Use the Chroot mechanism to secure servers

Source: Internet
Author: User

Source: emotional network

The so-called "prison" refers to modifying the root directory that a process can see through the chroot mechanism, that is, limiting a process to a specified directory, ensure that the process can only act on the files in the directory and Its subdirectories, so as to ensure the security of the entire server.

Create a chroot "prison"

Previously, daemon on Unix/Linux was started with the root permission. At that time, this seems to be a matter of course, because server software such as Apache needs to be bound to a "well-known" port (less than 1024) to listen for HTTP requests, root is the only user with such permissions.

However, with the increasing frequency of attackers, especially the surge in the number of buffer overflow vulnerabilities, server security is under greater threat. Once a network service has a vulnerability, attackers can access and control the entire system. Therefore, in order to mitigate the negative impact of such attacks, the current server software is usually designed to start with the root permission, and then the server process gives up the root, then run the process with a low-privilege system account. The advantage of this method is that once the service is exploited by attackers to intrude into the service, the attacker's access permission is based on this low permission because of the low process permission, the harm to the system is much lower than before.

Some attackers will try to find other system vulnerabilities to escalate permissions until they reach the root level. Because local security is much lower than remote security protection, attackers may find something in the system that can improve their permissions. Even if a local vulnerability is not found, attackers may cause other damages, such as deleting files and modifying the home page.

To further improve system security, the Linux kernel introduces the chroot mechanism. Chroot is a system call in the kernel. The software can call the database function chroot to change the root directory that a process can see. For example, if the Apache software is installed in the/usr/local/httpd/directory and started as a root user (or another account with the same permissions, the parent process with this root permission will derive several sub-processes running with the nobody permission, depending on personal settings. The parent process listens to the tcp data stream from port 80, and then assigns the request to a sub-process for processing according to the internal algorithm. The Directory of the Apache sub-process is inherited from the parent process, that is,/usr/local/httpd /.

However, once the directory permission settings are incorrect, the attacked Apache sub-process can access/usr/local,/usr,/tmp, or even the entire file system, because the root directory of the Apache process is still the root of the entire file system. If you can use chroot to restrict Apache to/usr/local/httpd, all files that Apache can access are files under/usr/local/httpd/or their subdirectories. The function of creating a chroot "prison" is to restrict the process permission to a subtree in the file system directory tree.

Why jail?

One problem with chroot software is that all programs, configuration files, and library files required for running the software must be installed in the chroot directory in advance, this directory is usually called chroot jail (chroot "prison "). If you want to run/sbin/httpd in "prison", but in fact there is no real/sbin directory in the file system. Therefore, you need to create the/sbin directory in advance and copy httpd to it. At the same time, httpd needs several library files. Execute the following command to view these library files (run in a real file system ).

_ CODE> # ldd/sbin/httpd
Libaprutil-0.so.0 =>/usr/local/httpd/lib/libaprutil-0.so.0 (0x40017000)
Libgdbm. so.2 =>/usr/lib/libgdbm. so.2 (0x4003c000)
Libdb-4.0.so =>/lib/libdb-4.0.so (0x40043000)
Libpthread. so.0 =>/lib/tls/libpthread. so.0 (0x400eb000)
Libexpat. so.0 =>/usr/lib/libexpat. so.0 (0x400f8000)
Libapr-0.so.0 =>/usr/local/httpd/lib/libapr-0.so.0 (0x40118000)
Librt. so.1 =>/lib/librt. so.1 (0x40139000)
LIBM. so.6 =>/lib/tls/lIBM. so.6 (0x4014b000)
Libcrypt. so.1 =>/lib/libcrypt. so.1 (0x4016d000)
Libnsl. so.1 =>/lib/libnsl. so.1 (0x4019a000)
Libdl. so.2 =>/lib/libdl. so.2 (0x401af000)
Libc. so.6 =>/lib/tls/libc. so.6 (0x42000000)
/Lib/ld-linux.so.2 =>/lib/ld-linux.so.2 (0x40000000) _ CODE>
 


This means you also need to create the lib directory in "prison" and copy the library files to it. This work can be done by a computer, and jail and other software packages can be used to simplify the chroot "prison" establishment process.

