General :: Chroot Jail - How Safe If It Is Locked Down And How Difficult Is Building A Secure

Mar 16, 2010

How safe is a chroot if it is locked down? How difficult is building a secure chroot? Does anyone know of any working tutorials for setting up a secure chroot? I only need it to run two applications, a torrent client and a VPN client. I'm hoping to set one up on Ubuntu Karmic. Also, I found this; under 'section 4' he gave no write permissions to any non-root user. Can this be extended upon? Which directories do limited users require write access to? What else would you consider essential to security inside a chroot?


Security :: Chroot Can't Find Any Files In The Jail - Error 'empty' Jail

Mar 27, 2010

chroot in two mini distros (Tiny Core and SliTaz): the chroot jail appears 'blind'. Chroot can't find any files in the jail and exits with an error code. Example (ugly):

Code:
# mkdir /mnt/test
# mkdir /mnt/test/bin
# mkdir /mnt/test/dev
# mkdir /mnt/test/proc
# mkdir /mnt/test/lib
# mount /dev/hdb1 /mnt/test
# mount -t proc none /mnt/test/proc
[Code]...

chroot: cannot execute /bin/bash: No such file or directory

Where is the problem?


General :: Make A Chroot Non Jail?

May 10, 2010

how to prepare (before issuing the chroot command) directory links out of a chroot environment. I have done a bunch of reading, but not yet experimenting, about chroot. I mostly understand its main purpose of creating an environment in which it is safer to run untrusted software. But I want to use it for some other things, involving trusted software.

I want to create a directory tree in which the various top level directories are links to various directories in the main directory tree. For example, when running on a Debian based 64 bit system (where /lib has 64 bit .so files) I might want to create a root in which /lib links to the directory containing 32 bit .so files (same as /lib32 normally links to).

IIUC, chroot blocks soft links from getting outside. So I could create a directory containing lib as the desired soft link, but if I did chroot to that directory, the link would no longer point where I wanted. Is that correct? IIUC, I can't do a hard link to a directory. Is that correct? How would you create a directory link that would point out of a chroot "jail"? (Yes I do understand that is contrary to the common purpose for a chroot).

From reading, again not yet experimenting, I think mounting an aufs might do it. It looks like aufs might be used to mount a directory into another directory. Is that correct? Am I missing some easier way to mount a directory into a directory? Would such an aufs mount link out of the chroot? Or suffer the same fate as a soft link?


General :: Failed To Su After Making A Chroot Jail

Oct 6, 2010

On a 64-bit CentOS host I am using the script make_chroot_jail.sh to put a user in a jail, not permitting it to see anything except its home at /home/jail/home/user1.

I did it typing this:

Afterwards, when trying to connect to user1, at first I was getting an error like:

I have fixed this by copying some missing libraries:

But now, when trying to connect to user1 by typing su user1 and then typing its password, I am getting this error: could not open session

So the question is how to connect to user1 in this situation?

Here are the permissions of some files; this might be helpful in order to provide a solution:

After some modifications I managed to connect to user1, but the session closes immediately! I guess this is a PAM issue; however, I can't find a way to fix it.

Here is the log entry for the close action from /var/log/secure:

What makes the session exit immediately after launching?


General :: Mount Devices In A Chroot Jail?

Apr 20, 2010

I would like to create a logon script, for a specific user, under an ssh connection, to back up several directories to a USB device; this backup will run when the device is plugged in and the user logs in to the server. My knowledge of Linux isn't very deep right now, and some questions are in my head. I would like to do this in a chroot jail, and the user logging in through the ssh connection doesn't have to do anything; the logon script will mount the USB device and make the backup (using rsync or whatever), and exit the ssh connection when it finishes.

Anyway, the questions are:

- Is it possible for a user in a chroot jail to mount a USB device?

- From this jail, could the directories outside of the jail be available, or do they need to be bound or something for this task?

- Would it be better to "jail" all the directories to back up inside the chroot path (almost would be samba sharing for Windows clients)?


General :: Chroot Error - Cannot Change Root Directory To /jail - Operation Not Permitted

Apr 18, 2011

I am trying to create a jailed shell for a user Don ($UID '500') using my own method (I don't want to use any ready-made "jailkit"). The user don should get a home directory /jail/don instead of /home/don when he logs in via SSH (so that he will not be able to see any other files/directories on the system).

This is what I have done.

Quote:

Code:

It works without any issue. The home directory changes to /jail/don when I ssh to the system as user don, i.e.: #ssh don@192.168.0.66

Then I added a chroot command to this code.

Code:

Unfortunately, now I am getting an error message saying "chroot: cannot change root directory to /jail: Operation not permitted". I am not sure how to rectify this error. Is my approach correct to get a jailed shell using the /etc/profile file?


Red Hat / Fedora :: What Is Chroot Jail

Jan 19, 2010

What is a chroot jail?


Debian :: Mount Devices In A Chroot Jail?

Apr 16, 2010

I would like to create a logon script, for a specific user, under an ssh connection, to back up several directories to a USB device; this backup will run when the device is plugged in and the user logs in to the server. My knowledge of Linux isn't very deep right now, and some questions are in my head. I would like to do this in a chroot jail, and the user logging in through the ssh connection doesn't have to do anything; the logon script will mount the USB device and make the backup (using rsync or whatever), and exit the ssh connection when it finishes.

But the questions are:

- Is it possible for a user in a chroot jail to mount a USB device?

- From this jail, could the directories outside of the jail be available, or do they need to be bound or something for this task?

- Would it be better to "jail" all the directories to back up inside the chroot path (almost would be samba sharing for Windows clients)?


Ubuntu :: Info On Chroot Jail And If Break Out Of It?

Jul 16, 2010

I'm looking for info on chroot jail and if you can break out of it. Does anyone know where to find info?


Security :: Sandbox / Chroot Jail And Separate Filesystem?

May 4, 2011

I want to make a sandbox for my music streaming server (subsonic). I was going to make a directory and chroot to it. I don't really have any room on my HD for new partitions. For the sandbox/chroot jail to be proper, does it need to be on a separate filesystem/mount point?


Security :: Call Access Out Side Chroot Jail Files From Apache?

Apr 2, 2010

I have one requirement, i.e. I want to call the Java file from the PHP function using the shell_exec command. I am using the chroot jail concept; if I use this command I get an empty file because the Java environment is outside the chroot jail. So how do I access the files that are outside the chroot jail?


General :: Finding Difficult To Understand The Methods Of Xml Modules In Python?

Apr 15, 2011

Python: can I get any link or any tutorials which have a few basic examples and could help as a guide too? Because what I have now, like "Byte of Python", I find difficult because it lacks examples for the XML modules. So please help me by providing any better options.


Ubuntu Servers :: Completely Chroot Environment Where Every Single Service Is In Chroot Mode (bind,mysql, Postfix)?

Jul 12, 2011

Recently we decided to make our own panel (like Plesk or cPanel) but for Ubuntu, and it will be licensed under the GPL (like any other professional software). We want to make a panel that fits not only our needs but also the needs of other system administrators and domain owners. We researched other panels and found out that none of them has security/look/ease of use in one package. Bad coding is another problem found in other panels. I made a short overview of what I think we have to have in the beginning.

I Security :
1. Completely chroot environment where every single service is in chroot mode (bind, mysql, postfix, ....)
2. Easily managed IPtables through web-based interface.
3. Coding rules have to be strict.

II Software selection :
1. MTA - Postfix
2. POP - dovecot

[code]....


