Use the chroot mechanism to secure servers

The so-called "prison" refers to modifying the root directory that a process can see through the chroot mechanism, that is, limiting a process to a specified directory, ensure that the process can only act on the files in the directory and Its subdirectories, so as to ensure the security of the entire server.

Create chroot "prison"

Previously, daemon on Unix/Linux was started with the root permission. At that time, this seemed to be a matter of course, because server software such as Apache needs to be bound to a "well-known" port (less than 1024) to listen for HTTP requests, root is the only user with such permissions.

However, with the increasing frequency of attackers, especially the surge in the number of buffer overflow vulnerabilities, server security is under greater threat. Once a network service has a vulnerability, attackers can access and control the entire system. Therefore, in order to mitigate the negative impact of such attacks, the current server software is usually designed to start with the root permission, and then the server process gives up the root, then run the process with a low-privilege system account. The advantage of this method is that once the service is exploited by attackers to intrude into the service, the attacker's access permission is based on this low permission because of the low process permission, the harm to the system is much lower than before.

Some attackers will try to find other system vulnerabilities to escalate permissions until they reach the root level. Because local security is much lower than remote security protection, attackers may find something in the system that can improve their permissions. Even if a local vulnerability is not found, attackers may cause other damages, such as deleting files and modifying the home page.

To further improve system security, the Linux kernel introduces the chroot mechanism. Chroot is a system call in the kernel. The software can call the database function chroot to change the root directory that a process can see. For example, if the Apache software is installed in the/usr/local/httpd/directory and started as a root user (or another account with the same permissions, the parent process with this root permission will derive several sub-processes running with the nobody permission, depending on personal settings. The parent process listens to the TCP data stream from port 80, and then assigns the request to a sub-process for processing according to the internal algorithm. The Directory of the Apache sub-process is inherited from the parent process, that is,/usr/local/httpd /.

However, once the directory permission settings are incorrect, the attacked Apache sub-process can access/usr/local,/usr,/tmp, or even the entire file system, because the root directory of the Apache process is still the root of the entire file system. If you can use chroot to restrict Apache to/usr/local/httpd, all files that Apache can access are files under/usr/local/httpd/or their subdirectories. The function of creating a chroot "daemon" is to restrict the process permission to a subtree in the file system directory tree.

Why jail?

One problem with chroot software is that all programs, configuration files, and library files required for running the software must be installed in the chroot directory in advance, this directory is usually called chroot jail (chroot ""). If you want to run/sbin/httpd in "prison", you can't see the real/sbin directory in the file system. Therefore, you need to create the/sbin directory in advance and copy httpd to it. At the same time, httpd needs several library files. Execute the following command to view these library files (run in a real file system ).

# LDD/sbin/httpd
Libaprutil-0.so.0 =>/usr/local/httpd/lib/libaprutil-0.so.0 (0x40017000)
Libgdbm. so.2 =>/usr/lib/libgdbm. so.2 (0x4003c000)
Libdb-4.0.so =>/lib/libdb-4.0.so (0x40043000)
Libpthread. so.0 =>/lib/tls/libpthread. so.0 (0x400eb000)
Libexpat. so.0 =>/usr/lib/libexpat. so.0 (0x400f8000)
Libapr-0.so.0 =>/usr/local/httpd/lib/libapr-0.so.0 (0x40118000)
Librt. so.1 =>/lib/librt. so.1 (0x40139000)
Libm. so.6 =>/lib/tls/libm. so.6 (0x4014b000)
Libcrypt. so.1 =>/lib/libcrypt. so.1 (0x4016d000)
Libnsl. so.1 =>/lib/libnsl. so.1 (0x4019a000)
Libdl. so.2 =>/lib/libdl. so.2 (0x401af000)
Libc. so.6 =>/lib/tls/libc. so.6 (0x42000000)
/Lib/ld-linux.so.2 =>/lib/ld-linux.so.2 (0x40000000)

 

This means you also need to create the lib directory in "prison" and copy the library files to it. This work can be done by a computer, and jail and other software packages can be used to simplify the chroot "prison" establishment process.

Compile and install jail

Developed by the mongochroot project team. This package contains C Programs, Perl programs, and bash scripts that help automatically create chroot "prison.

First place jail.tar.gz in any directory, and then execute the command:
# Tar xzvf jail.tar.gz & CD jail/src

Modify the makefile according to your actual situation, especially the installation path (default installation path is/usr/local) and Architecture (jail supports Linux, FreeBSD, Irix, and Solaris ), and compilation options. Finally, run the following command:
# Make & make install

Create chroot "prison" for jail"

Create a directory as chroot "prison". Take/var/chroot/as an example. Run the following command to create the environment for chroot "prison:
#/Usr/local/bin/mkjailenv/var/chroot

In this way, "prison" is built. The jail package provides several Perl scripts as its core commands, including mkjailenv, addjailuser, and addjailsw. For example, addjailsw copies binary executable files and other related files (including library files, auxiliary files, and Device Files) from the real file system to the "prison.

