[ale] Doing a chroot in Perl

[Christopher Fowler]

I tried that:

  # Change our root and
  # set our uid
  print "Before: $)\n";
  chroot $root
    or die "Failed to change root to '$root': $!\n";;

  my ($name,$pass,$uid,$gid,undef,undef,undef,$dir) =
    getpwnam("tomcat") or die "Failed to get permissions: $!\n";

  setgid $gid;
  setuid $uid;
  $) = ($gid, $gid);
  chdir $dir;

  print "After: $)\n";

[tomcat at sam-demo ScriptExecRoot]$ chr
Before: 0 10 6 4 3 2 1 0
After: 500 10 6 4 3 2 1 0




On Wed, 2006-08-30 at 11:13 -0400, Jerry Yu wrote:
> The supplemetary GIDs are still there, after the setgid/setuid calls.
> This makes the jailed 'tomcat' has read/write access granted to group
> 0 1 2 3 4 6 10. For instance, now tomcat can read
> "/proc/net/ip_conntrack" which tomcat outside the jail wouldn't be
> able to read. 
> 
> before setsid/gid  $) = (0 10 6 4 3 2 1 0)
> after setsid/gid   $) = (500 10 6 4 3 2 1 0)
> $ id -a
> uid=500 gid=500 groups=500 context=root:system_r:unconfine
> d_t
> 
> Per 'perldoc perlvar', you'd need to set $)="$gid $gid" to rid of the
> extra supplemetary GIDs from the original owner. 
> $) = (0 10 6 4 3 2 1 0)
> $) = (500 500)
> $ id -a
> uid=500 gid=500 groups=500 context=root:system_r:unconfined_t
> 
> 
> On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
>         I figured it out.
>         
>         ScriptExecRoot is owned by root but a subdirectory of SAM
>         which is owned
>         by tomcat. When I did the chroot even though / was owned by
>         root I as
>         tomcat was able to write stuff anywhere I wanted. 
>         
>         I moved ScriptExecRoot to /opt which is owned by root.  Now
>         when I
>         chroot I was not able to write anywhere I wanted.
>         
>         I guess this is normal behavior but I did not expect it.
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale