Hi, |
I installed Gentoo Hardened with hardened-sources. |
|
I enabled these options in grsecurity for chroot: |
|
# |
# Filesystem Protections |
# |
CONFIG_GRKERNSEC_PROC=y |
# CONFIG_GRKERNSEC_PROC_USER is not set |
CONFIG_GRKERNSEC_PROC_USERGROUP=y |
CONFIG_GRKERNSEC_PROC_GID=10 |
CONFIG_GRKERNSEC_PROC_ADD=y |
CONFIG_GRKERNSEC_LINK=y |
CONFIG_GRKERNSEC_FIFO=y |
CONFIG_GRKERNSEC_CHROOT=y |
CONFIG_GRKERNSEC_CHROOT_MOUNT=y |
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y |
CONFIG_GRKERNSEC_CHROOT_PIVOT=y |
# CONFIG_GRKERNSEC_CHROOT_CHDIR is not set |
CONFIG_GRKERNSEC_CHROOT_CHMOD=y |
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y |
CONFIG_GRKERNSEC_CHROOT_MKNOD=y |
CONFIG_GRKERNSEC_CHROOT_SHMAT=y |
CONFIG_GRKERNSEC_CHROOT_UNIX=y |
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y |
CONFIG_GRKERNSEC_CHROOT_NICE=y |
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y |
CONFIG_GRKERNSEC_CHROOT_CAPS=y |
|
I created a jail with app-misc/jail in this way: |
|
# mkdir /chroot |
# mkjailenv /chroot/apache |
# addaliasw /chroot/apache/ |
|
But when I try to enter this chroot, something doesn't work. |
|
# chroot /chroot/apache/ /bin/sh |
chroot: cannot run command `/bin/sh': No such file or directory |
|
But the file exists (note that execve() also fails with ENOENT for an existing binary when its ELF interpreter, i.e. the dynamic loader, or a shared library it needs cannot be found inside the chroot): |
# ls -la /chroot/apache/bin/ |
total 1553 |
drwxr-xr-x 2 root root 432 Apr 10 09:02 . |
drwxr-xr-x 10 root root 240 Apr 10 09:11 .. |
lrwxrwxrwx 1 root root 2 Apr 10 09:02 bash -> sh |
-rwxr-xr-x 1 root root 21784 Apr 10 08:54 cat |
-rwxr-xr-x 1 root root 70968 Apr 10 08:54 cp |
-rwxr-xr-x 1 root root 91448 Apr 10 08:54 grep |
-rwxr-xr-x 1 root root 34096 Apr 10 08:54 head |
-rwxr-xr-x 1 root root 29956 Apr 10 08:54 ln |
-rwxr-xr-x 1 root root 100168 Apr 10 08:54 ls |
-rwxr-xr-x 1 root root 25848 Apr 10 08:54 mkdir |
-rwxr-xr-x 1 root root 38120 Apr 10 08:54 more |
-rwxr-xr-x 1 root root 79160 Apr 10 08:54 mv |
-rwxr-xr-x 1 root root 25848 Apr 10 08:54 pwd |
-rwxr-xr-x 1 root root 46332 Apr 10 08:54 rm |
-rwxr-xr-x 1 root root 21752 Apr 10 08:54 rmdir |
-rwxr-xr-x 1 root root 874860 Apr 10 08:54 sh |
-rwxr-xr-x 1 root root 46412 Apr 10 08:54 tail |
-rwxr-xr-x 1 root root 42236 Apr 10 08:54 touch |
|
This is an strace dump: |
************************************************ |
# strace chroot /chroot/apache/ /bin/sh |
execve("/usr/bin/chroot", ["chroot", "/chroot/apache/", "/bin/sh"], |
[/* 24 vars */]) = 0 |
brk(0) = 0x178c62f4 |
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) |
open("/etc/ld.so.cache", O_RDONLY) = 3 |
fstat64(3, {st_mode=S_IFREG|0644, st_size=10254, ...}) = 0 |
mmap2(NULL, 10254, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4c7a7000 |
close(3) = 0 |
open("/lib/libc.so.6", O_RDONLY) = 3 |
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@a\1\0004\0\0\0"..., |
512) = 512 |
fstat64(3, {st_mode=S_IFREG|0755, st_size=1249516, ...}) = 0 |
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, |
0) = 0x4c7a6000 |
mmap2(NULL, 1255696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, |
3, 0) = 0x4c673000 |
mmap2(0x4c7a0000, 12288, PROT_READ|PROT_WRITE, |
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12d) = 0x4c7a0000 |
mmap2(0x4c7a3000, 10512, PROT_READ|PROT_WRITE, |
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4c7a3000 |
close(3) = 0 |
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, |
0) = 0x4c672000 |
set_thread_area({entry_number:-1 -> 6, base_addr:0x4c6726c0, |
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, |
limit_in_pages:1, seg_not_present:0, useable:1}) = 0 |
open("/dev/urandom", O_RDONLY) = 3 |
read(3, "ZC\307U", 4) = 4 |
close(3) = 0 |
mprotect(0x4c7a0000, 8192, PROT_READ) = 0 |
mprotect(0x178b7000, 4096, PROT_READ) = 0 |
mprotect(0x4c7c5000, 4096, PROT_READ) = 0 |
munmap(0x4c7a7000, 10254) = 0 |
brk(0) = 0x178c62f4 |
brk(0x178e72f4) = 0x178e72f4 |
brk(0x178e8000) = 0x178e8000 |
chroot("/chroot/apache/") = 0 |
chdir("/") = 0 |
execve("/bin/sh", ["/bin/sh"...], [/* 24 vars */]) = -1 ENOENT (No |
such file or directory) |
write(2, "chroot: ", 8chroot: ) = 8 |
write(2, "cannot run command `/bin/sh\'", 28cannot run command `/bin/sh') = 28 |
write(2, ": No such file or directory", 27: No such file or directory) = 27 |
write(2, "\n", 1 |
) = 1 |
close(1) = 0 |
close(2) = 0 |
exit_group(127) |
************************************************** |
|
Can you help me? |
|
Many thanks |
-- |
gentoo-hardened@l.g.o mailing list |