LSA2 - 02 chrooting
Transcript of the slides (uploaded by marian-marinov, category: Education)
Chrooting...
/
|-bin/
| |-bash
|-home/
| |-niki/
| |-pesho/
| |-ani/
| | |-bin/
| | | |-bash
| | | |-ruby
|-usr/
| |-bin/
| | |-ruby
- Different software requirements
- Isolation (new software, new bugs)
- Security
Chroot within the application
Chroot before starting the app
The system call
man 2 chroot
SYNOPSIS
    #include <unistd.h>
    int chroot(const char *path);
Chroot within the application
- start a new child
- change the root to ~/ani
- change dir to / (which is now /home/ani on the host)
- listing files in / will result in listing the files within /home/ani
Note: does not require any libraries or special setup
/
|-bin/
| |-bash
|-home/
| |-niki/
| |-pesho/
| |-ani/

FTP: runs privileged
  child: chroot to restrict FS access
Chroot before starting the app
man 1 chroot
SYNOPSIS
    chroot [OPTION] NEWROOT [CMD [ARG]...]
    chroot OPTION
- chroot requires /bin/sh
- all binaries within the chroot have to have their shared libraries
Find all shared libraries for a binary
$ ldd /bin/bash
    linux-gate.so.1 (0xb775c000)
    libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
    libc.so.6 => /lib/libc.so.6 (0xb7596000)
    /lib/ld-linux.so.2 (0xb775d000)
How to use the Linux linker
$ /lib/ld-linux.so.2 --list /bin/bash
    linux-gate.so.1 (0xb775c000)
    libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
    libc.so.6 => /lib/libc.so.6 (0xb7596000)
    /lib/ld-linux.so.2 (0xb775d000)
Verify that all shared libraries are present in the chrooted environment
$ /lib/ld-linux.so.2 --list --library-path /storage/chroot/lib /storage/chroot/bin/bash
Warning: Do not forget that shared libraries can also be using other shared libraries.
Missing devices?
Some applications require basic devices to function:
- /dev/zero
- /dev/null
- /dev/random
- /dev/urandom
- /dev/ttyX or /dev/pts/X - terminal access
/dev/log - log to syslog (reconfigure the syslog daemon)
Note: Do not use MAKEDEV. It creates too many unnecessary devices. Use mknod instead.
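The requirements of the last three slides (the chroot needs /bin/sh, every shared library the binaries use, and the basic device nodes) fit naturally into one script. The following is an added example, not code from the slides: it copies /bin/sh with every library ldd reports, creates the device nodes with mknod using their fixed Linux major/minor numbers (null 1:3, zero 1:5, random 1:8, urandom 1:9), and checks the result with the loader as on the "Verify" slide. The chroot location /tmp/demo-chroot and the SAMPLE_LDD text (the slide's ldd output, embedded as constructed input) are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: build a minimal chroot that meets the
# requirements listed above (/bin/sh present, every shared library present,
# basic device nodes present) and verify it. Paths under the chroot root are
# assumptions chosen for the demo.
set -eu

# ldd output copied from the slide, embedded as constructed sample input so
# the parser can be exercised without running ldd at all.
SAMPLE_LDD='linux-gate.so.1 (0xb775c000)
    libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
    libc.so.6 => /lib/libc.so.6 (0xb7596000)
    /lib/ld-linux.so.2 (0xb775d000)'

# Read ldd output on stdin and print one absolute path per line.
#   "name => /path (addr)"  -> /path      (ordinary shared library)
#   "/path (addr)"          -> /path      (the dynamic loader itself)
#   "name (addr)"           -> skipped    (linux-gate/vDSO, not a file)
#   "name => not found"     -> reported on stderr, non-zero exit status
ldd_paths() {
    awk 'BEGIN { rc = 0 }
         /=> not found/ { print "missing: " $1 > "/dev/stderr"; rc = 1; next }
         /=>/           { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\//     { print $1 }
         END { exit rc }'
}

# Copy one file into ROOT at the same absolute path, creating parent dirs.
install_into() {   # install_into ROOT /abs/path
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# Copy a binary plus everything ldd lists for it. ldd output is already
# transitive, so libraries needed by other libraries (the warning on the
# slide) are included. ldd may execute the binary's loader, so run it only
# on binaries you trust.
install_binary() {   # install_binary ROOT /bin/sh
    install_into "$1" "$2"
    ldd "$2" | ldd_paths | while read -r lib; do
        install_into "$1" "$lib"
    done
}

# Create the basic device nodes with mknod (not MAKEDEV), using the fixed
# Linux major/minor numbers. Needs root (CAP_MKNOD); existing nodes are kept.
make_devices() {   # make_devices ROOT
    root=$1
    mkdir -p "$root/dev"
    for spec in "null 1 3" "zero 1 5" "random 1 8" "urandom 1 9"; do
        set -- $spec
        [ -e "$root/dev/$1" ] || mknod -m 666 "$root/dev/$1" c "$2" "$3"
    done
}

# The --library-path check from the slide, then the decisive test: run the
# shell inside the chroot (needs root).
verify_chroot() {   # verify_chroot ROOT
    loader=$(ldd /bin/sh | ldd_paths | grep '/ld-' | head -n 1)
    "$1$loader" --list --library-path "$1/lib:$1/lib64:$1/usr/lib" "$1/bin/sh"
    chroot "$1" /bin/sh -c 'echo "chroot works"'
}

case "${1:-}" in
    build)  root=${2:-/tmp/demo-chroot}        # constructed default location
            install_binary "$root" /bin/sh
            make_devices "$root"
            verify_chroot "$root" ;;
    demo)   printf '%s\n' "$SAMPLE_LDD" | ldd_paths ;;
esac
```

Run `sh build_chroot.sh demo` to see the parser applied to the slide's ldd output, and `sh build_chroot.sh build /tmp/demo-chroot` as root to build and test a chroot. Note that `--library-path` only puts the chroot directories first in the search order; a library still missing from the chroot can silently resolve from the host's /lib, which is why the final `chroot ... /bin/sh` run is the check to trust.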
Installing software in the chroot
RPM based distributions
Initialize the RPM DB in the chroot (/vm1):
    # mkdir -p /vm1/var/lib/rpm
    # rpm --root /vm1 --initdb
Install a single RPM in the chroot (/vm1):
    # rpm --root /vm1 -ivh some_package.rpm
Install the RPM package manager into the chroot:
    # yum --installroot=/vm1 install rpm
Follow the last step for any other package.
Installing software in the chroot
Debian based distributions
For all of you... use debootstrap.
And finally, meet busybox the one tool that has it all :)