Add software for jail "prison"

Next we need to add some software for this "prison" to make it run. Run the following command to install some basic software, including library files such as LS, Cat, CP, and ld-linux.so.2.
#/Usr/local/bin/addjailsw/var/chroot

In fact, only these basic software is not enough, and some really useful things need to be limited. The following example shows how to add an ARP program for "prison:

#/Usr/local/bin/addjailsw/var/chroot-P ARP

Addjailsw
A component of jail (version 1.9 for Linux)
Http://www.jmcresearch.com/projects/jail/
Juan M. Casillas <juanm.casillas@jmcresearch.com>

Guessing ARP ARGs (0)
Warning: file. // lib/tls/libc. so.6 exists. overwritting it
Warning: file. // lib/ld-linux.so.2 exists. overwritting it
Warning: file. // etc/lD. So. cache exists. overwritting it
Warning: file. // usr/lib/locale-archive exists. overwritting it
Warning: file. // usr/share/locale. Alias exists. overwritting it
Warning: can't create/proc/NET/arp from the/proc filesystem

Done.

 

Take the Apache server software as an example:

# Addjailsw/var/chroot/-P/usr/local/httpd/bin/httpd

Addjailsw
A component of jail (version 1.9 for Linux)
Http://www.jmcresearch.com/projects/jail/
Juan M. Casillas <juanm.casillas@jmcresearch.com>

Guessing/usr/local/httpd/bin/httpd ARGs (0)
Warning: file/var/chroot // lib/libssl. so.4 exists. overwritting it
Warning: file/var/chroot // lib/libcrypto. so.4 exists. overwritting it
Warning: file/var/chroot // lib/libresolv. so.2 exists. overwritting it
......

Done.

 

Do not care about the warning information, because jail will call LDD to check the library files used by httpd. Almost all binary executable files based on the shared library need the above library files.

Next, copy Apache related files to "prison:
# Cp-A/usr/local/httpd // var/chroot/usr/local/

You can copy the files required by Apache to "prison" in sequence based on your actual situation.

"Imprisoned" prisoner

Sometimes a new user needs to be created for chroot "prison". For example, Apache requires the creation of a nobody user as the sub-process user. Since other processes may use nobody, another user-HTTPd can also be used. First, you must create an httpd user in the real system:
# Useradd-D/var/chroot-S/usr/local/bin/jail httpd

Run the following command to create an httpd user in chroot ":
#/Usr/local/bin/addjailuser/var/chroot/usr/local/httpd/usr/sbin/httpd

Next, modify/var/chroot/usr/local/httpd/CONF/httpd. conf and replace user nobody with user httpd. After chroot, Apache will start the process as httpd. Only root has the right to bind Apache to a low port (usually 80). Therefore, you need to modify the port value, the value must be greater than 1024 (assuming 8080 ). This modification should be applied to all configuration files of Apache, including the configuration of virtual hosts. Other Apache settings are the same as those in the real file system.

Next we need to copy some other files. The most common way to start Apache is to call apachectl, which is a bash script. View the file and you will find the following lines:

Httpd = '/usr/local/httpd/bin/httpd'
Lynx = "Lynx-dump"
Ulimit_max_files = "ulimit-S-N 'ulimit-H-N '"
Argv = "-h"
$ Httpd-K $ argv
$ Httpd-K start-dssl
$ Httpd-T
$ Lynx $ statusurl | awk '/process $/{print; exit} {print }'

 

Ulimit, lynx, and awk are auxiliary programs. In addition, different library files may be used when different parameters are used by the program. To make Apache run completely, use the following command to track all possible files:
#/Usr/local/bin/addjailsw/var/chroot-P httpd "-K start-dssl"

Replace the parameters in quotation marks with the preceding parameters to complete all the work.

Finally, run jail Apache:
# Su-HTTPd &

Open your browser and test the Web server. Remember to add the 8080 port when accessing the web server.

Jail advanced applications

In the previous introduction, three Perl scripts in the jail software package were used. The usage of these three scripts is described in detail for advanced users.

Mkjailenv
Usage: mkjailenv chrootdir
Purpose: Create a chroot "prison" directory and copy the basic software environment from the real file system.
Parameters:
Chrootdir specifies the chroot "prison" path.

Addjailsw
Usage: addjailsw chrootdir [-D] [-P program ARGs]
Purpose: copy the specified file and related files from the real file system.
Parameters:
Chrootdir specifies the chroot "prison" path.
-D: displays details.
-P program ARGs specifies the software to be added to "prison. Program can be a file name or a complete path of the file; ARGs is a parameter. For example, execute addjailsw as follows:
# Addjailsw/var/chroot-P Vi "-C q"

Addjailuser
Usage: addjailuser chrootdir userdir usershell Username
Purpose: Create a New chroot "prison" user.
Parameters:
Chrootdir specifies the chroot "prison" path.
Userdir specifies the Home Directory of the newly added user (relative to the chroot "" directory ).
Usershell specifies the full path of the shell used by the new user (such as/bin/bash ).
Username is the new user name.

For example:
# Addjailuser/var/chroot/home/FTP/bin/CSH FTP

This script automatically modifies the/etc/passwd,/etc/group, and/etc/shadow files in "prison.

From the above, if only one Apache Software runs in "prison", mkjailenv seems too "enthusiastic", so you can not run mkjailenv/var/chroot, run addjailsw/var/chroot-P httpd only, delete unnecessary files after chroot "prison" debugging, and modify unnecessary user information in/etc/passwd. As a result, most popular Web sites now use Apache + PHP + MySQL + SSL (FTP, mail, Perl, and other components may also exist ), therefore, a comprehensive Web "prison" can be established ". The system administrator can set up a software environment for this "prison". Of course, this environment only includes necessary tools for maintaining components such as Apache, PHP, MySQL, and SSL, such as using bash, ssh, compiling software, or uploading. This may be a huge project, but it is very meaningful. Refer to the above method to try out jail's perfect server.