Compile and install jail

Developed by the mongochroot project team. This package contains C Programs, Perl programs, and Bash scripts that help automatically create chroot "prison.

First place jail.tar.gz in any directory, and then execute the command:
# Tar xzvf jail.tar.gz & cd jail/src

Modify the makefile according to your actual situation, especially the installation path (default installation path is/usr/local) and Architecture (jail supports Linux, FreeBSD, IRIX, and Solaris ), and compilation options. Finally, run the following command:
# Make & make install

Create a chroot "prison" for jail"

Now, create a directory to "prison" as the chroot. Take/var/chroot/as an example. Run the following command to create an environment for chroot "prison:
#/Usr/local/bin/mkjailenv/var/chroot

In this way, "prison" is built. The jail package provides several Perl scripts as its core commands, including mkjailenv, addjailuser, and addjailsw. For example, addjailsw copies binary executable files and other related files (including library files, auxiliary files, and Device Files) from the real file system to the "prison.

Add software for jail "prison"

Next we need to add some software for this "prison" to make it run. Run the following command to install some basic software, including library files such as ls, cat, cp, and ld-linux.so.2.
#/Usr/local/bin/addjailsw/var/chroot

In fact, only these basic software is not enough, and some really useful things need to be limited. The following example shows how to add an arp program for "prison:

_ CODE> #/usr/local/bin/addjailsw/var/chroot-P arp

Addjailsw
A component of Jail (version 1.9 for linux)
Http://www.jmcresearch.com/projects/jail/
Juan M. Casillas <juanm.casillas@jmcresearch.com>

Guessing arp args (0)
Warning: file. // lib/tls/libc. so.6 exists. Overwritting it
Warning: file. // lib/ld-linux.so.2 exists. Overwritting it
Warning: file. // etc/ld. so. cache exists. Overwritting it
Warning: file. // usr/lib/locale-archive exists. Overwritting it
Warning: file. // usr/share/locale. alias exists. Overwritting it
Warning: cant create/proc/net/arp from the/proc filesystem

Done. _ CODE>
 


Take the Apache server software as an example:

_ CODE> # addjailsw/var/chroot/-P/usr/local/httpd/bin/httpd

Addjailsw
A component of Jail (version 1.9 for linux)
Http://www.jmcresearch.com/projects/jail/
Juan M. Casillas <juanm.casillas@jmcresearch.com>

Guessing/usr/local/httpd/bin/httpd args (0)
Warning: file/var/chroot // lib/libssl. so.4 exists. Overwritting it
Warning: file/var/chroot // lib/libcrypto. so.4 exists. Overwritting it
Warning: file/var/chroot // lib/libresolv. so.2 exists. Overwritting it
......

Done. _ CODE>
 


Do not care about the warning information, because jail will call ldd to check the library files used by httpd. Almost all binary executable files based on the shared library need the above library files.

Next, copy Apache related files to "prison:
# Cp-a/usr/local/httpd // var/chroot/usr/local/

You can copy the files required by Apache to "prison" in sequence based on your individual needs.

"Imprisoned" prisoner

Sometimes a new user needs to be created for chroot, for example, Apache requires the creation of a nobody user as a sub-process user. Since other processes may use nobody, another user-httpd can also be used. First, you must create an httpd user in the real system:
# Useradd-d/var/chroot-s/usr/local/bin/jail httpd

Run the following command to create an httpd user in chroot "prison:
#/Usr/local/bin/addjailuser/var/chroot/usr/local/httpd/usr/sbin/httpd

Next, modify/var/chroot/usr/local/httpd/conf/httpd. conf and replace User nobody with User httpd. After chroot, Apache will start the process as httpd. Only root has the right to bind Apache to a low port (usually 80). Therefore, you need to modify the port value, the value must be greater than 1024 (assuming 8080 ). This modification should be applied to all configuration files of Apache, including the configuration of virtual hosts. Other Apache settings are the same as those in the real file system.

Next

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.