[ale] Doing a chroot in Perl
Christopher Fowler
cfowler at outpostsentinel.com
Wed Aug 30 14:31:48 EDT 2006
Works now!
$ ps > /out.t
/bin/sh: cannot create /out.t: Permission denied
$
$) = "$gid $gid";
On Wed, 2006-08-30 at 14:17 -0400, Christopher Fowler wrote:
> setgid $gid;
> $) = ($gid, $gid);
> setuid $uid;
> chdir $dir;
>
> print "After: $)\n"
>
> Before: 0 10 6 4 3 2 1 0
> After: 500 10 6 4 3 2 1 0
>
>
> On Wed, 2006-08-30 at 13:46 -0400, Jerry Yu wrote:
> > also, $) modification needs to be between setgid and setuid to be
> > effective too.
> >
> > setgid $gid;
> > $) = "$gid $gid";
> > setuid $uid;
> >
> >
> > On 8/30/06, Jerry Yu <jjj863 at gmail.com> wrote:
> > per perlvar, I used the following which is passed to setgroups() and
> > it is effective.
> > $) = "$gid $gid";
> >
> >
> > On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
> > Here is what is going on in kernel space:
> >
> > write(1, "Before: 0 10 6 4 3 2 1 0\n", 25Before: 0 10 6 4 3 2 1 0
> > ) = 25
> > chroot("/opt/SAM/ScriptExecRoot") = 0
> > socket(PF_FILE, SOCK_STREAM, 0) = 3
> > connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
> > close(3) = 0
> > open("/etc/nsswitch.conf", O_RDONLY) = 3
> > fstat64(3, {st_mode=S_IFREG|0644, st_size=1687, ...}) = 0
> > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6de7000
> > read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1687
> > read(3, "", 4096) = 0
> > close(3) = 0
> > munmap(0xf6de7000, 4096) = 0
> > open("/usr/lib/perl5/5.8.3/i386-linux-thread-multi/CORE/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/etc/ld.so.cache", O_RDONLY) = 3
> > fstat64(3, {st_mode=S_IFREG|0644, st_size=1959, ...}) = 0
> > old_mmap(NULL, 1959, PROT_READ, MAP_PRIVATE, 3, 0) = 0xf6de6000
> > close(3) = 0
> > open("/lib/libnss_files.so.2", O_RDONLY) = 3
> > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\33\0\000"..., 512) = 512
> > fstat64(3, {st_mode=S_IFREG|0755, st_size=50944, ...}) = 0
> > old_mmap(NULL, 45724, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xa6e000
> > old_mmap(0xa78000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x9000) = 0xa78000
> > close(3) = 0
> > mprotect(0xa78000, 4096, PROT_READ) = 0
> > munmap(0xf6de6000, 1959) = 0
> > open("/etc/passwd", O_RDONLY) = 3
> > fcntl64(3, F_GETFD) = 0
> > fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
> > fstat64(3, {st_mode=S_IFREG|0644, st_size=1240, ...}) = 0
> > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6de5000
> > read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1240
> > close(3) = 0
> > munmap(0xf6de5000, 4096) = 0
> > open("/etc/shadow", O_RDONLY) = 3
> > fcntl64(3, F_GETFD) = 0
> > fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
> > fstat64(3, {st_mode=S_IFREG|0400, st_size=827, ...}) = 0
> > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6de4000
> > read(3, "root:$1$FSCYGBHy$UjAcKKV6a3lN3ee"..., 4096) = 827
> > close(3) = 0
> > munmap(0xf6de4000, 4096) = 0
> > setgid32(500) = 0
> > getgid32() = 500
> > getegid32() = 500
> > setuid32(500) = 0
> > getuid32() = 500
> > geteuid32() = 500
> > setresgid32(-1, 500, -1) = 0
> > getegid32() = 500
> > chdir("/home/tomcat") = 0
> > getgroups32(32, [0, 1, 2, 3, 4, 6, 10]) = 7
> > write(1, "After: 500 10 6 4 3 2 1 0\n", 26After: 500 10 6 4 3 2 1 0
> > ) = 26
> >
> >
> > On Wed, 2006-08-30 at 11:17 -0400, Jerry Yu wrote:
> > > pardon me, the first 'id -a' should have been:
> > > $ id -a
> > > uid=500 gid=500 groups=0,1,2,3,4,6,10 context=root:system_r:unconfined_t
> > >
> > >
> > > On 8/30/06, Jerry Yu <jjj863 at gmail.com> wrote:
> > > The supplementary GIDs are still there, after the setgid/setuid
> > > calls. This makes the jailed 'tomcat' have read/write access
> > > granted to group 0 1 2 3 4 6 10. For instance, now tomcat can
> > > read "/proc/net/ip_conntrack" which tomcat outside the jail
> > > wouldn't be able to read.
> > >
> > > before setsid/gid $) = (0 10 6 4 3 2 1 0)
> > > after setsid/gid $) = (500 10 6 4 3 2 1 0)
> > >
> > > $ id -a
> > >
> > > uid=500 gid=500 groups=500 context=root:system_r:unconfined_t
> > >
> > > Per 'perldoc perlvar', you'd need to set $)="$gid $gid" to get rid
> > > of the extra supplementary GIDs from the original owner.
> > > $) = (0 10 6 4 3 2 1 0)
> > > $) = (500 500)
> > >
> > > $ id -a
> > > uid=500 gid=500 groups=500 context=root:system_r:unconfined_t
> > >
> > >
> > >
> > > On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
> > > I figured it out.
> > >
> > > ScriptExecRoot is owned by root but a subdirectory of SAM which is
> > > owned by tomcat. When I did the chroot even though / was owned by
> > > root I as tomcat was able to write stuff anywhere I wanted.
> > >
> > > I moved ScriptExecRoot to /opt which is owned by root. Now when I
> > > chroot I was not able to write anywhere I wanted.
> > >
> > > I guess this is normal behavior but I did not expect it.
> > >
> > >
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
> >
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
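
The sequence the thread converges on, written out as an added example that is not part of the original messages: chroot, setgid, reset `$)` to replace the supplementary groups, setuid last, then read the ids back. The jail path and account name are the ones visible in the quoted trace; the ownership check on the jail's parent directories, the read-back verification and the presence of /bin/sh inside the jail are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not from the thread: chroot, drop root, verify the result.
use strict;
use warnings;
use POSIX qw(setgid setuid);

# Path and account as they appear in the thread's trace; run as root.
my ($jail, $user) = ('/opt/SAM/ScriptExecRoot', 'tomcat');

# Resolve the account before chroot: the jail may not carry /etc/passwd.
my ($uid, $gid) = (getpwnam($user))[2, 3];
defined $uid or die "unknown user $user\n";

# The jail and every directory above it must be root-owned and not
# group/world writable (the ownership problem from the first message).
for (my $p = $jail; length $p; $p =~ s{/[^/]*$}{}) {
    my @st = stat($p) or die "stat $p: $!\n";
    die "$p: not root-owned, or group/world writable\n"
        if $st[4] != 0 or $st[2] & 022;
}

chroot($jail) or die "chroot $jail: $!\n";
chdir('/')    or die "chdir /: $!\n";   # do not keep a cwd outside the jail

# Group changes need root, so the uid goes last. In "$gid $gid" the first
# number becomes the effective gid and the rest is handed to setgroups(),
# which replaces root's supplementary list (0 1 2 3 4 6 10 in the thread).
setgid($gid) or die "setgid: $!\n";
$) = "$gid $gid";
setuid($uid) or die "setuid: $!\n";

# Verify by reading the ids back instead of trusting the calls above.
my @egroups = split ' ', $);
my @rgroups = split ' ', $(;
die "unexpected groups: @rgroups / @egroups\n"
    if grep { $_ != $gid } @rgroups, @egroups;
die "uid not dropped\n" if $< != $uid or $> != $uid;
die "root can be regained\n" if defined setuid(0);

# Assumes the jail contains /bin/sh, as the session in the thread did.
exec('/bin/sh') or die "exec /bin/sh: $!\n";
```

Running `id -a` in the resulting shell should list only the target group, matching the `groups=500` output quoted in the thread.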