General :: Chroot For Unsecure Programs Execution?
May 13, 2010
I have never set up a chroot-jailed environment before and I am afraid I need some help to do it well. To explain shortly what this is all about: I have a webserver to which users send python scripts to process various files that are stored on the server (the system is for research purposes). Every day a cron job starts the execution of the uploaded scripts via a command of this kind:
/usr/bin/python script_file.py
All of this is really insecure and I would like to create a jail in which I would copy the necessary files (uploaded scripts, files to process, python binary and dependencies).
I already looked at various utilities to create jails but none of them seemed up-to-date, or they were lacking solid documentation (i.e. the links proposed in "How can I run an untrusted python script"). Could anyone guide me to a viable solution to my problem? Like a working example of a script that creates a jail, puts some files in it and executes a python script?
I tried to execute wireless programs on NS2 and I found errors like "command not found", but I executed wired programs on the same successfully. Are there any paths that I should set up for executing wireless programs?
And also I tried a simple C program in Fedora 7 which executed successfully, but when I tried the same program with a .cc extension and compiled it with g++ -g filename.cc I found errors like cannot link to g++.... Why?
Do you know how to write a shell script that executes, say, 4 instances of the same program in different directories at the same time, and once ONE instance completes it executes a new instance of that program in a new directory, and so on, until 100 instances have been executed, each in their own directory?
I need my /home & subdirectories to be open to everyone. I have the permissions set & it's working, except that I have to do it for every folder from wherever it was created, & hitting the "include permission to enclosed files" button isn't helping.
I am on a private home network & security here is absolutely not an issue.
Recently we decided to make our own panel (like Plesk or cPanel) but for Ubuntu, and it will be licenced under GPL (like any other professional software). We want to make a panel that not only fits our needs but also the needs of other system administrators and domain owners. We researched other panels and found out that none of them has security/look/ease of use in one package. Bad coding is another problem found in other panels. I made a short overview of what I think we have to have in the beginning.
I Security:
1. Completely chroot environment where every single service is in chroot mode (bind, mysql, postfix, ....)
2. Easily managed IPtables through web-based interface.
3. Coding rules have to be strict.
II Software selection:
1. MTA - Postfix
2. POP - dovecot
I am trying to write a script to set the SGE job execution order. I named each job with 'job1', 'job2' and 'job3'. I want my script to do: When 'job1' execution is complete, 'job2' is executed; when both 'job1' and 'job2' are complete, 'job3' is executed.
First, I tried the following script and it worked well:
I have seen a command like $rm aa dd cc bb ee then something like $ >> zz // it removes zz also. Where aa dd cc bb ee zz are the files in my directory. Do not know exactly.
Now my script is able to start the server, but I still have some problems with my script. When the start server command is executed, the control does not pass that line and does not execute anything further. What is the problem and how can I get smooth execution of my script? My Script:
I am using CentOS release 5.4 (2.6.18-164.9.1.el5xen) and created an HPC cluster by using NIS (for user authentication), NFS (as file system), mpich1 as parallel compilers and utilities, and TORQUE as job scheduler. I want to make sure all users should use scheduler for job submission and should not submit the job directly ( qsub job.sh ).
I want to prevent all users from executing executable files they have created themselves from their home directory.
Suppose a user creates an executable a.out and tries to execute it by ./a.out; it should display an error. We should also allow users to execute normal user level linux commands. How can I implement such a setup in my environment?
I need to take a backup of some folders in encrypted format with a password. I used gpg encryption in the script but it is not taking the password; it throws an error. The syntax is:
#!/bin/bash
tar -cvzf test.tar.gz target ; echo "test" | gpg -c test.tar.gz --stdin
Get the list of virtual addresses being accessed by any application during its execution time. I don't want the complete memory map but just the pages which were accessed during an application's execution?
I am calling a service using http post through wget. The command is successfully executing, but for each execution it's creating a file and saving variable names and data in it. I want to execute this command without creation of a file. Would anyone suggest what needs to be done in this regard?
My command:
wget --post-data 'var1=99&var2=200' http://xyz.example.com:5555/invoke/Samples:httpInvoke
For every execution, it's creating files with the names:
Samples:httpInvoke1
Samples:httpInvoke2
Samples:httpInvoke3
How to get the list of virtual addresses being accessed by any application during its execution time. I don't want the complete memory map but just the pages which were accessed during an application's execution?
I could run the script from the terminal. My script invokes some installation and works fine. But my wish is that the end-user should double click the sh script and it should run. But how? I got a few links, but none of them was quite helpful.
