[ale] Doing a chroot in Perl
Christopher Fowler
cfowler at outpostsentinel.com
Wed Aug 30 10:18:11 EDT 2006
I figured it out.

ScriptExecRoot is owned by root but is a subdirectory of SAM, which is owned
by tomcat. When I did the chroot, even though / was owned by root, I as
tomcat was able to write stuff anywhere I wanted.

I moved ScriptExecRoot to /opt, which is owned by root. Now when I
chroot I am not able to write anywhere I want.

I guess this is normal behavior but I did not expect it.
On Wed, 2006-08-30 at 09:54 -0400, Jerry Yu wrote:
> I set up a quick jail myself on CentOS 4 and I think I found some
> clues to the symptoms: The shell by Exec after chroot is not all that
> clean. Note that inside the jail, I am 500/500, with alternate group 0
> (root)?!
>
> Maybe there is a problem with my quickie jail, since I couldn't really
> create a file on /junk ( a good thing?)
> /tmp/1/2# perl ~jyu/bin/chroot.pl
> $ id -a
> uid=500 gid=500 groups=0,1,2,3,4,6,10
> context=root:system_r:unconfined_t
> $ echo $HOME
> /root
> $ echo $LOGNAME
> root
> $ date > /junk
> cannot create /junk: permission denied
> $ date > /home/jyu/junk
> $ ls -ltr /home/jyu/junk
> -rw-r--r-- 1 500 500 29 Aug 30 13:47 /home/jyu/junk
>
> On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
> On Wed, 2006-08-30 at 08:39 -0400, Jerry Yu wrote:
> > what exactly is the permission on your jail / (aka, ScriptExecRoot)?
>
> Being able to not delete the file like in the example below is normal.
> I recreated that in the system root.
>
> What I find strange is that I do the following
>
> 1. chroot to /opt/SAM/FC2/ScriptExecRoot
> 2. use setuid() and setgid() to change to UID/GID 500 (tomcat).
> 3. Now as user tomcat I do command ps or ls and send output to
>    / (chroot root) /out.txt
>
> I can do that in the jail but not in the regular system as user tomcat
>
>
> [tomcat at sam-demo /]$ ps > /out.txt
> -bash: /out.txt: Permission denied
> [tomcat at sam-demo /]$ sudo /opt/SAM/ScriptExecRoot/bin/exec.pl
>
>
> BusyBox v1.2.1 (2006.08.29-17:16+0000) Built-in shell (ash)
> Enter 'help' for a list of built-in commands.
>
> $ ps > /out.txt
> $ ls -l /out.txt
> -rw-r--r-- 1 500 500 6689 Aug 30 08:49 /out.txt
> $
>
> This is where I'm getting confused. Probably just a permissions problem
> with the fact that ScriptExecRoot is owned by root but exists in a
> directory owned by tomcat.
>
> > On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com> wrote:
> > This is kinda strange. On this same example I'm now outside of my
> > chroot jail and I cannot delete a file that is owned by me. I created
> > that file in the jail. I've not figured out why I was able to do that,
> > since the '/' of the jail is owned by root.
> >
> > [tomcat at sam-demo ScriptExecRoot]$ whoami
> > tomcat
> > [tomcat at sam-demo ScriptExecRoot]$ ls -l
> > total 276
> > drwxrwxr-x 2 root root 4096 Aug 30 07:58 bin
> > drwxr-xr-x 23 root root 233472 Aug 26 18:25 dev
> > drwxr-xr-x 2 root root 4096 Aug 30 08:02 etc
> > drwxr-xr-x 3 root root 4096 Aug 26 18:20 home
> > dr-xr-xr-x 2 root root 4096 Aug 26 20:02 lib
> > drwxr-xr-x 6 root root 4096 Aug 27 14:54 opt
> > -rw-r--r-- 1 tomcat tomcat 6689 Aug 30 08:02 out.txt
> > dr-xr-xr-x 202 root root 0 Apr 18 05:32 proc
> > drwxr-xr-x 2 root root 4096 Aug 26 18:21 root
> > drwxrwxr-x 2 root root 4096 Aug 26 17:31 sbin
> > drwxrwxrwt 2 root root 4096 Aug 28 15:41 tmp
> > drwxrwxr-x 4 root root 4096 Aug 30 07:59 usr
> >
> > I'm outside the jail as user tomcat and I try to delete the file I
> > created inside the jail as tomcat. I can't do it.
> >
> > [tomcat at sam-demo ScriptExecRoot]$ rm out.txt
> > rm: cannot remove `out.txt': Permission denied
> >
> >
> >
> > On Tue, 2006-08-29 at 12:35 -0400, Christopher Fowler wrote:
> > > I'm doing something wrong in my test program. This program takes an
> > > argument and executes it in a chroot environment. If no argument is
> > > given it will simply execute the shell instead.
> > >
> > > This is part of my script execution that I asked about a week or so ago.
> > > I am now going to extract the script from the database and place it in a
> > > chroot environment. I will then execute it from there. I'm using this
> > > test program before I integrate it into the main code.
> > >
> > > --- [ Cut Here ]-------------------------------------
> > > #!/usr/bin/perl
> > >
> > > use POSIX qw/setuid setgid/;
> > > use strict;
> > >
> > > # Globals
> > > my $root = "/opt/SAM/ScriptExecRoot";
> > >
> > > sub main {
> > >
> > >     # Verify if proc is mounted
> > >     # if not mount it for the user
> > >     if(! -d "$root/proc/1") {
> > >         system "mount -o bind /proc $root/proc";
> > >     }
> > >
> > >     # Setup default language
> > >     # This root does not support locale
> > >     # and perl needs this
> > >     $ENV{'LANG'} = "C";
> > >     $ENV{'PATH'} = "$ENV{'PATH'}:/sbin:/usr/sbin";
> > >
> > >     # Change our root and
> > >     # set our uid; a failed chroot must not be ignored
> > >     chroot $root or die "chroot $root: $!\n";
> > >
> > >     # After chroot this reads the jail's own /etc/passwd
> > >     my ($name,$pass,$uid,$gid,undef,undef,undef,$dir) = getpwnam("tomcat")
> > >         or die;
> > >
> > >     # Drop supplementary groups first, then the gid, then the uid;
> > >     # setuid/setgid alone leave the root groups list in place
> > >     $) = "$gid $gid";
> > >     setgid $gid or die "setgid: $!\n";
> > >     setuid $uid or die "setuid: $!\n";
> > >     chdir $dir or die "chdir $dir: $!\n";
> > >
> > >     # No argument? Just exec a shell
> > >     if($#ARGV == -1 ) {
> > >         exec "/bin/sh"
> > >             or die "exec $!\n";
> > >     }
> > >
> > >     exec "/bin/sh", ("-c", @ARGV)
> > >         or die "exec $!\n";
> > > }
> > >
> > > exit main;
> > > --- [ Cut Here ]-------------------------------------
> > >
> > > The problem is that I'm able to do stuff I should not be able to.
> > >
> > > Here is the output
> > >
> > > --- [ Cut Here ]-------------------------------------
> > > [root at sam-demo ScriptExecRoot]# bin/exec.pl
> > >
> > >
> > > BusyBox v1.2.1 (2006.08.26-21:30+0000) Built-in shell (ash)
> > > Enter 'help' for a list of built-in commands.
> > >
> > > $ ps > /
> > > $ ls -l /out
> > > -rw-r--r-- 1 500 500 6998 Aug 26 23:42 /out
> > > $
> > > [root at sam-demo ScriptExecRoot]# ls -l
> > > total 276
> > > drwxrwxr-x 2 root root 4096 Aug 26 19:42 bin
> > > drwxr-xr-x 23 root root 233472 Aug 26 18:25 dev
> > > drwxr-xr-x 2 root root 4096 Aug 26 19:28 etc
> > > drwxr-xr-x 3 root root 4096 Aug 26 18:20 home
> > > dr-xr-xr-x 2 root root 4096 Aug 26 19:29 lib
> > > drwxr-xr-x 3 root root 4096 Aug 26 17:58 opt
> > > -rw-r--r-- 1 tomcat tomcat 6998 Aug 26 19:42 out
> > > dr-xr-xr-x 209 root root 0 Apr 18 05:32 proc
> > > drwxr-xr-x 2 root root 4096 Aug 26 18:21 root
> > > drwxrwxr-x 2 root root 4096 Aug 26 17:31 sbin
> > > drwxrwxrwt 2 root root 4096 Aug 26 19:42 tmp
> > > drwxrwxr-x 3 root root 4096 Aug 26 17:29 usr
> > > --- [ Cut Here ]-------------------------------------
> > >
> > > As you can see /out is owned by tomcat.tomcat but why was he able to
> > > place anything in /out? Probably something simple I'm not seeing or
> > > forgot to do.
> > >
> > > Thanks,
> > > Chris
> > >
> > >
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
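A hardened variant of the script in this thread, added here as an example rather than Chris's own code: it refuses to chroot unless every directory from / down to the jail root is root-owned and writable only by root (the condition that bit ScriptExecRoot under the tomcat-owned /opt/SAM), checks the result of every privileged call, drops supplementary groups (the stray group 0 in Jerry's id output) before the gid and uid, and verifies that the drop took effect. The jail path and the tomcat account are taken from the thread; the account is looked up on the host before chroot, unlike the original, which resolves it inside the jail.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(setuid setgid);
use File::Spec;
my $root = "/opt/SAM/ScriptExecRoot";   # jail root named in the thread
my $user = "tomcat";                     # unprivileged account from the thread

# Every directory from / down to the jail root must be root-owned and
# writable by root only (sshd demands the same of ChrootDirectory), else
# the owner of a parent, as with the tomcat-owned /opt/SAM, can swap parts of it.
sub check_jail_path {
    my ($path) = @_;
    my $cur = File::Spec->rootdir;
    for my $part (File::Spec->splitdir(File::Spec->rel2abs($path))) {
        $cur = File::Spec->catdir($cur, $part) if length $part;
        my @st = lstat $cur or die "lstat $cur: $!\n";
        die "$cur is a symlink\n"            if -l _;
        die "$cur is not a directory\n"      unless -d _;
        die "$cur is not owned by root\n"    if $st[4] != 0;
        die "$cur is group/world writable\n" if $st[2] & 022;
    }
    return 1;
}

sub main {
    die "must start as root to chroot\n" if $> != 0;
    check_jail_path($root);
    # Look the account up on the host, before chroot hides the real /etc.
    my (undef, undef, $uid, $gid, undef, undef, undef, $dir) = getpwnam($user)
        or die "no such user: $user\n";
    die "refusing to run the jail as uid 0\n" if $uid == 0;
    $ENV{LANG} = "C";
    $ENV{PATH} = "/bin:/usr/bin:/sbin:/usr/sbin";

    chroot($root) or die "chroot $root: $!\n";
    chdir("/")    or die "chdir /: $!\n";   # cwd must not stay outside the jail
    # Drop supplementary groups (Jerry's id output still showed group 0),
    # then gid, then uid, and verify that the drop actually took effect.
    $) = "$gid $gid";
    setgid($gid) or die "setgid $gid: $!\n";
    setuid($uid) or die "setuid $uid: $!\n";
    die "privilege drop incomplete\n"
        if $< != $uid || $> != $uid || grep { $_ != $gid } split ' ', $);
    chdir($dir) or chdir("/") or die "chdir: $!\n";
    exec("/bin/sh") or die "exec /bin/sh: $!\n" if !@ARGV;
    exec("/bin/sh", "-c", @ARGV) or die "exec /bin/sh: $!\n";
}
exit main();
```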