Debian :: Jail A Process Without Root Access?

Aug 17, 2011

This is my first post, so bear with me. I have a user that runs a process that controls servers. Every server has its own directory. The "server" is a .jar. The server gets started with a .sh script. I want the server to be jailed to its folder, however it isn't possible to run chroot because it's not a superuser. What can I do? I've found out that jk_uchroot should do so I can run chroot as another user, however I can't get it to work properly and I can't find any good howtos or better documentation about it.


Security :: Chroot Can't Find Any Files In The Jail - Error 'empty' Jail

Mar 27, 2010

chroot in two mini distros (Tiny Core and SliTaz): chroot jail appears 'blind'. Chroot can't find any files in the jail and exit with error code. Example (ugly):

Code:
# mkdir /mnt/test
# mkdir /mnt/test/bin
# mkdir /mnt/test/dev
# mkdir /mnt/test/proc
# mkdir /mnt/test/lib
# mount /dev/hdb1 /mnt/test
# mount -t proc none /mnt/test/proc
[Code]...

chroot: cannot execute /bin/bash: No such file or directory

Where is the problem?


Debian :: Determine If An Service / App Is In Chrooted Jail

May 31, 2010

I am trying to find out if an application is in a chroot jail or not. I have tried to do as suggested here, but something is wrong I believe. [URL]

pidof apache2
24714 24404 24366 24365 24364 24363 24362 4923
ls -ld /proc/24714/root
lrwxrwxrwx 1 root root 0 May 31 19:05 /proc/24714/root -> /

So far so good. Now we try with postfix; oops, nothing to show?

pidof postfix

Let's try with the postfix master process instead.

pidof master
2623

ls -ld /proc/2623/root
lrwxrwxrwx 1 root root 0 May 31 19:07 /proc/2623/root -> /

It shows it as not being in a chroot jail, which I do not understand, since I KNOW that postfix runs in a chroot jail.


Debian :: Mount Devices In A Chroot Jail?

Apr 16, 2010

I would like to create a logon script, for a specific user, under an ssh connection, to back up several directories to a USB device; this backup will run when the device is plugged in and the user logs in to the server. My knowledge of Linux isn't very deep right now, and some questions are in my head. I would like to do this in a chroot jail, and the user logging in through the ssh connection doesn't have to do anything; the logon script will mount the USB device and make the backup (using rsync or whatever), and exit the ssh connection when it finishes.

But the questions are:

- is it possible for a user in a chroot jail to mount a USB device?

- from this jail, the directories outside of the jail could be available or need to be bind or something for this task?

- would it be better to "jail" all the directories to back up inside the chroot path (almost would be samba sharing for Windows clients)?


Ubuntu :: "add User" Interface Removed Root Access On Whole System?

Feb 24, 2010

I couldn't see any users in the "Users and Groups" menu, not even my own account. Then I tried to create a new (unprivileged) user, but it didn't show up either. Then I quit the "Users and Groups" menu, and tried to open it again. This time, I could see a user, but only the root user. Then I quit again. Later I tried to gain root access doing some other stuff, but all of a sudden, the system told me that I wasn't in the sudoers file anymore! Then I rebooted the whole system, and got stuck with this message:

Code:
mountall: mount /dev/pts [397] terminated with status 32
mountall: Filesystem could not be mounted: /dev/pts
fsck from util-linux-ng 2.16

[Code].....

All happened using the graphical interface in Ubuntu. I haven't been messing around with the terminal or the root account or anything like that - just tried to add a new user to the system using the graphical interface, and now I can't even access my system.


Red Hat / Fedora :: What Is Chroot Jail

Jan 19, 2010

What is a chroot jail?


General :: Make A Chroot Non Jail?

May 10, 2010

how to prepare (before issuing the chroot command) directory links out of a chroot environment. I have done a bunch of reading, but not yet experimenting, about chroot. I mostly understand its main purpose of creating an environment in which it is safer to run untrusted software. But I want to use it for some other things, involving trusted software.

I want to create a directory tree in which the various top level directories are links to various directories in the main directory tree. For example, when running on a Debian based 64 bit system (where /lib has 64 bit .so files) I might want to create a root in which /lib links to the directory containing 32 bit .so files (same as /lib32 normally links to).

IIUC, chroot blocks soft links from getting outside. So I could create a directory containing lib as the desired soft link, but if I did chroot to that directory, the link would no longer point where I wanted. Is that correct? IIUC, I can't do a hard link to a directory. Is that correct? How would you create a directory link that would point out of a chroot "jail"? (Yes I do understand that is contrary to the common purpose for a chroot).

