[ale] Doing a chroot in Perl

Christopher Fowler cfowler at outpostsentinel.com
Wed Aug 30 12:12:55 EDT 2006


Here is what is going on in kernel space:

write(1, "Before: 0 10 6 4 3 2 1 0\n", 25) = 25
chroot("/opt/SAM/ScriptExecRoot")       = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1
ENOENT (No such file or directory)
close(3)                                = 0
open("/etc/nsswitch.conf", O_RDONLY)    = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1687, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6de7000
read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1687
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xf6de7000, 4096)                = 0
open("/usr/lib/perl5/5.8.3/i386-linux-thread-multi/CORE/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1959, ...}) = 0
old_mmap(NULL, 1959, PROT_READ, MAP_PRIVATE, 3, 0) = 0xf6de6000
close(3)                                = 0
open("/lib/libnss_files.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\33\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=50944, ...}) = 0
old_mmap(NULL, 45724, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xa6e000
old_mmap(0xa78000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x9000) = 0xa78000
close(3)                                = 0
mprotect(0xa78000, 4096, PROT_READ)     = 0
munmap(0xf6de6000, 1959)                = 0
open("/etc/passwd", O_RDONLY)           = 3
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=1240, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6de5000
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1240
close(3)                                = 0
munmap(0xf6de5000, 4096)                = 0
open("/etc/shadow", O_RDONLY)           = 3
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0400, st_size=827, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6de4000
read(3, "root:$1$FSCYGBHy$UjAcKKV6a3lN3ee"..., 4096) = 827
close(3)                                = 0
munmap(0xf6de4000, 4096)                = 0
setgid32(500)                           = 0
getgid32()                              = 500
getegid32()                             = 500
setuid32(500)                           = 0
getuid32()                              = 500
geteuid32()                             = 500
setresgid32(-1, 500, -1)                = 0
getegid32()                             = 500
chdir("/home/tomcat")                   = 0
getgroups32(32, [0, 1, 2, 3, 4, 6, 10]) = 7
write(1, "After: 500 10 6 4 3 2 1 0\n", 26) = 26


On Wed, 2006-08-30 at 11:17 -0400, Jerry Yu wrote:
> pardon me, the first 'id -a' should have been:
> $ id -a
> uid=500 gid=500 groups=0,1,2,3,4,6,10
> context=root:system_r:unconfined_t
> 
> 
> On 8/30/06, Jerry Yu <jjj863 at gmail.com> wrote:
>         The supplementary GIDs are still there, after the setgid/setuid
>         calls. This makes the jailed 'tomcat' have read/write access
>         granted to group 0 1 2 3 4 6 10. For instance, now tomcat can
>         read "/proc/net/ip_conntrack" which tomcat outside the jail
>         wouldn't be able to read. 
>         
>         before setsid/gid  $) = (0 10 6 4 3 2 1 0)
>         after setsid/gid   $) = (500 10 6 4 3 2 1 0)
>         
>         $ id -a
>         
>         uid=500 gid=500 groups=500 context=root:system_r:unconfined_t
>         
>         Per 'perldoc perlvar', you'd need to set $)="$gid $gid" to get
>         rid of the extra supplementary GIDs from the original owner. 
>         $) = (0 10 6 4 3 2 1 0)
>         $) = (500 500)
>         
>         $ id -a
>         uid=500 gid=500 groups=500 context=root:system_r:unconfined_t
>         
>         
>         
>         On 8/30/06, Christopher Fowler <cfowler at outpostsentinel.com>
>         wrote:
>                 I figured it out.
>                 
>                 ScriptExecRoot is owned by root but a subdirectory of
>                 SAM which is owned
>                 by tomcat. When I did the chroot even though / was
>                 owned by root I as
>                 tomcat was able to write stuff anywhere I wanted. 
>                 
>                 I moved ScriptExecRoot to /opt which is owned by
>                 root.  Now when I
>                 chroot I was not able to write anywhere I wanted.
>                 
>                 I guess this is normal behavior but I did not expect
>                 it.
>         
>         
> 

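The privilege-drop sequence Jerry Yu's reply describes, written out as an added example (not code from the thread): it clears the inherited supplementary groups with $) = "$gid $gid", refuses a jail root that the jailed user could write (the earlier message's problem), and verifies the drop took. The jail path and user name are assumptions taken from the strace above; the script has to be started as root for chroot() to succeed.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: chroot, drop supplementary
# groups with $) = "$gid $gid" as perlvar describes, then verify.
# Must be started as root; jail path and user name are assumptions.
use strict;
use warnings;
use POSIX qw(setgid setuid);

my $jail = '/opt/SAM/ScriptExecRoot';   # path seen in the strace above
my $user = 'tomcat';

sub drop_into_jail {
    my ($root, $name) = @_;

    # Resolve the account before chroot(); /etc/passwd is not in the jail.
    my ($uid, $gid) = (getpwnam($name))[2, 3];
    die "unknown user $name\n" unless defined $uid;

    # A jail root the jailed user owns (or can write) lets it rewrite the
    # jail contents. Insist on root-owned and not group/world writable.
    my @st = stat($root) or die "stat $root: $!\n";
    die "$root must be owned by root\n"            if $st[4] != 0;
    die "$root must not be group/world writable\n" if $st[2] & 022;

    chroot($root) or die "chroot $root: $!\n";
    chdir('/')    or die "chdir /: $!\n";

    # First number is the effective GID, the rest is the supplementary list,
    # so this replaces the inherited "0 10 6 4 3 2 1 0" with just $gid.
    $) = "$gid $gid";
    setgid($gid) or die "setgid: $!\n";   # real + effective GID
    setuid($uid) or die "setuid: $!\n";   # real + effective UID, done last

    # Verify: no stray groups left, and root cannot be regained.
    my @groups = split ' ', $);
    die "supplementary groups survived: $)\n" if grep { $_ != $gid } @groups;
    die "uid not dropped\n" unless $< == $uid && $> == $uid;
    $> = 0;
    die "was able to regain root\n" if $> == 0;
    return ($uid, $gid, \@groups);
}

my ($uid, $gid, $groups) = drop_into_jail($jail, $user);
print "Now uid=$uid gid=$gid groups=@$groups\n";
```

Running `id -a` from inside the jail afterwards should show only the single group, matching the corrected output in the reply.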