Chroot Jails Made Easy
GonzoJohn writes "There are always difficult jobs to do as a GNU/Linux system administrator. Sometimes the difficulty lies in finding out how to do a particular job, not necessarily the job itself. This can be particularly true in the open source world where documentation can often take a back seat to implementation. But once in a while, you can stumble on a real gem that simplifies even the most difficult administration tasks. One such gem is the Jail Chroot Project. Linux Orbit introduces you to creating chroot-ed environments in this article."
I must have spent a week working through various docs trying to learn this, and most of what I read was either impossible to understand or just inaccurate. Finally I happened upon this, and I refer to it often. Here's the gist of it:
====================
Introduction
Jail Chroot Project is an attempt to write a tool that builds a chrooted environment. The main goal of Jail is to be as simple as possible, and highly portable. The most difficult step when building a chrooted environment is to set up the right libraries and files. Here, Jail comes to the rescue with a tool that automagically configures & builds all the required files, directories and libraries. Jail is licensed under the GNU General Public License.
The Jail program has been written in C, and the setup script has been written in bash and perl. Jail has been tested under Linux (Debian 2.1 & 2.2, RedHat 6.1, 6.2 and 7.0 and Caldera OpenLinux 7.0), Solaris (2.6), IRIX (6.5) and FreeBSD 4.3. Some people have contributed to Jail with patches and ideas. Thanks to all of them.
Jail supports lots of interesting features:
Runs on Linux, Solaris, IRIX and FreeBSD (tested) and should run on any of the flavours of these operating systems.
Modular design, so you can port Jail in an easy way.
Support for multiple users in a single chrooted environment.
Fully customizable user shell.
Support for multiple servers: telnetd, sshd, ftpd...
Easy to install thanks to the environment creation script.
Should work in any UNIX.
Ease of porting.
Allows running any kind of program as a shell.
An html version of the mailing list has been added to the web site. Now you can read all the user contributions, ideas and patches here.
In the long run, though, I hope the standard approach becomes User Mode Linux.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
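The step the quoted introduction calls the hardest part, collecting a program and the shared libraries it needs into the new root, is what Jail's setup script automates. Below is an added example of that step as a plain POSIX shell script; it is not the Jail project's own code, and the jail path, program list and passwd/group entries are assumed values.

```sh
#!/bin/sh
# Added example (not the Jail project's own script): copy programs and the
# shared libraries they need into a chroot directory, the step Jail automates.

# Print the library paths found in ldd-style output read from stdin.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and bare loader lines such as
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; entries with no path (the vDSO,
# or "=> not found") are skipped because there is no file to copy.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy one file (absolute host path) into the jail at the same path, creating
# parent directories. Symlinks (libc.so.6 -> libc-2.x.so on older systems)
# are dereferenced so the jail holds a real file, not a dangling link.
install_into_jail() {
    jail=$1
    src=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")" || return 1
    cp -L "$src" "$dest" || return 1
    chmod 0555 "$dest"
}

# Build a minimal jail containing each listed program and its libraries.
# Device nodes are deliberately not created: see the discussion of /dev below.
# Usage: build_jail /path/to/jail /bin/sh /usr/bin/ls ...
build_jail() {
    jail=$1
    shift
    mkdir -p "$jail/dev" "$jail/etc" "$jail/tmp" || return 1
    chmod 1777 "$jail/tmp"
    for prog in "$@"; do
        install_into_jail "$jail" "$prog" || return 1
        # A statically linked program makes ldd print "not a dynamic
        # executable" and exit non-zero; that simply yields no libraries.
        for lib in $(ldd "$prog" 2>/dev/null | ldd_paths); do
            install_into_jail "$jail" "$lib" || return 1
        done
    done
    # Give the jail its own tiny passwd/group (constructed entries) so name
    # lookups inside it never read the host's user database.
    printf 'root:x:0:0:root:/:/bin/sh\njailuser:x:1001:1001::/:/bin/sh\n' \
        > "$jail/etc/passwd"
    printf 'root:x:0:\njailuser:x:1001:\n' > "$jail/etc/group"
}

# Run directly: build_jail.sh /path/to/jail program...
if [ "$#" -ge 2 ]; then
    build_jail "$@"
fi
```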
Site is slashdotted, all the pages are screenshotted to here
First he fried my data
...... Supreme court.. here I come
Then he formatted my drive
Then he garbled my project
But.. I am *not* going to let him put me in jail too! Rise ye users. This is a conspiracy by all admins to jail us. they are violating our DMCA RIAA CIAA BIDA
My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
FB : https://www.facebook.com/TanveersPhotography
Funny to see an article boosting them when a "jailbreak" is considered simple by both people in the know AND Bugtraq folks.
Jail is a term taken from BSD.
In BSD, jail and chroot are two different things, although very similar. There exist two syscalls: jail() and chroot().
What's the difference?
Chroot is ordinary chroot, the same as in Linux. You do chroot /something bin, and /something becomes the root directory (/) of the run program. This program can't open, for example, /etc/passwd, because the _real_ /etc doesn't exist in its /. The chrooted program's /etc is in fact /something/etc.
But if you've got root privileges you can easily break chroot. Just make a special file named 'hda1' being a device node (like those in /dev) inside the chroot, mount it, and ... voila! You have access to the whole disk. Chroot is broken. Of course, you must have access to make the file, but the chroot must have that.
Jail is slightly different. It not only holds the process in some directory. It also *restricts* certain *syscalls*. So you can't mount anything, change network settings and some more. Jail is more restrictive and probably you can't break it even if you have root access in the jail.
Jail, because of blocking syscalls, must have some help from the kernel. Right now, there is a jail() in FreeBSD and probably NetBSD. OpenBSD doesn't have it - Theo says it's too complicated to be secure. Also Linux doesn't have jail().
If you want more information, browse the FreeBSD man pages, available online.
:wq
From the site:
Again, not to minimize the outstanding work here, but what if I want to create chroot jails for the LAMP class I'm teaching (I'm not really, but this seems like a cool application) so they can all have their own Apache installations? It sounds like chroot will know to move the httpd binary and the required shared libraries, but what about the rest of the admin shell scripts, server root, shared icons dir, mime types file, etc.?
Then what happens if I want to upgrade? My guess is a fair amount of bootstrapping needs to be done in the new root....
What might be really cool is for addjailsw to be RPM-aware so I could do a addjailsw mod_ssl-2.8.7-6 which would get a list of necessary files and package dependencies and install them in the new root and update the RPM DB in the new root as well.
Maybe just wishful thinking....
moto411.com
Much better and much more comprehensively. To tell you the truth, there is nothing original in Linux. That is to say, Linux is less original than most open source software. Not a troll, the truth.
Although they are a step towards higher security, chroot jails are not infallible.
If there's a security hole in an application, it's still possible for an attacker to get root (but yes, they'll be confined to the chroot environment).
But then, under Linux, at least, the attacker will still be able to mount /proc, if they find a way of getting binaries onto the machine, which will enable a number of possible attacks on the machine, by altering stuff under /proc/sys.
It may also be possible for the attacker to create device files (eg, /dev/hda) and write directly to the disk.
So, all in all, even if you're running in a chroot jail, it helps to make sure your apps are running as non-root, if you can. authbind is your friend.
-- Even if a god did exist, why the fsck should I worship it?
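The mitigation this comment ends on, running the jailed service as non-root, only works if the process enters the chroot and sheds its privileges in the right order. The following is an added example of that sequence in C, not code from the thread or the Jail project; the jail path and the uid/gid 65534 are assumed values.

```c
/* Added example, not from the Jail project or the thread: the order in which
 * a daemon should enter its chroot and give up root, the mitigation the
 * comment above recommends. Paths and ids are assumed values. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter `jail` and become uid/gid. Returns 0, or -1 with errno set.
 * Needs root for chroot(2); the jail itself should hold no setuid
 * binaries and no device nodes. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    /* chdir first, then chroot("."), then chdir("/") again: calling
     * chroot(path) without chdir leaves the cwd outside the new root. */
    if (chdir(jail) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;
    /* Supplementary groups, then gid, then uid: each step needs the
     * privilege that the next one throws away. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop really happened: all four ids must match, and an
 * unprivileged process must not be able to become uid 0 again. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)
        return 0;  /* root was regained: the saved set-user-ID was still 0 */
    return 1;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/jail";  /* assumed path */
    uid_t uid = 65534;                                     /* "nobody", assumed */
    gid_t gid = 65534;
    if (enter_jail(jail, uid, gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    if (!privileges_dropped(uid, gid)) {
        fputs("privilege drop incomplete\n", stderr);
        return 1;
    }
    puts("running inside the jail as an unprivileged user");
    return 0;
}
```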
Though it seems like a virtual system, a chroot cell is not totally virtual, and there can still be plenty of compromises.
Like usual, all you need is access to a compiler, and you can make a jailbreak. In fact, there's a whole guide to it here:
http://www.bpfh.net/simes/computing/chroot-break.html
If the whole jail resided in its own actual virtual Linux machine, where nasty things cannot break the account, just the session, they would be quite a bit more effective.
This book will teach how to jail apache.
This is such a weak idea. What we really need are fine-grained capabilities. Chroot is a very blunt way to implement some vague semblance of that. Check out: http://www.eros-os.org for a system which implements sane security. Chroot is just a band-aid that helps stop the bleeding but doesn't fix anything.
Note that our 'Jail' software developer has the username 'assman'.
http://www.gsyc.inf.uc3m.es/~assman/jail/index.html
it would be nice to see, rather than just plain chroot with its own directories and such, a 'chmod jail', which acts as a symlink to other directories (no need to copy libs) yet makes certain alterations impossible for any user (even root)
-- 'The' Lord and Master Bitman On High, Master Of All
The chroot environment is trivial to get out of if you're still running as root. Obviously if there's an exploit that lets you get root access even inside a chroot environment, then you can get out of that chroot environment.
The C source code is here.
now we need to go OSS in diesel cars
You don't even need a device to get out of chroot. See my other comment to this story.
now we need to go OSS in diesel cars
I have been using chroot for many years, mostly with the big three (Apache bind and sendmail). However, I would never rely solely on chroot for security.
It is ridiculous to do a Maxwell Smart and put 10 locks on your front door when the window is wide open. You are always better to rely upon a locked box, inside a locked box, inside a locked box etcetera, rather than OUMF lock!
OUMF??? you say (new proposed acronym)...
Just think of Arnie in Predator when he says to the alien "You're one ugly mother f......"
From excellent karma to terrible karma with a single +5 funny post...
Note that there is a project that attempts to add jail-syscall-like functionality to the Linux kernel: vserver.
I haven't tested it yet, but it looks very promising.
Sig (appended to the end of comments I post, 54 chars)
*
This can be particularly true in the open source world where documentation can often take a back seat to implementation.
*
I don't know to what degree this is meant, but I would never find myself stating this alone. I think open source generally has incredible documentation. The only comparison to open source is closed source, and I don't think there is much of a question of which one is stronger at documentation. Even when I do find closed source documentation, it is rarely verbose enough. Another strong point to open source documentation is that it is only getting better. While most closed source development just leaves release info and install info (often just informing the location of files), open source documentation projects are often an undermovement to projects themselves. I don't deny there are exceptions, like this article and some other projects, systems, etc (particularly very small ones), but if it wasn't for the incredible open source documentation out there, that is so persistently provided that I always expect it, then I wouldn't have ever been able to detach myself from the closed source hells I have been used to.
In jail, In jail without no bail
In jail, In jail because we failed!
It's this easy
chmod -r 000 /
The Medusa project allows the implementation of system call policies in Linux. Google for it. I think with smart rulesets; chroot and jail are all redundant. For example, denying untrusted user set*id access (toppled by smart fileaccess privileges) renders most "security" attacks useless for that user (he cannot cause any real damage other than DoS, which can also be stopped by implementing thread/fork timers for that user).
and don't need to create this sort of thing at all.
Does anyone know of a similar method that can authenticate users out of a virtual user database?
If this is possible, then this would diminish the value of even kernel level ACLs on files and processes. For example, grsecurity and LIDS.
BTW I just followed the instructions listed in another comment in this discussion in order to break out of my own chroot instantly. Wow. :-/ Well at least it's still fine as long as there's no way to gain UID 0 privilege inside a chroot, such as if the network daemon runs as non-UID0 and there are no userspace tools in the chroot.
So, while chroot may be good, do not rely on it solely for security.
If it's vulnerable, doesn't that usually mean that it's not set up well?
What's this Submit thingy do?
A bunch of people have taken the ideas of isolating programs or users into jails even further. Take a look at this site.
no superuser = nothing to compromise
File access is via a dedicated server
Authentication for file access to the fileserver is from a dedicated server.
Users log into a third group of machines - CPU servers.
Local access means nothing. You can't escalate your privileges because there are none to escalate to.
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
WTF is GNU/Linux. Just because Linux uses GNU utilities in his system doesn't give Dick Stallman the right to rename it. Last I heard Linus Torvalds owned the trademark to Linux, not Dick. Please blow off this wanker who wants to subvert and control projects like XEmacs, and Linux.
I would like to see chroot jails become a more regular part of the OS.
User Mode Linux is going in the right direction with this.
But what I think we really need is a versioning file system. Rather than creating new copies of system files for each jail, such a file system could provide each jail with a read-only copy of original system files. Any modifications to those files would be versioned-out and specific to that jail.
Is anything like that being worked on?
At last! A solution to our overcrowded prison system!
Or so I thought.
Robort knows all.
I've been using ~assman's chroot for some time. In fact, it works with SSH and various other programs because of feedback I did with the project owner.
Yeah, chroot is not absolute. Neither is anything else. But, it's a great way to make sure that your clients don't see anything they aren't supposed to.
Combine chroot with SSH-only connections, and you have a real step in the area of security and/or privacy.
Again, read the subject, SECURITY IS NOT ABSOLUTE! But any step you make to prevent unwanted activity is a step in the right direction. Enough thwarting of "bad" behavior means the black hat will quit or look elsewhere, and that means you've won.
Security is not about absolutes; it's about risk management. Only idiots think that something is "secure" or it's "not". Chroot is a valid tool in the direction of more secure.
I have no problem with your religion until you decide it's reason to deprive others of the truth.