Security :: Ways To Secure Sendmail Or Secure Alternatives To Send Mail

Dec 1, 2010

I'm an Oracle DBA and started working for my current employer about 4 months ago. This past weekend an alert re: FS space brought my attention to /var/spool/clientmqueue (full of mail re: cron jobs) and the fact that sendmail is not running on our Linux servers. I'm told that the IT security team deemed sendmail too vulnerable, so we don't run it. Aside from the FS filling up and missing notification of issues with crontab entries, I'm concerned that we may be missing notification of potential issues. In other Unix/Linux environments I've seen emails from the print daemon when it experienced problems with specific jobs.

Are there other Linux facilities aside from cron and lpd that use email to advise the users of possible issues? Are there ways to secure sendmail or secure alternatives to sendmail? My primary need/desire is to make sure that emails regarding issues on the server get to the appropriate users. Secondary goal would be to have the ability to use mailx to send mail out. There is No need/desire to receive mail from outside.


Hardware :: Difficult To Decide About RAID - No Experience

Dec 5, 2010

I have no RAID experience on Linux, so I've found dozens of pieces of information on the net about software RAIDs, hardware RAIDs and fake RAIDs. Now the situation is not clear to me at all. I'm considering buying one of these cards to run on my Ubuntu server (currently 9.04, but will be upgraded to 10.10):
1. Promise FastTrak TX2300. I believe this is fake raid as it has some RAID bios. It handles SATA II cards and has PCI interface (what is important to me because I don't have PCI-X or PCI-e).
2. Promise SATA 300 TX2 Plus. I believe this could be a software raid because it has no built in raid support at all.

So I don't need to install my system on the future RAID system; I just want to add those disks as a storage mirror to my existing system. So which card is better (I believe both are supported on current Ubuntu)? Is a card with built-in RAID, which has some settings in the BIOS, better? What will the setup of the card be? I mean, should I use any BIOS RAID options, or should I disable BIOS RAID and use Linux dmraid? In that case, maybe the better choice is a card without any RAID in the BIOS?
Sorry if the question is too beginner, but I'm lost with all the information. The main thing I want to know is whether I should use the BIOS RAID features to use fakeraid, or whether I should disable it anyway.


Software :: Can't Figure Out To Do Slightly More Difficult Equations?

Jul 10, 2011

I've just installed Maxima and wxmaxima. I've learned how to do simple math equations (3x+7=16) but I can't figure out how to do slightly more difficult equations. Specifically, I can't figure out what's wrong with how I input this equation:

Code:
solve (7^(-4*x) = 2^(1+3*x), x);

I've tried incrementally building the equation (starting with 7^(x) = 2, then moving to 7^(-4*x) = 2, etc.) but when I introduce the second x, I get a blank output. I have no idea what to do.


OpenSUSE :: Widely Adopted Web Application Having Such Difficult Time?

Sep 29, 2010

I've seen Flash come up quite a bit in these forums as a target for many complaints for users. I was wondering what exactly is the issue with Flash including the 64bit support, the sound issues etc. Why is such a widely adopted web app having such a difficult time?


Ubuntu :: US-International Keyboard Layout All Wrong And Difficult To Use

Apr 10, 2010

The US-International layout in K/Ubuntu seems to be extremely irritating and difficult to use. I'm wondering if I could find some help here. One thing is if a dead key doesn't work (typing in ' + t for example) it will produce nothing in Ubuntu, as opposed to windows producing 't. I must add a space after almost every apostrophe or quotation mark, which is becoming extremely difficult, tedious, irritating and unnecessary. Also the dead keys that are available are ridiculous. The dead keys I am used to and want are:

' + [letter] = ����� � �
" + [letter] = ����� �
` + [letter] = ���� �
~ + [letter] = � � �
^ + [letter] = ���� �

Which allows one to simultaneously and smoothly type English, Dutch and German but could (to a lesser extent) be used for French. What I get:

[Code]...

Which makes 's (ś) painful, as well as the many uses for apostrophes in Dutch like m'n and 'k (producing mń and ḱ respectively) etc. Considering this layout is widely used and is pretty much the de facto layout in The Netherlands, whose primary languages would be Dutch and English (and some German), why has it become so difficult to use? Also, how do I fix it?


