Chroot and jail

Source: Internet
Author: User
The so-called "prison" is a root directory, changed through the chroot mechanism, that a process is allowed to see: the process is confined to a specified directory so that it can only act on files in that directory and its subdirectories, which protects the rest of the server.

Create a chroot "prison"

In the past, daemons on Unix/Linux were started with root privileges. At the time this seemed natural: server software such as Apache had to bind to a "well-known" port (below 1024) to listen for HTTP requests, and root is the only user allowed to do so.

However, server security faces greater threats as attackers become increasingly active, especially with the surge in buffer overflow vulnerabilities. Once a network service has such a vulnerability, an attacker can gain access to and control the entire system. To mitigate the impact of such attacks, server software is therefore usually designed to start with root privileges, then give up root and continue running as a low-privilege system account. The advantage is that if the service is compromised, the attacker obtains only the low privileges of that process, and the harm to the system is far smaller than before.

Some attackers will then look for other vulnerabilities on the system to escalate privileges until they reach root. Because local security is usually much weaker than protection against remote attacks, an attacker is quite likely to find something on the system that raises their privileges. Even without a local vulnerability, an attacker can still do damage, such as deleting files or defacing the home page.

To further improve system security, the Linux kernel provides the chroot mechanism. chroot is a system call in the kernel; software can call the library function chroot to change the root directory that a process sees. For example, suppose Apache is installed in /usr/local/httpd/ and started as root (or another account with equivalent privileges). Depending on the configuration, the root-privileged parent process forks several child processes that run as nobody. The parent listens for the TCP request stream on port 80 and hands each request to a child process according to its internal algorithm. In this case the current directory of the Apache child process is inherited from the parent, that is, /usr/local/httpd/.

However, if directory permissions are set incorrectly, a compromised Apache child process can access /usr/local, /usr, /tmp, or even the entire file system, because the root directory of the Apache process is still the root of the whole file system. If chroot is used to confine Apache to /usr/local/httpd, then every file Apache can access lies under /usr/local/httpd/ or one of its subdirectories. Creating a chroot "prison" thus restricts the process to one subtree of the file system's directory tree.

Why jail?

One problem with chroot is that all programs, configuration files, and libraries the software needs must be installed in the chroot directory in advance; this directory is usually called the chroot jail (chroot "prison"). Suppose you want to run /sbin/httpd inside the "prison": it cannot see the real /sbin directory, so you must create an /sbin directory in the jail beforehand and copy httpd into it. httpd also needs several libraries. Run the following command (in the real file system) to list them.

     # ldd /sbin/httpd
     libaprutil-0.so.0 => /usr/local/httpd/lib/libaprutil-0.so.0 (0x40017000)
     libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x4003c000)
     libdb-4.0.so => /lib/libdb-4.0.so (0x40043000)
     libpthread.so.0 => /lib/tls/libpthread.so.0 (0x400eb000)
     libexpat.so.0 => /usr/lib/libexpat.so.0 (0x400f8000)
     libapr-0.so.0 => /usr/local/httpd/lib/libapr-0.so.0 (0x40118000)
     librt.so.1 => /lib/librt.so.1 (0x40139000)
     libm.so.6 => /lib/tls/libm.so.6 (0x4014b000)
     libcrypt.so.1 => /lib/libcrypt.so.1 (0x4016d000)
     libnsl.so.1 => /lib/libnsl.so.1 (0x4019a000)
     libdl.so.2 => /lib/libdl.so.2 (0x401af000)
     libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
     /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

This means you also need to create a lib directory in the "prison" and copy the libraries into it. This work can be left to the computer: the jail package and similar software help simplify building a chroot "prison".
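The step just described (run ldd, then recreate each library's path inside the jail) is what the jail package automates. The following POSIX shell script is an added example, not code from the jail package or from this article: `ldd_deps` turns ldd output into a list of library paths, and `install_into_jail` copies a program plus those libraries into a jail directory, preserving their paths. The jail directory and program are assumptions passed on the command line; the sample ldd text is constructed from the listing above (plus one vdso line, which has no file on disk and must be skipped).

```shell
#!/bin/sh
# Added example (not part of the jail package): collect a program's shared
# libraries from ldd output and copy them, with the program itself, into a
# chroot directory, preserving the original paths. Assumes GNU/Linux ldd/cp.

# Read ldd output on stdin and print one library path per line.
# Handles both "name => /path (addr)" and "/path (addr)" lines and skips
# entries that have no file on disk (e.g. linux-vdso.so.1).
ldd_deps() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy PROGRAM and every library ldd reports for it into JAIL, keeping paths
# (e.g. /lib/libc.so.6 becomes /var/chroot/lib/libc.so.6). Paths containing
# spaces are not handled, which is fine for ordinary system libraries.
install_into_jail() {
    jail=$1
    prog=$2
    prog_path=$(command -v "$prog") || { echo "not found: $prog" >&2; return 1; }
    for f in "$prog_path" $(ldd "$prog_path" | ldd_deps); do
        mkdir -p "$jail$(dirname "$f")"
        cp -p "$f" "$jail$f"
        # Nothing inside the jail should be setuid/setgid (cp -p would keep it).
        chmod u-s,g-s "$jail$f"
    done
}

# Constructed sample ldd output: the listing from the text plus one vdso line
# as modern ldd prints it. Used only to exercise ldd_deps offline.
SAMPLE_LDD='linux-vdso.so.1 =>  (0x00007fff12345000)
libaprutil-0.so.0 => /usr/local/httpd/lib/libaprutil-0.so.0 (0x40017000)
libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x4003c000)
libdb-4.0.so => /lib/libdb-4.0.so (0x40043000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x400eb000)
libexpat.so.0 => /usr/lib/libexpat.so.0 (0x400f8000)
libapr-0.so.0 => /usr/local/httpd/lib/libapr-0.so.0 (0x40118000)
librt.so.1 => /lib/librt.so.1 (0x40139000)
libm.so.6 => /lib/tls/libm.so.6 (0x4014b000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4016d000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4019a000)
libdl.so.2 => /lib/libdl.so.2 (0x401af000)
libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# usage (assumed paths): sh mkjail-libs.sh /var/chroot /usr/local/httpd/bin/httpd
if [ "$#" -eq 2 ]; then
    install_into_jail "$1" "$2"
fi
```

Run it as root against the real jail directory; the dynamic loader (ld-linux.so.2) is copied like any other dependency because ldd lists it with a path, and the setuid/setgid bits are cleared on every copied file so that nothing in the jail can change identity.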

Compile and install jail

Developed by the jail project (Juan M. Casillas, http://www.jmcresearch.com/projects/jail/), this package contains C programs, Perl programs, and bash scripts that help you create a chroot "prison".

First place jail.tar.gz in any directory, then run:
# tar xzvf jail.tar.gz && cd jail/src

Edit the Makefile to match your environment, especially the installation path (the default is /usr/local), the architecture (jail supports Linux, FreeBSD, IRIX, and Solaris), and the compilation options. Then run:
# make && make install

Create a chroot "prison" with jail

Now create a directory to serve as the chroot "prison"; /var/chroot/ is used as the example here. Run the following command to build the basic environment of the chroot "prison":
# /usr/local/bin/mkjailenv /var/chroot

The "prison" is now built. The jail package provides several Perl scripts as its core commands: mkjailenv, addjailuser, and addjailsw. For example, addjailsw copies binary executables and their related files (libraries, auxiliary files, and device files) from the real file system into the "prison".

Add software to the "prison" with jail

Next, add some software to the "prison" so that it can actually run. The following command installs the essential programs, including ls, cat, cp, and libraries such as ld-linux.so.2:
# /usr/local/bin/addjailsw /var/chroot

These basic programs alone are not enough; some practical tools must also be brought in. The following example adds the arp program to the "prison":

     # /usr/local/bin/addjailsw /var/chroot -P arp
     addjailsw
     A component of Jail (version 1.9 for linux)
     http://www.jmcresearch.com/projects/jail/
     Juan M. Casillas <[email protected]>
     Guessing arp args(0)
     Warning: file .//lib/tls/libc.so.6 exists. Overwritting it
     Warning: file .//lib/ld-linux.so.2 exists. Overwritting it
     Warning: file .//etc/ld.so.cache exists. Overwritting it
     Warning: file .//usr/lib/locale/locale-archive exists. Overwritting it
     Warning: file .//usr/share/locale/locale.alias exists. Overwritting it
     Warning: can't create /proc/net/arp from the /proc filesystem
     Done.

Take the Apache server software as an example:

     # addjailsw /var/chroot/ -P /usr/local/httpd/bin/httpd
     addjailsw
     A component of Jail (version 1.9 for linux)
     http://www.jmcresearch.com/projects/jail/
     Juan M. Casillas <[email protected]>
     Guessing /usr/local/httpd/bin/httpd args(0)
     Warning: file /var/chroot//lib/libssl.so.4 exists. Overwritting it
     Warning: file /var/chroot//lib/libcrypto.so.4 exists. Overwritting it
     Warning: file /var/chroot//lib/libresolv.so.2 exists. Overwritting it
     ...
     Done.

Don't worry about the warnings: jail calls ldd to find the libraries used by httpd, and almost every dynamically linked executable needs the libraries listed above.

Next, copy the Apache files into the "prison":
# cp -a /usr/local/httpd/ /var/chroot/usr/local/

You can copy any other files Apache needs into the "prison" one by one, according to your setup.

The "imprisoned" user

Sometimes new users must be created inside the chroot "prison". For example, Apache needs the nobody user for its child processes. Since other processes may also use nobody, a separate user, httpd, can be used instead. First create the httpd user in the real system:
# useradd -d /var/chroot -s /usr/local/bin/jail httpd

Then run the following command to create the httpd user inside the chroot "prison":
# /usr/local/bin/addjailuser /var/chroot /usr/local/httpd /usr/sbin/httpd httpd

Next, edit /var/chroot/usr/local/httpd/conf/httpd.conf and replace user nobody with user httpd, because after chroot Apache will start its processes as httpd. Only root can bind Apache to a low port (usually 80), so you also need to change the port to a value greater than 1024 (for example 8080). Apply this change to all Apache configuration files, including the virtual host configuration. Other Apache settings are the same as in the real file system.

Next, some other files need to be copied. The most common way to start Apache is through apachectl, which is a bash script. Look at this file and you will find lines like these:

     HTTPD='/usr/local/httpd/bin/httpd'
     LYNX="lynx -dump"
     ULIMIT_MAX_FILES="ulimit -S -n `ulimit -H -n`"
     ARGV="-h"
     $HTTPD -k $ARGV
     $HTTPD -k start -DSSL
     $HTTPD -t
     $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '

Here ulimit, lynx, and awk are auxiliary programs. In addition, a program may load different libraries depending on the arguments it is started with. So, to let Apache run completely, use the following command to trace every file it may need:
# /usr/local/bin/addjailsw /var/chroot -P httpd "-k start -DSSL"

Replace the arguments in quotes with the other argument sets mentioned above to complete the job.

Finally, start the jailed Apache:
# su - httpd &

Open a browser and test it. Remember to add the port number 8080 when requesting the web server.

Advanced use of jail

The walkthrough above used three Perl scripts from the jail package. Their usage is described here for advanced users.

mkjailenv
Usage: mkjailenv chrootdir
Purpose: create the chroot "prison" directory and copy the basic software environment from the real file system.
Parameters:
chrootdir specifies the chroot "prison" path.

addjailsw
Usage: addjailsw chrootdir [-D] [-P program args]
Purpose: copy the specified program and its related files from the real file system.
Parameters:
chrootdir specifies the chroot "prison" path.
-D prints detailed information.
-P program args specifies the software to add to the "prison". program can be a file name or a full path; args are the arguments the program is traced with. For example:
# addjailsw /var/chroot -P vi "-c q"

addjailuser
Usage: addjailuser chrootdir userdir usershell username
Purpose: create a new user in the chroot "prison".
Parameters:
chrootdir specifies the chroot "prison" path.
userdir is the user's home directory (relative to the chroot "prison" directory).
usershell is the full path of the shell used by the new user (for example /bin/bash).
username is the new user's name.

For example:
# addjailuser /var/chroot /home/ftp /bin/csh ftp

This script automatically updates the /etc/passwd, /etc/group, and /etc/shadow files inside the "prison".

From the above, if only Apache is to run in the "prison", mkjailenv seems too "enthusiastic". In that case you can skip mkjailenv /var/chroot and run addjailsw /var/chroot -P httpd directly, or delete the unneeded files once the chroot "prison" has been debugged, and remove unneeded user entries from its /etc/passwd. Since most popular web sites today run Apache + PHP + MySQL + SSL (possibly with FTP, mail, Perl, and other components), a comprehensive web "prison" can be built. The system administrator can set up a software environment for this "prison" that contains only the tools needed to maintain components such as Apache, PHP, MySQL, and SSL, for example bash, ssh, compilers, or upload tools. This may be a large project, but it is worthwhile. With the method above, you can try building a well-jailed server.
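The clean-up this paragraph calls for (removing files the jailed software does not need and trimming the jail's /etc/passwd) is easier to verify than to do by eye. The following POSIX shell function is an added example, not part of the jail package or of this article: it audits a finished "prison" and prints one line for each setuid/setgid file, world-writable directory, device node outside /dev, and /etc/passwd account that is not on an allow list. The jail path, the allowed user list, and the passwd-format layout are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not part of the jail package): audit a chroot "prison" after
# addjailsw/addjailuser have populated it. Prints one finding per line and
# nothing when the jail is clean. Assumes GNU or BSD find (for -path) and a
# passwd-format JAIL/etc/passwd; paths containing spaces are not handled.

# audit_jail JAIL "user1 user2 ..."
audit_jail() {
    jail=$1
    allowed=$2

    # setuid/setgid programs inside the jail could let the jailed account
    # change identity; a web server jail needs none of them.
    find "$jail" -type f \( -perm -4000 -o -perm -2000 \) \
        | sed 's|^|setuid/setgid file: |'

    # World-writable directories let the jailed account plant or replace
    # files that other jailed programs will later load.
    find "$jail" -type d -perm -0002 \
        | sed 's|^|world-writable dir: |'

    # addjailsw copies device files; any node outside JAIL/dev is suspicious
    # (a copied disk or memory device would expose the host).
    find "$jail" \( -type b -o -type c \) ! -path "$jail/dev/*" \
        | sed 's|^|device node outside /dev: |'

    # Every account in the jail's passwd file must be one we intend to exist.
    if [ -f "$jail/etc/passwd" ]; then
        while IFS=: read -r user rest; do
            [ -n "$user" ] || continue
            case " $allowed " in
                *" $user "*) ;;
                *) echo "unexpected passwd entry: $user" ;;
            esac
        done < "$jail/etc/passwd"
    fi
}

# usage (assumed paths and users): sh audit-jail.sh /var/chroot "root httpd"
if [ "$#" -ge 1 ]; then
    findings=$(audit_jail "$1" "${2:-root}")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        exit 1
    fi
    echo "no findings in $1"
fi
```

Run it after every addjailsw or addjailuser call, since each of those copies files and accounts wholesale; an empty result means the jail contains only what the allow list and the permission rules permit.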
