[ale] Doing a chroot in Perl
Jerry Yu
jjj863 at gmail.com
Wed Aug 30 13:46:55 EDT 2006
also, $) modification needs to be between setgid and setuid to be effective
too.
setgid $gid;
$) = "$gid $gid";
setuid $uid;
On 8/30/06, Jerry Yu <jjj863 at gmail.com> wrote:
>
> per perlvar, I used the following which is passed to setgroups() and it is
> effective.
> $) = "$gid $gid";
>
>
> On 8/30/06, Christopher Fowler < cfowler at outpostsentinel.com> wrote:
> >
> > Here is what is going on in kernel space:
> >
> > write(1, "Before: 0 10 6 4 3 2 1 0\n", 25Before: 0 10 6 4 3 2 1 0
> > ) = 25
> > chroot("/opt/SAM/ScriptExecRoot") = 0
> > socket(PF_FILE, SOCK_STREAM, 0) = 3
> > connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1
> > ENOENT (No such file or directory)
> > close(3) = 0
> > open("/etc/nsswitch.conf", O_RDONLY) = 3
> > fstat64(3, {st_mode=S_IFREG|0644, st_size=1687, ...}) = 0
> > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> > 0) = 0xf6de7000
> > read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1687
> > read(3, "", 4096) = 0
> > close(3) = 0
> > munmap(0xf6de7000, 4096) = 0
> > open("/usr/lib/perl5/5.8.3/i386-linux-thread-
> > multi/CORE/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or
> > directory)
> > open("/etc/ld.so.cache", O_RDONLY) = 3
> > fstat64(3, {st_mode=S_IFREG|0644, st_size=1959, ...}) = 0
> > old_mmap(NULL, 1959, PROT_READ, MAP_PRIVATE, 3, 0) = 0xf6de6000
> > close(3) = 0
> > open("/lib/libnss_files.so.2", O_RDONLY) = 3
> > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\33\0\000"...,
> > 512) = 512
> > fstat64(3, {st_mode=S_IFREG|0755, st_size=50944, ...}) = 0
> > old_mmap(NULL, 45724, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xa6e000
> > old_mmap(0xa78000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
> > 0x9000) = 0xa78000
> > close(3) = 0
> > mprotect(0xa78000, 4096, PROT_READ) = 0
> > munmap(0xf6de6000, 1959) = 0
> > open("/etc/passwd", O_RDONLY) = 3
> > fcntl64(3, F_GETFD) = 0
> > fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
> > fstat64(3, {st_mode=S_IFREG|0644, st_size=1240, ...}) = 0
> > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> > 0) = 0xf6de5000
> > read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1240
> > close(3) = 0
> > munmap(0xf6de5000, 4096) = 0
> > open("/etc/shadow", O_RDONLY) = 3
> > fcntl64(3, F_GETFD) = 0
> > fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
> > fstat64(3, {st_mode=S_IFREG|0400, st_size=827, ...}) = 0
> > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> > 0) = 0xf6de4000
> > read(3, "root:$1$FSCYGBHy$UjAcKKV6a3lN3ee"..., 4096) = 827
> > close(3) = 0
> > munmap(0xf6de4000, 4096) = 0
> > setgid32(500) = 0
> > getgid32() = 500
> > getegid32() = 500
> > setuid32(500) = 0
> > getuid32() = 500
> > geteuid32() = 500
> > setresgid32(-1, 500, -1) = 0
> > getegid32() = 500
> > chdir("/home/tomcat") = 0
> > getgroups32(32, [0, 1, 2, 3, 4, 6, 10]) = 7
> > write(1, "After: 500 10 6 4 3 2 1 0\n", 26After: 500 10 6 4 3 2 1 0
> > ) = 26
> >
> >
> > On Wed, 2006-08-30 at 11:17 -0400, Jerry Yu wrote:
> > > pardon me, the first 'id -a' should have been:
> > > $ id -a
> > > uid=500 gid=500 groups=0,1,2,3,4,6,10
> > > context=root:system_r:unconfined_t
> > >
> > >
> > > On 8/30/06, Jerry Yu < jjj863 at gmail.com> wrote:
> > > The supplemetary GIDs are still there, after the setgid/setuid
> > > calls. This makes the jailed 'tomcat' has read/write access
> > > granted to group 0 1 2 3 4 6 10. For instance, now tomcat can
> > > read "/proc/net/ip_conntrack" which tomcat outside the jail
> > > wouldn't be able to read.
> > >
> > > before setsid/gid $) = (0 10 6 4 3 2 1 0)
> > > after setsid/gid $) = (500 10 6 4 3 2 1 0)
> > >
> > > $ id -a
> > >
> > > uid=500 gid=500 groups=500 context=root:system_r:unconfine
> > > d_t
> > >
> > > Per 'perldoc perlvar', you'd need to set $)="$gid $gid" to rid
> >
> > > of the extra supplemetary GIDs from the original owner.
> > > $) = (0 10 6 4 3 2 1 0)
> > > $) = (500 500)
> > >
> > > $ id -a
> > > uid=500 gid=500 groups=500 context=root:system_r:unconfined_t
> > >
> > >
> > >
> > > On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com>
> > > wrote:
> > > I figured it out.
> > >
> > > ScriptExecRoot is owned by root but a subdirectory of
> > > SAM which is owned
> > > by tomcat. When I did the chroot even though / was
> > > owned by root I as
> > > tomcat was able to write stuff anywhere I wanted.
> > >
> > > I moved ScriptExecRoot to /opt which is owned by
> > > root. Now when I
> > > chroot I was not able to write anywhere I wanted.
> > >
> > > I guess this is normal behavior but I did not expect
> > > it.
> > >
> > >
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Ale
mailing list