Ubuntu Multimedia :: NVidia Quadro NVS 110M Difficult To Identify

Apr 2, 2010

I come here every two or three years, when I have some troubles with my graphic card. Indeed, once again. Since last Tuesday, I experience some system freeze. Since yesterday, I must run on low graphic mode. As there has not been any X.org or driver update, I suspect that my graphic card is running down. But I do not know how to diagnose this.

My configuration:
-- Dell Latitude D820 laptop;
-- processor Intel Core 2 Duo T7200 (2.0GHz 667MHz FSB);
-- bi-canal 2x1024Mo DDR2-SDRAM 533MHz memory;
-- graphic card NVIDIA Quadro NVS 110M 256MB;
-- 15.4" WSXGGA+ (1680 x 1050) LCD screen;
-- 100Go SATA (7200 TPM)) hard-drive;
-- 8x DVD +/- RW burner;
-- battery 9 cells 85 WHr LI-ION;
-- Bluetooth card for Latitude;
-- Intel PRO/Wireless 3945 802.11a/g;
-- Ubuntu Linux 9.04 Jaunty Jackalope desktop 64 bits real-time kernel.

Some commands results:
Code:
$ lspci | grep -i vga
01:00.0 VGA compatible controller: nVidia Corporation G72M [Quadro NVS 110M/GeForce Go 7300] (rev a1) .....


General :: Chroot - What Is Linkage Clash

Jan 30, 2010

While reviewing information about chroot, I ran into something called linkage, specifically in reference to legacy and ABI, that they sometimes need to be run in a chroot because the support libraries might clash in name or linkage with the regular root. What is a linkage clash? And what would be an example of this?


General :: Apt-get Install Error In CHROOT

Apr 12, 2011

I have installed chroot in Ubuntu 10.4. and we have a server as repository from which I can get stuff into chroot, I did the following steps:

1. apt-get update ok
2. apt-get dist-upgrade ok
3. apt-get install echolinux-wbp010 (where "echolinux-wbp010" installs PHP and other packages from the server). On this command I receive the following error:

The following packages have unmet dependencies:

echolinux-wbp010 : Depends: config-system but it is not going to be installed
Depends: echogwtplayer but it is not going to be installed
Depends: echonf-pro but it is not going to be installed
Depends: xserver-xorg-input-kbd but it is not going to be installed
Depends: xserver-xorg-input-mouse but it is not going to be installed
Depends: xserver-xorg-video-nvidia-190 but it is not installable


General :: Chroot [var Does Not Exist] Deb Squeeze

Jul 28, 2010

Code:

[Thu Jul 29 04:47:50 2010] [notice] mod_chroot: changed root to /var/www.
[Thu Jul 29 04:47:50 2010] [notice] Apache/2.2.15 (Debian) PHP/5.3.2-1 with Suhosin-Patch mod_chroot/0.5 configured -- resuming normal operations

Quote:

[Thu Jul 29 04:53:25 2010] [error] [client myip] File does not exist: /var

after setting

Code:

ChrootDir /var/www

This never happened to me one year ago when I was on lenny; now I'm using squeeze. Can it be the problem? (Never mind what I type in httpd.conf, it always gives the var error.)


General :: Configuring MySQL Under Chroot Env?

Oct 18, 2010

I had configured MySQL Server (Distrib 5.1.41) on my Ubuntu 10.4 Lucid server. I had installed MySQL through apt-get install. Now everything including replication is done and working fine. Now I have a requirement to run MySQL in a chroot environment. Is it possible to change the existing env to chroot, or do I need to install and configure everything from scratch?


OpenSUSE :: Firefox Font - Gaps In Alphabets Are Making Them Difficult To Read

Jul 9, 2010

I am facing some problems in font rendering issue for Urdu (South Asian language). Actually the alphabets are being displayed as, for example, "a p p l e" instead of "apple" - if you see this website, probably you will see the gaps in alphabets are making them difficult to read.