From reading, again not yet experimenting, I think mounting an aufs might do it. It looks like aufs might be used to mount a directory into another directory. Is that correct? Am I missing some easier way to mount a directory into a directory? Would such an aufs mount link out of the chroot? Or suffer the same fate as a soft link?


General :: Failed To Su After Making A Chroot Jail

Oct 6, 2010

On a 64 bit CentOS host I am using the script make_chroot_jail.sh to put a user in a jail, not permitting it to see anything except its home at /home/jail/home/user1.

I did it typing this:

After, when trying to connect to user1, first I was getting an error like:

I have fixed this by copying some missed libraries:

But now, when trying to connect to user1 by typing su user1 and then typing its password, I am getting this error: could not open session

So the question is how to connect to user1 in this situation?

Here are the permissions of some files, this might be helpful in order to provide a solution:

After some modifications I managed to connect to user1, but the session closes immediately! I guess this is a PAM issue, however I can't find a way to fix it.

Here is the log entry for the close action from /var/log/secure:

What makes the session to exit immediately after launching?


Ubuntu :: Info On Chroot Jail And If Break Out Of It?

Jul 16, 2010

I'm looking for info on chroot jail and if you can break out of it. Does anyone know where to find info?


General :: Mount Devices In A Chroot Jail?

Apr 20, 2010

I would like to create a logon script, for a specific user, under an ssh connection, to back up several directories to a USB device; this backup will run when the device is plugged in and the user logs in to the server. My knowledge of Linux isn't very deep right now, and some questions are in my head. I would like to do this in a chroot jail, and the user logging in through the ssh connection doesn't have to do anything; the logon script will mount the USB device and make the backup (using rsync or whatever), and exit the ssh connection when it finishes.

Anyway the questions are:

- is it possible for a user in a chroot jail to mount a USB device?

- from this jail, the directories outside of the jail could be available or need to be bind or something for this task?

- would it be better to "jail" all the directories to back up inside the chroot path (almost would be samba sharing for Windows clients)?


Ubuntu Security :: User (in Jail) With Very Limited Permissions

Nov 21, 2010

I want to have an account (beta user), on which: I can use the Internet and other programs without administrative rights, without the right to install programs, with a kind of sandbox for everything that is connected to the Internet, which means: everything that is associated with the web browser's processes and files that I save to hard disk I want to be separated from the rest of the system, so that whatever can catch up on this account will be locked in it, for example any (if at all) possible malicious scripts from the Internet or whatever may be dangerous now or invented in the future. Sometimes, for example, I save the web page to disk with all its content.

And in case someone cracked into this account I want make it in that way that he could not do any tricks to read or change passwords, or make any other changes to the system. The best would be if a password for that user might serve only to log in without having any other powers, and I would give that user an automatic login. For now I created a beta user without administrative rights. I understand that the limiting rights of the user are associated with limiting rights to their home directory. There are also groups, and a user may be included or excluded. I excluded that user from admin group but I don't know what else I can limit and how. When I give chmod 0644 for /home of this user he cannot run Firefox. When I give him 0740 he can run applications, so I assume the x attribute must be preserved.

This is a user without sudo rights, so when I type sudo apt-get update a message shows up correctly that this user doesn't belong to the sudoers group. But still it's not what I wanted. When the user runs Gufw and wants to change the settings to disable the firewall, a message shows up asking to type in a password of alpha user = primary user, which is that belonging to the sudoers group, the first / main user that I created during system installation. I wish that there was only the message that the beta user has no power to change anything, which means even completely remove the possibility of asking for sudo.

In addition, I wish that this beta couldn't be able to change the permissions to its home directory, or go to see what is above. Because so far beta can change the file permissions for its /home, even without a sudo password. How can I do it? Do I need to create a kind of chroot jail for this user? I would like any changes to that user account to be made only after the user logs off from the beta account and logs in on the alpha account, and that beta could run only programs that were installed by alpha. And that beta could read and write, but alpha could also read and write or remove, alter files on the beta account. Basically, the alpha account should be superior to the beta account. Can I do that?


Ubuntu Servers :: Modify Permission On Jail User?

Dec 3, 2010

Does anyone know how to modify permission on a jail user? Current jail user added to its /home/jail/*

How can I assign jail user(s) enough permission to access /opt, /var, or any other directories other than /home/jail/* ?


Security :: Sandbox / Chroot Jail And Separate Filesystem?

