As we all know, chroot is a security mechanism on Linux systems. chroot is a Linux kernel system call that changes the root directory an application sees, so the application can be confined to run inside a specific directory. Even if the application has a security vulnerability and is broken into, the intruder is restricted to that directory, which limits the scope of the damage and hardens the system. This article takes Tomcat as an example and records the process of configuring Tomcat to run under chroot, together with the errors met along the way and how they were tracked down.
1. Configure the Java chroot environment
1. Configure the JDK first; this configuration uses jdk-7u45-linux-x64.tar.gz.
tar zxvf jdk-7u45-linux-x64.tar.gz
mkdir /usr/java
cp -a jdk1.7.0_45 /usr/java/
[root@host local]# /usr/java/jdk1.7.0_45/bin/java -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)
The JDK starts normally.
2. Configure the JDK chroot
I have selected /chroot as the Tomcat root directory.
# D=/chroot
# mkdir -p $D
# cd $D
# mkdir -p lib lib64 etc tmp dev usr
# chmod 755 etc dev usr
# chmod 1777 tmp
# cp -a /etc/hosts etc/hosts
To make the chroot environment closer to the real root filesystem, some special device files are also required. If they are missing, errors may be reported later.
mkdir -p /chroot/dev/pts
cd /dev
./MAKEDEV -d /chroot/dev null random urandom zero loop* log console
cp MAKEDEV /chroot/dev
cp -a /dev/shm /chroot/dev
[root@host local]# ldd /usr/java/jdk1.7.0_45/bin/java
        linux-vdso.so.1 =>  (0x00007fffeafd0000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3a58efd000)
        libjli.so => /usr/java/jdk1.7.0_45/bin/../lib/amd64/jli/libjli.so (0x00007f3a58ce5000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f3a58ae1000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f3a5874e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f3a59123000)
Copy the library files listed above to the /chroot/lib64/ directory.
[root@host local]# ls /chroot/lib64/
ld-linux-x86-64.so.2  libc.so.6  libdl.so.2  libpthread.so.0
[root@host local]# rm -rf /chroot/usr/java/
[root@host local]# mkdir /chroot/usr/java
[root@host local]# cp -a /usr/java/jdk1.7.0_45 /chroot/usr/java/
[root@host local]# ls /chroot/usr/java/
jdk1.7.0_45
Run java inside the chroot:
[root@host local]# chroot /chroot /usr/java/jdk1.7.0_45/bin/java
/usr/java/jdk1.7.0_45/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
When an error like this is reported, the named library file is missing from the chroot; copying it in resolves the error.
[root@host local]# find / -name libjli.so
/usr/java/jdk1.7.0_45/jre/lib/amd64/jli/libjli.so
/usr/java/jdk1.7.0_45/lib/amd64/jli/libjli.so
/usr/local/jdk1.7.0_45/jre/lib/amd64/jli/libjli.so
/usr/local/jdk1.7.0_45/lib/amd64/jli/libjli.so
/chroot/usr/java/jdk1.7.0_45/jre/lib/amd64/jli/libjli.so
/chroot/usr/java/jdk1.7.0_45/lib/amd64/jli/libjli.so
[root@host local]# cp /chroot/usr/java/jdk1.7.0_45/lib/amd64/jli/libjli.so /chroot/lib64/
[root@host local]# chroot /chroot /usr/java/jdk1.7.0_45/bin/java -version
Error: dl failure on line 863
Error: failed /usr/java/jdk1.7.0_45/jre/lib/amd64/server/libjvm.so, because libm.so.6: cannot open shared object file: No such file or directory
[root@host local]# find / -name libm.so.6
/lib64/libm.so.6
[root@host local]# cp /lib64/libm.so.6 /chroot/lib64/
[root@host local]# chroot /chroot /usr/java/jdk1.7.0_45/bin/java -version
Java HotSpot(TM) 64-Bit Server VM warning: Can't detect initial thread stack location - find_vma failed
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)
Java now starts, but there is still a warning, because Java cannot read information about its own process. On Linux that information lives in the /proc directory, so /proc has to be mounted under /chroot as well:
[root@host local]# mkdir /chroot/proc
[root@host local]# mount -t proc proc /chroot/proc
[root@host local]# chroot /chroot /usr/java/jdk1.7.0_45/bin/java -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)
At this point the JDK configuration is complete. The libraries needed to start the JDK are listed below. Note that the location and name of a library file may vary between system versions, but in general you can find the right library from the error message and copy it into the chroot.
[root@host local]# ls /chroot/lib64/
ld-linux-x86-64.so.2  libc.so.6  libdl.so.2  libjli.so  libm.so.6  libpthread.so.0
2. Configure Tomcat, running it from the /chroot/usr/local directory.
[root@host local]# mkdir /chroot/usr/local
[root@host local]# mv apache-tomcat-6.0.41-src /chroot/usr/local/tomcat
[root@host local]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start
chroot: failed to run command '/usr/local/tomcat/bin/catalina.sh': Permission denied
[root@host local]# ls -al /chroot/usr/local/tomcat/bin/catalina.sh
-rw-r--r--. 1 root root 17717 May 19 18:51 /chroot/usr/local/tomcat/bin/catalina.sh
[root@host local]# chmod 755 /chroot/usr/local
[root@host local]# chmod 755 /chroot/usr/local/tomcat/bin/*.sh
[root@host local]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start
chroot: failed to run command '/usr/local/tomcat/bin/catalina.sh': No such file or directory
[root@host local]# strace chroot /chroot /usr/local/tomcat/bin/catalina.sh start
Pay attention to the last part of the output:
execve("/usr/local/tomcat/bin/catalina.sh", ["/usr/local/tomcat/bin/catalina.s"..., "start"], [/* 25 vars */]) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh_CN.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh_CN.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh_CN/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "chroot: ", 8chroot: ) = 8
write(2, "failed to run command '/usr/loca"..., 57failed to run command '/usr/local/tomcat/bin/catalina.sh') = 57
open("/usr/share/locale/zh_CN.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh_CN.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh_CN/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, ": No such file or directory", 27: No such file or directory) = 27
write(2, "\n", 1
) = 1
close(1) = 0
close(2) = 0
exit_group(127) = ?
The "No such file or directory" from execve is misleading: catalina.sh itself exists, but it is a shell script, and its #!/bin/sh interpreter does not exist inside the chroot. Because Tomcat is started by a shell script, a bash environment is required in the chroot.
[root@host local]# cd /chroot/
[root@host chroot]# mkdir -p bin
[root@host chroot]# cp /bin/bash bin/
[root@host chroot]# ln -s /bin/bash bin/sh
[root@host chroot]# cd lib64
[root@host lib64]# pwd
/chroot/lib64
[root@host lib64]# ldd /bin/bash
        linux-vdso.so.1 =>  (0x00007fff2536e000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f0c47bb5000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f0c479b1000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f0c4761d000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f0c47ddf000)
[root@host lib64]# cp /lib64/libtinfo.so.5 /chroot/lib64/
[root@host lib64]# cp /lib64/libdl.so.2 /chroot/lib64/
cp: overwrite `/chroot/lib64/libdl.so.2'? n
[root@host lib64]# cp /lib64/libc.so.6 /chroot/lib64/
cp: overwrite `/chroot/lib64/libc.so.6'? n
[root@host lib64]# cp /lib64/ld-linux-x86-64.so.2 /chroot/lib64/
cp: overwrite `/chroot/lib64/ld-linux-x86-64.so.2'? n
Some of these libraries were copied earlier, which is why cp asks before overwriting them. Now test whether bash runs under chroot:
[root@host lib64]# chroot /chroot /bin/bash
bash-4.1# pwd
/
Note that the bash prompt has changed, which shows that bash starts normally under chroot.
bash-4.1# ls
bash: ls: command not found
bash-4.1# exit
exit
Starting Tomcat again gives a different error. This time the message is very specific: several commands cannot be found, so copy those commands and their libraries into the corresponding directories of the chroot.
[root@host lib64]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start
/usr/local/tomcat/bin/catalina.sh: line 89: uname: command not found
/usr/local/tomcat/bin/catalina.sh: line 109: dirname: command not found
Cannot find //bin/setclasspath.sh
This file is needed to run this program
[root@host lib64]# cp /bin/uname /chroot/bin/
[root@host lib64]# mkdir -p /chroot/usr/bin
[root@host lib64]# cp /usr/bin/dirname /chroot/usr/bin/
[root@host lib64]# ldd /bin/uname
        linux-vdso.so.1 =>  (0x00007fff4b5ff000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fcfde5b8000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fcfde954000)
[root@host lib64]# ldd /usr/bin/dirname
        linux-vdso.so.1 =>  (0x00007fffb93ea000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f8ad0266000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f8ad0602000)
[root@host lib64]# ls /chroot/lib64
ld-linux-x86-64.so.2  libc.so.6  libdl.so.2  libjli.so  libm.so.6  libpthread.so.0  libtinfo.so.5
The libraries these commands need were copied earlier, so nothing more is needed here; run Tomcat again:
[root@host lib64]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start
Neither the JAVA_HOME nor the JRE_HOME environment variable is defined
At least one of these environment variable is needed to run this program
This error is caused by a missing environment variable, which has to be set inside the chroot. Looking at the catalina.sh file, it calls setclasspath.sh, and the error message is printed by the setclasspath.sh script. Therefore, I set the JAVA_HOME variable in setclasspath.sh.
[root@host bin]# vi /chroot/usr/local/tomcat/bin/setclasspath.sh
# Make sure prerequisite environment variables are set
export JAVA_HOME=/usr/java/jdk1.7.0_45
export JRE_HOME=/usr/java/jdk1.7.0_45/jre
if [ -z "$JAVA_HOME" -a -z "$JRE_HOME" ]; then
  if $darwin; then
    # Bugzilla 54390
    if [ -x '/usr/libexec/java_home' ] ; then
      export JAVA_HOME=`/usr/libexec/java_home`
    # Bugzilla 37284 (reviewed).
    elif [ -d "/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home" ]; then
      export JAVA_HOME="/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home"
    fi
  else
    JAVA_PATH=`which java 2>/dev/null`
    if [ "x$JAVA_PATH" != "x" ]; then
      JAVA_PATH=`dirname $JAVA_PATH 2>/dev/null`
      JRE_HOME=`dirname $JAVA_PATH 2>/dev/null`
    fi
    if [ "x$JRE_HOME" = "x" ]; then
      # XXX: Should we try other locations?
      if [ -x /usr/bin/java ]; then
        JRE_HOME=/usr
      fi
    fi
  fi
  if [ -z "$JAVA_HOME" -a -z "$JRE_HOME" ]; then
    echo "Neither the JAVA_HOME nor the JRE_HOME environment variable is defined"
    echo "At least one of these environment variable is needed to run this program"
    exit 1
  fi
fi
"setclasspath.sh" 119L, 1_2C written
Re-running still gives an error, but it is close to success:
[root@host bin]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start
/usr/local/tomcat/bin/catalina.sh: line 193: tty: command not found
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_45/jre
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar
/usr/local/tomcat/bin/catalina.sh: line 354: touch: command not found
/usr/local/tomcat/bin/catalina.sh: line 371: /usr/local/tomcat/logs/catalina.out: No such file or directory
These errors come from system commands the script calls that are missing from the chroot, and from the logs directory it writes to not existing.
[root@host bin]# cp /bin/touch /chroot/bin/
[root@host bin]# ldd /bin/touch
        linux-vdso.so.1 =>  (0x00007fff9343f000)
        librt.so.1 => /lib64/librt.so.1 (0x00007fbd55ccc000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fbd55939000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fbd5571b000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fbd55edd000)
[root@host bin]# cp /lib64/librt.so.1 /chroot/lib64/
[root@host bin]# mkdir /chroot/usr/local/tomcat/logs
[root@host bin]# chmod 666 /chroot/usr/local/tomcat/logs
[root@host bin]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start
/usr/local/tomcat/bin/catalina.sh: line 193: tty: command not found
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_45/jre
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar
Copy the tty program:
[root@host bin]# cp /usr/bin/tty /chroot/usr/bin/
[root@host bin]# ldd /usr/bin/tty
        linux-vdso.so.1 =>  (0x00007fff1f5ff000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f82f2cd9000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f82f3075000)
[root@host bin]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_45/jre
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar
Finally no error is reported. But what is going on? The Java process still does not start.
[root@host bin]# ps auxf | grep java
root      1449  0.0  0.0 103240   852 pts/1    S+   \_ grep java
View the Tomcat log:
[root@host local]# more /chroot/usr/local/tomcat/logs/catalina.out
Error: Could not find or load main class org.apache.catalina.startup.Bootstrap
[root@host local]# ls /chroot/usr/local/tomcat/bin/bootstrap.jar
ls: cannot access /chroot/usr/local/tomcat/bin/bootstrap.jar: No such file or directory
It turns out that the package is missing a file: the source package moved into place earlier does not contain bootstrap.jar.
Download the complete binary package from the official site and extract it.
# wget http://mirror.bit.edu.cn/apache/tomcat/tomcat-6/v6.0.41/bin/apache-tomcat-6.0.41.tar.gz
[root@host local]# cd /chroot/usr/local/
[root@host local]# ls
tomcat
[root@host local]# mv tomcat tomcat.bak
[root@host local]# mv /usr/local/apache-tomcat-6.0.41 ./tomcat
Add the environment variables to /chroot/usr/local/tomcat/bin/setclasspath.sh again, since this is a fresh copy of the script.
[root@host bin]# vi /chroot/usr/local/tomcat/bin/setclasspath.sh
# Make sure prerequisite environment variables are set
export JAVA_HOME=/usr/java/jdk1.7.0_45
export JRE_HOME=/usr/java/jdk1.7.0_45/jre
Run again:
[root@host local]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_45/jre
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar
[root@host local]# ps auxf | grep java
root      8220  0.0  0.0 103240   852 pts/0    S+   \_ grep java
root      8201  179  6.7 1443396 68980 pts/0   Sl   05 /usr/java/jdk1.7.0_45/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/tomcat/endorsed -classpath /usr/local/tomcat/bin/bootstrap.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start
Finally it succeeds! Open TCP port 8080 in iptables and Tomcat can be accessed at http://ip:8080.
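The whole procedure above is one loop repeated by hand: copy a program into the chroot, run ldd on it, copy each library it lists, try again. The script below is an added example, not code from the article, that automates that loop for any executable or shared object; it also covers the case the JDK section ran into, where ldd on bin/java did not list libm.so.6 because libjvm.so loads it only at run time. The function names are mine, and the paths in the commented usage (/chroot, /usr/java/jdk1.7.0_45) are the article's.

```shell
#!/bin/sh
# Added example, not from the article: copy a binary or shared object plus
# every library ldd reports for it into a chroot, automating the cp-and-ldd
# loop the article runs by hand. Assumes a glibc host with ldd, awk, cp -L.

# Print the absolute path of every library ldd resolves for FILE. ldd lines
# look like "libc.so.6 => /lib64/libc.so.6 (0x...)" or, for the loader,
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; the vDSO line has no path and is
# skipped. Prints nothing for static binaries or when ldd is unavailable.
list_deps() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }
        $2 != "=>" && $1 ~ /^\// { print $1 }'
}

# Copy SRC into CHROOT at the same absolute path, creating parents with the
# 755 mode the article uses. -L dereferences symlinks so the chroot gets the
# real libc.so.6 file; an existing copy is kept instead of prompting.
copy_into() {
    chroot_dir=$1; src=$2; dest="$chroot_dir$src"
    mkdir -p "$(dirname "$dest")" && chmod 755 "$(dirname "$dest")" || return 1
    [ -e "$dest" ] && return 0
    cp -L "$src" "$dest"
}

# Copy FILE and its ldd dependencies. FILE may be a shared object: ldd on
# bin/java does not list libm.so.6 because libjvm.so loads it at run time
# (the article's "dl failure"), so run this on libjvm.so as well.
copy_with_deps() {
    chroot_dir=$1; file=$2
    copy_into "$chroot_dir" "$file" || return 1
    for dep in $(list_deps "$file"); do
        copy_into "$chroot_dir" "$dep" || return 1
    done
}

# Does PATH already exist inside CHROOT? Check copies before the next chroot
# attempt rather than waiting for "cannot open shared object file".
in_chroot() { [ -e "$1$2" ]; }

# Usage on the article's system (its paths, assumed here):
#   for f in /bin/bash /bin/uname /usr/bin/dirname /bin/touch /usr/bin/tty \
#       /usr/java/jdk1.7.0_45/bin/java \
#       /usr/java/jdk1.7.0_45/jre/lib/amd64/server/libjvm.so; do
#       copy_with_deps /chroot "$f"; done
```

Only what the application needs should end up in the chroot: every extra binary copied in is one more tool available to an intruder confined there, so review the resulting tree with ls before starting the service.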
This article is from the "Think-not on" blog. For more information, contact the author!
Reinforce your Tomcat so that Tomcat can run in the chroot environment