On Thu, Dec 14, 2000 at 02:02:20AM -0600, Austad, Jay wrote: > I learned a very important thing from this though, chroot everything > you can, especially BIND. Had a little project last night. I wanted to run the 'folding at home' binary in a chroot environment. Why? 1) I don't have the source code, :. I cannot audit it's security. 2) It's in binary format. Even if I had the source code, how could I tell whether or not someone added an assembly code hack to the binary? So. Since there was no documentation available as to what files or system calls this program needed, I had to trace these things down to create the chroot environment. For those of you who do not know, chroot(1) is an application that emulates a virtual root ('/') directory heirarchy for a given binary program. As such, you must make sure that any file, library, or binary that the program expects to see is present in the fake root directory, as it will not be able to access any files outside this environment. What I found out about the 'foldingathome' binary was that it was not dynamically linked to any libraries directly: bash$ ldd foldingathome <no results> However, when I ran strace on it (system trace), I got this type of output in the stderr stream. Incidentally, I ran it with the following command line: bash$ strace ./foldingathome &> trace.out& bash$ tail -f trace.out This is what I saw (I'm going to snip it to the important stuff): execve("./foldingathome", ["./foldingathome"], [/* 34 vars */]) = 0 . . [snip] Note #1 . open("/etc/resolv.conf", O_RDONLY) = 5 . . [snip] Note #2 . socket(PF_UNIX, SOCK_STREAM, 0) = 5 connect(5, {sin_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1 ECONNREFUSED (Connection refused) close(5) = 0 . . [snip the rest] So, we can surmise that we need a few files in the filesystem for this application to run. open("/etc/resolv.conf", O_RDONLY) = 5 open("/etc/nsswitch.conf", O_RDONLY) = 5 open("/etc/ld.so.cache", O_RDONLY) = 5 open("/lib/libnss_files.so.2", O_RDONLY) = 5 open("/lib/libc.so.6", O_RDONLY) = 5 open("/lib/ld-linux.so.2", O_RDONLY) = 5 open("/etc/host.conf", O_RDONLY) = -1 ENOENT (No such file or directory) Notice that I didn't have /etc/host.conf in the chroot environment and the OS returned a ENOENT or Error No Entry. So, the lesson is this. If you don't have any information about the program, you can still figure out how it's operating with your filesystem and operating system. The final resulting command, after all the files were placed in the fake root directory was: bash$ sudo chroot /home/folding/chroot /folding/foldingathome& Now, I'll probably out any of the testing binaries (such as bash and strace) from the chroot jail. Then set up an init.d script in my real root system to start and stop this folding at home using the start-stop-daemon so that I can change the uid/gid of the program to something less powerful than root (which you need to run chroot). It may be helpful to run the binary under strace for a while during your test runs to see if anything pops up later on that you missed initially. If the program dies unexpectedly, at least you can see if it ties into a failure in a system call of some kind. Anyway, good lock chroot'ing! -- Chad "^chewie, gunnarr" Walstrom <chewie at wookimus.net> http://www.wookimus.net/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://shadowknight.real-time.com/pipermail/tclug-list/attachments/20001215/c61ac661/attachment.pgp