May 4, 2011

I want to make a sandbox for my music streaming server (subsonic). I was going to make a directory and chroot to it. I don't really have any room on my HD for new partitions. For the sandbox/chroot jail to be proper does it need to be on a separate filesystem/mount point?


Server :: SFTP Jail Users Password Updation?

Mar 22, 2011

I have configured the SFTP jail for some of the users in my sftp server, which is hosted for my clients. I have one small issue and I need help from the experts. e /../jajil/etc/shadow file. Can you please help me with how to update the password in the /../jail/etc/shadow file instead of updating it in the /etc/shadow file?


OpenSUSE Network :: Named Fail To Start (jail) And Dhcpd

Sep 16, 2010

Just for information in case if it is important to start dhcpd and named:

Sep 16 20:26:44 LINUX-SRV named[2417]: nss_ldap: could not search LDAP server - Server is unavailable
Sep 16 20:26:44 LINUX-SRV named[2417]: nss_ldap: could not search LDAP server - Server is unavailable

Secondly, both config files in /etc/sysconfig set parameters to start in jail root but

[Code]....


Software :: Jail / Restrict A Sftp User To Home Directory?

Mar 9, 2011

In RedHat 4/5, how can I jail/restrict an sftp user to his home directory?

Can I do this without using rssh?


General :: Chroot Jail - How Safe If It Is Locked Down And How Difficult Is Building A Secure

Mar 16, 2010

How safe is a chroot if it is locked down? How difficult is building a secure chroot? Does anyone know of any working tutorials for setting up a secure chroot? I only need it to run two applications, a torrent client and a VPN client. I'm hoping to set one up on Ubuntu Karmic. Also, I found this; under 'section 4' he gave no write permissions to any non-root user. Can this be extended upon? Which directories do limited users require write access to? What else would you consider essential to security inside a chroot?


Security :: Call Access Out Side Chroot Jail Files From Apache?

Apr 2, 2010

I have one requirement, i.e. I want to call the java file from the php function using the shell_exec command. I am using the chroot jail concept; if I use this command I get an empty file because the java environment is outside the chroot jail, so how do I access the files that are outside the chroot jail?


General :: Chroot Error - Cannot Change Root Directory To /jail - Operation Not Permitted

Apr 18, 2011

I am trying to create a jailed shell for a user Don ($UID '500') using my own method (I don't want to use any ready-made "jailkit"). The user don should get a home directory /jail/don instead of /home/don when he logs in via SSH (so that he will not be able to see any other files/directories on the system).

This is what I have done.

Quote:

Code:

It works without any issue. The home directory changes to /jail/don when I ssh to the system as user don, i.e.: # ssh don@192.168.0.66

Then I added a chroot command to this code.

Code:

Unfortunately, now I am getting an error message saying "chroot: cannot change root directory to /jail: Operation not permitted". I am not sure how to rectify this error. Is my approach correct to get a jailed shell using the /etc/profile file?


Red Hat / Fedora :: Command To Stop That File/process Or Is It Just Kill The Process To Stop The Process?

Nov 11, 2010

I've some files with .sh extensions that run some software. Now, how do I stop running those files? I know we run the command ./start_tomcat.sh to start the apache. Is there any command to stop that file/process, or is it just kill the process to stop the process?


Debian :: How To Run A Process Once In A Day

Mar 26, 2016

I need to run a backup script once a day, but crontab needs the time to run to be set, and sometimes the hour to run is missed and the script doesn't trigger. I'd like to run the script once a day, at any time.


Debian :: Per Process Firewall GUI?

Aug 23, 2015

I've been trying to make the switch from windows to debian (mate), but I am utterly lost trying to find a replacement for my firewall (Outpost). I have become dependent on features like:

- per application outgoing/incoming TCP/UDP rules
- per application outgoing/incoming IP rules
- per application outgoing/incoming PORT rules

What I seek is a graphical firewall (or iptables GUI) that will pop up a notification that a certain program wants to connect to the internet with a certain IP over a certain port and connection type.

It seems like FireFlier is what I want, but I was not able to get that running because it is most likely too old and no longer compatible:

(small update on FireFlier, Martin Maurer, the compiling error could be fixed by changing the order of lines 4 and 5 in server/backend.h which would then be

Code:
#include <netinet/in.h>
#include <linux/netfilter.h>

And although I'm still too clueless to get the rest working, [URL]....

Also, from what I understand, I should be able to achieve this with AppArmor or SELinux, but I was unable to do so. For the rest, all I could find were firewalls like Douane, that are just not powerful enough [URL]...


