On Thu, Dec 14, 2000 at 02:02:20AM -0600, Austad, Jay wrote:
> I learned a very important thing from this though, chroot everything
> you can, especially BIND.  

Had a little project last night.  I wanted to run the 'folding at home'
binary in a chroot environment.  Why?

    1)  I don't have the source code, :. I cannot audit it's security.
    2)  It's in binary format.  Even if I had the source code, how
        could I tell whether or not someone added an assembly code
        hack to the binary?
       
So.  Since there was no documentation available as to what files or
system calls this program needed, I had to trace these things down to
create the chroot environment.

For those of you who do not know, chroot(1) is an application that
emulates a virtual root ('/') directory heirarchy for a given binary
program.  As such, you must make sure that any file, library, or
binary that the program expects to see is present in the fake root
directory, as it will not be able to access any files outside this
environment.

What I found out about the 'foldingathome' binary was that it was not
dynamically linked to any libraries directly:

    bash$ ldd foldingathome
    <no results>

However, when I ran strace on it (system trace), I got this type of
output in the stderr stream.  Incidentally, I ran it with the
following command line:

    bash$ strace ./foldingathome &> trace.out&
    bash$ tail -f trace.out

This is what I saw (I'm going to snip it to the important stuff):

execve("./foldingathome", ["./foldingathome"], [/* 34 vars */]) = 0
.
. [snip] Note #1
.
open("/etc/resolv.conf", O_RDONLY)      = 5
.
. [snip] Note #2
.
socket(PF_UNIX, SOCK_STREAM, 0)         = 5
connect(5, {sin_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1 ECONNREFUSED (Connection refused)
close(5)                                = 0
.
. [snip the rest]

So, we can surmise that we need a few files in the filesystem for this
application to run.

    open("/etc/resolv.conf", O_RDONLY)      = 5
    open("/etc/nsswitch.conf", O_RDONLY)    = 5
    open("/etc/ld.so.cache", O_RDONLY)      = 5
    open("/lib/libnss_files.so.2", O_RDONLY) = 5
    open("/lib/libc.so.6", O_RDONLY)        = 5
    open("/lib/ld-linux.so.2", O_RDONLY)    = 5
    open("/etc/host.conf", O_RDONLY)        = -1 ENOENT 
            (No such file or directory)

Notice that I didn't have /etc/host.conf in the chroot environment and
the OS returned a ENOENT or Error No Entry.  So, the lesson is this.
If you don't have any information about the program, you can still
figure out how it's operating with your filesystem and operating
system.

The final resulting command, after all the files were placed in the
fake root directory was:

    bash$ sudo chroot /home/folding/chroot /folding/foldingathome&

Now, I'll probably out any of the testing binaries (such as bash and
strace) from the chroot jail.  Then set up an init.d script in my real
root system to start and stop this folding at home using the
start-stop-daemon so that I can change the uid/gid of the program to
something less powerful than root (which you need to run chroot).

It may be helpful to run the binary under strace for a while during
your test runs to see if anything pops up later on that you missed
initially.  If the program dies unexpectedly, at least you can see if
it ties into a failure in a system call of some kind.

Anyway, good lock chroot'ing!

-- 
Chad "^chewie, gunnarr" Walstrom <chewie at wookimus.net>
             http://www.wookimus.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://shadowknight.real-time.com/pipermail/tclug-list/attachments/20001215/c61ac661/attachment.pgp