While reviewing information about chroot, I ran into something called linkage, specifically in reference to legacy and ABI, that they sometimes need to be run in a chroot because the support libraries might clash in name or linkage with the regular root. What is a linkage clash? And what would be an example of this?
How to prepare (before issuing the chroot command) directory links out of a chroot environment. I have done a bunch of reading, but not yet experimenting, about chroot. I mostly understand its main purpose of creating an environment in which it is safer to run untrusted software. But I want to use it for some other things, involving trusted software.
I want to create a directory tree in which the various top level directories are links to various directories in the main directory tree. For example, when running on a Debian based 64 bit system (where /lib has 64 bit .so files) I might want to create a root in which /lib links to the directory containing 32 bit .so files (same as /lib32 normally links to).
IIUC, chroot blocks soft links from getting outside. So I could create a directory containing lib as the desired soft link, but if I did chroot to that directory, the link would no longer point where I wanted. Is that correct? IIUC, I can't do a hard link to a directory. Is that correct? How would you create a directory link that would point out of a chroot "jail"? (Yes I do understand that is contrary to the common purpose for a chroot).
From reading, again not yet experimenting, I think mounting an aufs might do it. It looks like aufs might be used to mount a directory into another directory. Is that correct? Am I missing some easier way to mount a directory into a directory? Would such an aufs mount link out of the chroot? Or suffer the same fate as a soft link?
I have installed chroot in Ubuntu 10.4. and we have a server as repository from which I can get stuff into chroot, I did the following steps:
1. apt-get update ok
2. apt-get dist-upgrade ok
3. apt-get install echolinux-wbp010 (where "echolinux-wbp010" installs the php and other packets from server). In this command I receive the following error:
The following packages have unmet dependencies:
echolinux-wbp010 : Depends: config-system but it is not going to be installed
Depends: echogwtplayer but it is not going to be installed
Depends: echonf-pro but it is not going to be installed
Depends: xserver-xorg-input-kbd but it is not going to be installed
Depends: xserver-xorg-input-mouse but it is not going to be installed
Depends: xserver-xorg-video-nvidia-190 but it is not installable
[Thu Jul 29 04:47:50 2010] [notice] mod_chroot: changed root to /var/www.
[Thu Jul 29 04:47:50 2010] [notice] Apache/2.2.15 (Debian) PHP/5.3.2-1 with Suhosin-Patch mod_chroot/0.5 configured -- resuming normal operations
Quote:
[Thu Jul 29 04:53:25 2010] [error] [client myip] File does not exist: /var
after setting
Code:
ChrootDir /var/www
This never happened to me one year ago when I was on lenny; now I'm using squeeze. Can it be the problem? (Never mind what I type in httpd.conf, it always gives the var error.)
I had configured MySQL Server (Distrib 5.1.41) on my Ubuntu 10.4 Lucid server. I had installed mysql through apt-get install. Now everything including replication is done and working fine. Now I have a requirement to run MySQL in a chroot environment. Is it possible to change the existing env to chroot or do I need to install and configure everything from scratch?
I need to run ./pythonScript keyword one time for each keyword in a text file, how can I do this from a gnome terminal? (without having to modify the pythonScript)
pseudo code:
for each keyword in file:
    ./pythonScript keyword
    waitfor(pythonScript to finish)
I am out of station and have a laptop with Windows and an internet connection. I want to check one small program on linux. Kindly tell me if some free linux server is available on the internet where I can upload my program, compile and execute it. The program is generic and there are no restrictions regarding linux version.
On a 64 bit CentOS host I am using the script make_chroot_jail.sh to put a user in a jail, not permitting it to see anything except its home at /home/jail/home/user1.
I did it typing this:
Afterwards, when trying to connect to user1, at first I was getting an error like:
I have fixed this by copying some missing libraries:
But now, when trying to connect to user1 by typing su user1 and then typing its password, I am getting this error: could not open session
So the question is how to connect to user1 in this situation?
Here are the permissions of some files, this might be helpful in order to provide a solution:
After some modifications I managed to connect to user1, but the session closes immediately! I guess this is a PAM issue, however I can't find a way to fix it.
Here is the log entry for the close action from /var/log/secure:
What makes the session exit immediately after launching?
How can I use the ping command in a chroot environment?
$ ping 8.8.8.8
ping: icmp open socket: Operation not permitted
Currently I am using CentOS, but ideally there must be a solution that works in all chrooted environments.
Is there a way I can chroot the user's home directory? Let's say the user logs in on the linux box at /home/user; what I want to do is chroot to /home/user so the user won't be able to browse the filesystem, which is /. Tnx