[ale] Doing a chroot in Perl
Christopher Fowler
cfowler at outpostsentinel.com
Wed Aug 30 08:50:33 EDT 2006
On Wed, 2006-08-30 at 08:39 -0400, Jerry Yu wrote:
> what exactly is the permission on your jail / (aka, ScriptExecRoot)?
Being able to not delete the file like in the example below is normal.
I recreated that in the system root.
What I find strange is that I do the following
1. chroot to /opt/SAM/FC2/ScriptExecRoot
2. use setuid() and setgid() to change to UID/GID 500 (tomcat).
3. Now as user tomcat I do command ps or ls and send
output to / (chroot root) /out.txt
I can do that in the jail but not in the regular system as user tomcat
> [tomcat at sam-demo /]$ ps > /out.txt
-bash: /out.txt: Permission denied
[tomcat at sam-demo /]$ sudo /opt/SAM/ScriptExecRoot/bin/exec.pl
BusyBox v1.2.1 (2006.08.29-17:16+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
$ ps > /out.txt
$ ls -l /out.txt
-rw-r--r-- 1 500 500 6689 Aug 30 08:49 /out.txt
$
This is where I'm getting confused. Probably just a permissions problem
with the fact that ScriptExecRoot is owned by root but exists in a
directory owned by tomcat.
> On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
> This is kinda strange. On this same example I'm now outside
> of my
> chroot jail and I can not delete a file that is owned by me
> I created that file in the jail. I've not figured out why I
> was able to
> do that. Since the '/' of the jail is owned by root.
>
> [tomcat at sam-demo ScriptExecRoot]$ whoami
> tomcat
> [tomcat at sam-demo ScriptExecRoot]$ ls -l
> total 276
> drwxrwxr-x 2 root root 4096 Aug 30 07:58 bin
> drwxr-xr-x 23 root root 233472 Aug 26 18:25 dev
> drwxr-xr-x 2 root root 4096 Aug 30 08:02 etc
> drwxr-xr-x 3 root root 4096 Aug 26 18:20 home
> dr-xr-xr-x 2 root root 4096 Aug 26 20:02 lib
> drwxr-xr-x 6 root root 4096 Aug 27 14:54 opt
> -rw-r--r-- 1 tomcat tomcat 6689 Aug 30 08:02 out.txt
> dr-xr-xr-x 202 root root 0 Apr 18 05:32 proc
> drwxr-xr-x 2 root root 4096 Aug 26 18:21 root
> drwxrwxr-x 2 root root 4096 Aug 26 17:31 sbin
> drwxrwxrwt 2 root root 4096 Aug 28 15:41 tmp
> drwxrwxr-x 4 root root 4096 Aug 30 07:59 usr
>
> I'm outside the jail as user tomcat and I try to delete the
> file I
> created inside the jail as tomcat. I can't do it.
>
> [tomcat at sam-demo ScriptExecRoot]$ rm out.txt
> rm: cannot remove `out.txt': Permission denied
>
>
>
> On Tue, 2006-08-29 at 12:35 -0400, Christopher Fowler wrote:
> > I doing something wrong in my test program. This program
> takes an
> > argument and executes it in a chroot environment. If not
> argument is
> > given it will simply execute the shell instead.
> >
> > This is part of my script execution that I asked about a
> week or so ago.
> > I am now going to extract the script from the database and
> place it in a
> > chroot environment. I will then execute it from there. I'm
> using this
> > test program before I integrate it into the main code.
> >
> > --- [ Cut Here ]-------------------------------------
> > #!/usr/bin/perl
> >
> > use POSIX qw/setuid setgid/;
> > use strict;
> >
> > # Globals
> > my $root = "/opt/SAM/ScriptExecRoot";
> >
> > sub main {
> >
> > # Verify if proc is mounted
> > # if not mount it for the user
> > if(! -d "$root/proc/1") {
> > system "mount -o bind /proc $root/proc";
> > }
> >
> >
> > # Setup default language
> > # This root does not support locale
> > # and perl needs this
> > $ENV{'LANG'} = "C";
> > $ENV{'PATH'} = "$ENV{'PATH'}:/sbin:/usr/sbin";
> >
> > # Change our root and
> > # set our uid
> > chroot $root;
> >
> > my ($name,$pass,$uid,$gid,undef,undef,undef,$dir) =
> getpwnam("tomcat")
> > or die;
> >
> > setgid $uid;
> > setuid $uid;
> > chdir $dir;
> >
> > # No argument? Just exec a shell
> > if($#ARGV == -1 ) {
> > exec "/bin/sh"
> > or die "exec $!\n";
> > }
> >
> > exec "/bin/sh", ("-c", @ARGV)
> > or die "exec $!\n";
> > }
> >
> > exit main;
> > --- [ Cut Here ]-------------------------------------
> >
> > The problem is that I'm able to do stuff I should not be
> able to.
> >
> > Here is output
> >
> > --- [ Cut Here ]-------------------------------------
> > [root at sam-demo ScriptExecRoot]# bin/exec.pl
> >
> >
> > BusyBox v1.2.1 (2006.08.26-21:30+0000) Built-in shell (ash)
> > Enter 'help' for a list of built-in commands.
> >
> > $ ps > /
> > $ ls -l /out
> > -rw-r--r-- 1 500 500 6998 Aug 26 23:42 /out
> > $
> > [root at sam-demo ScriptExecRoot]# ls -l
> > total 276
> > drwxrwxr-x 2 root root 4096 Aug 26 19:42 bin
> > drwxr-xr-x 23 root root 233472 Aug 26 18:25 dev
> > drwxr-xr-x 2 root root 4096 Aug 26 19:28 etc
> > drwxr-xr-x 3 root root 4096 Aug 26 18:20 home
> > dr-xr-xr-x 2 root root 4096 Aug 26 19:29 lib
> > drwxr-xr-x 3 root root 4096 Aug 26 17:58 opt
> > -rw-r--r-- 1 tomcat tomcat 6998 Aug 26 19:42 out
> > dr-xr-xr-x 209 root root 0 Apr 18 05:32 proc
> > drwxr-xr-x 2 root root 4096 Aug 26 18:21 root
> > drwxrwxr-x 2 root root 4096 Aug 26 17:31 sbin
> > drwxrwxrwt 2 root root 4096 Aug 26 19:42 tmp
> > drwxrwxr-x 3 root root 4096 Aug 26 17:29 usr
> > --- [ Cut Here ]-------------------------------------
> >
> > As you can see /out is owned by tomcat.tomcat but why was he
> able to
> > place anything in /out? Probably something simple I'm not
> seeing or
> > forgot to do.
> >
> > Thanks,
> > Chris
> >
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
More information about the Ale
mailing list