 at 14:17 -0400, Christopher Fowler wrote:
>   setgid $gid;
>   $) = ($gid, $gid);
>   setuid $uid;
>   chdir $dir;
> 
>   print "After: $)\n"
> 
> Before: 0 10 6 4 3 2 1 0
> After: 500 10 6 4 3 2 1 0
> 
> 
> On Wed, 2006-08-30 at 13:46 -0400, Jerry Yu wrote:
> > also, $) modification needs to be between setgid and setuid to be
> > effective too.
> >  
> > setgid $gid;
> >  $) = "$gid $gid";
> >  setuid $uid;
> > 
> > 
> > On 8/30/06, Jerry Yu <jjj863 at gmail.com> wrote:
> >         per perlvar, I used the following which is passed to setgroups()
> >         and it is effective.
> >         $) = "$gid $gid";
> >         
> >         
> >         On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
> >                 Here is what is going on in kernel space:
> >                 
> >                 write(1, "Before: 0 10 6 4 3 2 1 0\n", 25Before: 0 10 6 4 3 2 1 0
> >                 ) = 25
> >                 chroot("/opt/SAM/ScriptExecRoot")       = 0
> >                 socket(PF_FILE, SOCK_STREAM, 0)         = 3
> >                 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
> >                 close(3)                                = 0
> >                 open("/etc/nsswitch.conf", O_RDONLY)    = 3
> >                 fstat64(3, {st_mode=S_IFREG|0644, st_size=1687, ...}) = 0
> >                 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6de7000
> >                 read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1687
> >                 read(3, "", 4096)                       = 0
> >                 close(3)                                = 0
> >                 munmap(0xf6de7000, 4096)                = 0
> >                 open("/usr/lib/perl5/5.8.3/i386-linux-thread-multi/CORE/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> >                 open("/etc/ld.so.cache", O_RDONLY)      = 3
> >                 fstat64(3, {st_mode=S_IFREG|0644, st_size=1959, ...}) = 0
> >                 old_mmap(NULL, 1959, PROT_READ, MAP_PRIVATE, 3, 0) = 0xf6de6000
> >                 close(3)                                = 0
> >                 open("/lib/libnss_files.so.2", O_RDONLY) = 3
> >                 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\33\0\000"..., 512) = 512
> >                 fstat64(3, {st_mode=S_IFREG|0755, st_size=50944, ...}) = 0
> >                 old_mmap(NULL, 45724, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xa6e000
> >                 old_mmap(0xa78000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x9000) = 0xa78000
> >                 close(3)                                = 0
> >                 mprotect(0xa78000, 4096, PROT_READ)     = 0
> >                 munmap(0xf6de6000, 1959)                = 0
> >                 open("/etc/passwd", O_RDONLY)           = 3
> >                 fcntl64(3, F_GETFD)                     = 0
> >                 fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
> >                 fstat64(3, {st_mode=S_IFREG|0644, st_size=1240, ...}) = 0
> >                 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6de5000
> >                 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1240
> >                 close(3)                                = 0
> >                 munmap(0xf6de5000, 4096)                = 0
> >                 open("/etc/shadow", O_RDONLY)           = 3
> >                 fcntl64(3, F_GETFD)                     = 0
> >                 fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
> >                 fstat64(3, {st_mode=S_IFREG|0400, st_size=827, ...}) = 0
> >                 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6de4000
> >                 read(3, "root:$1$FSCYGBHy$UjAcKKV6a3lN3ee"..., 4096) = 827
> >                 close(3)                                = 0
> >                 munmap(0xf6de4000, 4096)                = 0
> >                 setgid32(500)                           = 0
> >                 getgid32()                              = 500
> >                 getegid32()                             = 500
> >                 setuid32(500)                           = 0
> >                 getuid32()                              = 500
> >                 geteuid32()                             = 500
> >                 setresgid32(-1, 500, -1)                = 0
> >                 getegid32()                             = 500
> >                 chdir("/home/tomcat")                   = 0
> >                 getgroups32(32, [0, 1, 2, 3, 4, 6, 10]) = 7
> >                 write(1, "After: 500 10 6 4 3 2 1 0\n", 26After: 500 10 6 4 3 2 1 0
> >                 ) = 26
> >                 
> >                 
> >                 On Wed, 2006-08-30 at 11:17 -0400, Jerry Yu wrote:
> >                 > pardon me, the first 'id -a' should have been:
> >                 > $ id -a
> >                 > uid=500 gid=500 groups=0,1,2,3,4,6,10 context=root:system_r:unconfined_t
> >                 >
> >                 >
> >                 > On 8/30/06, Jerry Yu <jjj863 at gmail.com> wrote:
> >                 >         The supplementary GIDs are still there, after the setgid/setuid
> >                 >         calls. This means the jailed 'tomcat' has read/write access
> >                 >         granted to group 0 1 2 3 4 6 10. For instance, now tomcat can
> >                 >         read "/proc/net/ip_conntrack" which tomcat outside the jail
> >                 >         wouldn't be able to read.
> >                 >
> >                 >         before setsid/gid  $) = (0 10 6 4 3 2 1 0)
> >                 >         after setsid/gid   $) = (500 10 6 4 3 2 1 0)
> >                 >
> >                 >         $ id -a
> >                 >
> >                 >         uid=500 gid=500 groups=500 context=root:system_r:unconfined_t
> >                 >
> >                 >         Per 'perldoc perlvar', you'd need to set $)="$gid $gid" to get rid
> >                 >         of the extra supplementary GIDs from the original owner.
> >                 >         $) = (0 10 6 4 3 2 1 0)
> >                 >         $) = (500 500)
> >                 >
> >                 >         $ id -a
> >                 >         uid=500 gid=500 groups=500 context=root:system_r:unconfined_t
> >                 >
> >                 >
> >                 >
> >                 >         On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
> >                 >                 I figured it out.
> >                 >
> >                 >                 ScriptExecRoot is owned by root but a subdirectory of
> >                 >                 SAM which is owned by tomcat. When I did the chroot
> >                 >                 even though / was owned by root I as tomcat was able
> >                 >                 to write stuff anywhere I wanted.
> >                 >
> >                 >                 I moved ScriptExecRoot to /opt which is owned by
> >                 >                 root.  Now when I chroot I was not able to write
> >                 >                 anywhere I wanted.
> >                 >
> >                 >                 I guess this is normal behavior but I did not expect
> >                 >                 it.
> >                 >
> >                 >
> >                 >
> >                 > _______________________________________________
> >                 > Ale mailing list
> >                 > Ale at ale.org
> >                 > http://www.ale.org/mailman/listinfo/ale
> >                 
> >         
> >         
> > 
> 
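Putting the thread's findings together in one script, as an added example that is not from the list or its authors: chroot while still root, drop the gid, clear the supplementary groups by assigning a string to $) (the list assignment that the strace shows only reaching setresgid is the bug the thread hit), drop the uid last, then verify. The jail path and the user name are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Must be started as root.
use strict;
use warnings;
use POSIX qw(setgid setuid);

my $jail = '/opt/SAM/ScriptExecRoot';   # assumed path; must be root-owned
my $user = 'tomcat';                    # assumed unprivileged user

my ($uid, $gid) = (getpwnam($user))[2, 3];
defined $uid or die "no such user: $user\n";

# The thread's first finding: a jail directory the user owns (or can write
# to) gives that user write access everywhere inside it, so refuse it.
my @st = stat($jail) or die "stat $jail: $!\n";
-d _ or die "$jail is not a directory\n";
die "$jail must be owned by root\n"          if $st[4] != 0;
die "$jail must not be group/world writable\n" if $st[2] & 022;

# Everything that needs root happens before privileges are dropped.
chroot($jail) or die "chroot: $!\n";
chdir('/')    or die "chdir: $!\n";

# Order matters: gid first (setgid needs root), then the supplementary
# list, then uid last.  A *string* assignment to $) calls setgroups();
# a list assignment like ($gid, $gid) only sets the effective gid and
# leaves the inherited groups in place.
setgid($gid) or die "setgid: $!\n";
$) = "$gid $gid";
setuid($uid) or die "setuid: $!\n";

# Verify the drop stuck: no root ids, no leaked groups, no way back.
die "still root\n" if $< == 0 || $> == 0;
my ($egid, @groups) = split ' ', $);
die "supplementary groups leaked: @groups\n" if grep { $_ != $gid } @groups;
die "setuid(0) unexpectedly succeeded\n"     if setuid(0);

print "uid=$< euid=$> gid=$( egid=$)\n";   # expect gid=$gid egid="$gid $gid"
```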