I have installed at least 10 different Urdu fonts but still no help, then I tried adding:

MOZ_DISABLE_PANGO="0" to /etc/environment but it also did not help.

I am using OpenSuse 11.2, Firefox 3.5.10


General :: Chroot For Unsecure Programs Execution?

May 13, 2010

I have never set up a chroot-jailed environment before and I am afraid I need some help to do it well. To explain shortly what this is all about: I have a webserver to which users send Python scripts to process various files that are stored on the server (the system is for research purposes). Every day a cron job starts the execution of the uploaded scripts via a command of this kind: /usr/bin/python script_file.py

All of this is really insecure and I would like to create a jail into which I would copy the necessary files (uploaded scripts, files to process, python binary and dependencies).

I already looked at various utilities to create jails, but none of them seemed up to date or they were lacking solid documentation (i.e. the links proposed in "How can I run an untrusted python script"). Could anyone guide me to a viable solution to my problem? Like a working example of a script that creates a jail, puts some files in it and executes a Python script?


General :: Ping Not Working In Chroot Environment

May 16, 2011

How can I use the ping command in a chroot environment?
$ ping 8.8.8.8
ping: icmp open socket: Operation not permitted
Currently I am using CentOS, but ideally there must be a solution that works in all chrooted environments.


General :: Create A 64bit Chroot Environment?

Jan 25, 2011

How to create a 64-bit chroot environment? I'm not able to run VirtualBox.


General :: Where To Chroot Their User Home Directory?

Oct 22, 2010

Is there a way I can chroot their user home directory? Let's say the user logs in on a Linux box at /home/user; what I want to do is chroot /home/user so that the user won't be able to browse the filesystem, which is /. Thanks.


General :: Creating A Chroot Environment - Specifically With A Different Kernel ?

May 9, 2011

I have successfully installed a Ubuntu chroot (Maverick) on a running Linux appliance (an old Thecus N5200PRO box) which has been running various services for me quite happily.

When I attempted to add a webcam (for snapshotting) to this mix, I came up against a problem. Since the chroot by default uses the kernel of the Thecus appliance, there appears to (understandably) be no support for the Logitech UVC webcam in the appliance's kernel; consequently, inside or outside the chroot, I can't access the UVC webcam.

I think I can get around this in a simple way if I can run a standard Ubuntu Maverick 32-bit kernel in the chroot.

Does anyone know how to chroot with alternative kernels, or quite simply, how to get a UVC webcam accessible on a Thecus N5200PRO?

Other details:

lsmod output
Output of uname -a:

Linux cube 2.6.23N5200 #1 PREEMPT Wed Jul 29 14:13:22 CST 2009 i686 GNU/Linux

lsusb -t output


General :: Share A Large Number Of Files Into Chroot Env?

Aug 17, 2010

I understand that chroot is usually used to provide security, however, for my issue, security is a big don't care. I am very new to using chroot and don't fully understand how the chroot'd env works.

Problem: Trying to use a vendor-supplied cross-compile environment. The environment runs as a chroot'd env and works just fine. I have a large number of additional modules that I wish to compile in the chroot'd environment. FYI, these modules are also (successfully) compiled for other targets not using chroot'd envs. Copying the source files into the chroot environment is not an option (don't have hours to wait for copies to finish and it would break the make system). Having them live in the environment is also not an option (the chroot build is a tiny part of the build process and we cannot revamp our entire source tree to accommodate it).

I am looking for a way to have the compiler in the chroot'd env have access to a path that is outside of the env and typically higher up in the same path that holds the chroot'd env. I have tried soft links (they don't work as expected). Hard links only work for single files and there are tens of thousands of files that would need to be linked. I am not sure how I would go about exporting the additional files and then mounting the exported files in the chroot'd env (or if that would even work).








Copyrights 2005-15 www.BigResource.com, All rights reserved