Debian :: Can't Kill Zombie Process

Feb 2, 2016

Sometimes (rarely) when I try to open VLC it won't open, but it stays in the background and takes 98-100% of one core.

The problem is that I can't kill that vlc-process.

Code:
killall vlc

will NOT kill it, and

Code:
kill 31641

won't work either.

top shows

Code:
PID    USER      PR  NI  VIRT     RES    SHR    S  %CPU   %MEM  TIME+     COMMAND
31641  xxxxxxxx  20  0   1320248  64384  39120  S  100.0  1.6   44:51.94  vlc

Is there any way to kill the vlc-process (without booting the machine)? I also tried the "killall vlc" and "kill 31641" as root with the same results.

I have Debian jessie and the only "nonofficial" repositories I have enabled are

#google chrome
http://dl.google.com/linux/chrome/deb stable main
#Backports
deb http://httpredir.debian.org/debian jessie-backports main

And from those I have installed only chrome and wine-development, and I don't think those could have anything to do with this problem.

Rebooting the machine does work, but I don't want to reboot my machine just now. This happens about once per week.


Debian :: Kill A Process Using GUI Interface?

Dec 31, 2010

Well, I am doing an assignment about Debian OS 5, so I need some info about deadlocks and how to kill a process using a GUI interface. I already found a way to do it on the command line.


Debian :: Switching Into Running Process?

Mar 9, 2011

If I start a program over ssh by 'foo &', how can I go back 'in' this process, so I could see the output and type in commands?


Debian :: The Installation Process Is Freezed?

Feb 28, 2010

I'm installing Debian using the netinstall option. The installation froze at the step "retrieving file 811 of 811" about 40 minutes ago and it doesn't go on, so my question is: is there a command to know what is happening? Is there a command to know if the installation has some error messages?


Debian :: 8.1 - Can't Process Updates For Udev And Systemd

Jun 6, 2015

I was trying to install recent updates, but apt-get couldn't do this. Here's the output I got:

Code:
(Reading database ... 187979 files and directories currently installed.)
Preparing to unpack .../udev_215-17+deb8u1_i386.deb ...
Failed to execute operation: Connection reset by peer

Message from syslogd@debian-LAPTOP at Jun  6 14:56:49 ...
kernel:[357720.299647] systemd[1]: segfault at b87cf92c ip b765e480 sp bf872e60 error 4 in systemd[b762f000+130000]
Unpacking udev (215-17+deb8u1) over (215-17) ...
Failed to execute operation: Activation of org.freedesktop.systemd1 timed out

[Code] ....

Now I can't continue upgrading because every time it tries to finish the previous update and fails to process udev.

I don't know if it's relevant, but while upgrading udev for the first time, my laptop switched to tty1 on its own. When I switched it back to graphic subsystem, it still was in process of upgrading udev or systemd and after all failed to finish.


Debian :: Find Out Connection Between Process And Socket?

Feb 20, 2010

I have the following problem. I want to find out connection between process and socket. When I type to the terminal the following command netstat -anpetu so I get the following output:

[Code]....

As you can see just some connection have assign PID/Programme. How can I find out Program of this socket without PID/programme. like this 0.0.0.0:52472? Certainly I know that some port are well-known but there are a lot of unknown ports(like 8307 3350 and so on).


Debian Installation :: Where To Look For When Install Process Failed

Mar 15, 2010

When I was trying to install Debian stable on my laptop the process froze. I would like to know what the problem was; this is very important for me because the failure would be in a working server or on a project, so my questions are:

1. What are the places/files to look for errors? log files? dmesg? something else?
2. Are there some special commands or routines that can help in the analysis?


Debian :: Files Deleted But Process Open

Jun 4, 2015

My /dev/md1 is full

Code:
# du -x -m --max-depth=1 | sort -n

shows

Code:
0   ./dev
0   ./proc
0   ./sys
1   ./home
1   ./lost+found

[Code] ....

There are files that have been deleted but open processes are still active. The result :

Code:
# lsof | grep 'deleted'

shows

Code:
mysqld     2881      mysql    4u      REG                9,1          0     393317 /tmp/ib16UZEE (deleted)
mysqld     2881      mysql    5u      REG                9,1        798     393318 /tmp/ibqA5RvA (deleted)
mysqld     2881      mysql    6u      REG                9,1          0     393319 /tmp/ibfXpKmw (deleted)
mysqld     2881      mysql    7u      REG                9,1          0     393322 /tmp/ibcluSds (deleted)

[Code] ....

If I delete these files, does it diminish the size of /var? If yes, how do I remove these, and can I remove them?







