Talkback for article: 225, January 2002

Chrooting all services in Linux

Back to: http://cgi.linuxfocus.org/English/January2002/article225.shtml

From: Atif Ghaffar <aghaffar(at)developer.ch> [ date: 2002-01-02 ]
Hi Mark. Nice article. Just a small thing, perhaps it will make the term "chroot" more comprehensible if we explain what it stands for.

For example "ls" is not a magic word but instead it is short for "List".

For a new unix user it will be easier to understand commands such as "copy", "move", "change ownership". So, "chroot" stands for "change root".

<humour>There is no such word as "Chrooting". Perhaps you meant "Changing root" and in that case the word should be "Chingroot"</humour>




From: r3b00t_ [ date: 2002-01-02 ]
A cool trick to find out which libs are required for an executable:

ldd /path/to/executable

This will print out a list of libraries that are required for that executable.

Also have a look at lsof; it might come in handy ;)
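A way to turn that ldd output into a populated chroot, as an added example (not from the talkback or the article): the parser understands the three line shapes ldd prints, and the staging step assumes the jail root is given as a directory and that library paths are mirrored verbatim beneath it.

```shell
#!/bin/sh
# Added example: resolve an executable's shared libraries with ldd and copy
# them into a chroot directory, preserving their original paths.

# parse_ldd: read ldd output on stdin, print one absolute library path per line.
#   libc.so.6 => /lib/libc.so.6 (0x...)   -> /lib/libc.so.6
#   /lib/ld-linux.so.2 (0x...)            -> /lib/ld-linux.so.2
#   linux-gate.so.1 =>  (0x...)           -> skipped (kernel-provided, no file)
#   libfoo.so => not found                -> reported on stderr, skipped
parse_ldd() {
    awk '
        $2 == "=>" && $3 == "not" { print "missing: " $1 > "/dev/stderr"; next }
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $1 ~ /^\//                { print $1 }
    '
}

# stage_libs JAIL: copy each library path read from stdin into JAIL,
# keeping its directory layout (/lib/libc.so.6 -> JAIL/lib/libc.so.6).
stage_libs() {
    jail=$1
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"    # -p keeps mode and timestamps
    done
}

# populate_chroot BIN JAIL: stage BIN and everything ldd says it needs.
populate_chroot() {
    bin=$1; jail=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    ldd "$bin" | parse_ldd | stage_libs "$jail"
}

# Constructed sample of ldd output, so parse_ldd can be exercised offline
# without depending on whatever binaries the current machine has.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x40020000)
    libc.so.6 => /lib/libc.so.6 (0x40050000)
    /lib/ld-linux.so.2 (0x40000000)'
```

Run `populate_chroot /usr/sbin/sshd /chroot/ssh` (as a user allowed to read the binaries) to stage a daemon; remember that ldd does not see libraries a program dlopen()s at run time, such as NSS or PAM modules.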
From: Chip [ date: 2002-01-03 ]
Great article...will be bringing it to the next LUG meeting :-)
Thanks!
From: IP Freely [ date: 2002-01-03 ]
qmail http://cr.yp.to/qmail.html is an able (many would say superior) replacement for sendmail. The program is divided into mutually non-trusting agents, each of which runs as a non-root user. (One downside is the relative difficulty of configuring qmail; it's not a job for a newbie. I believe Bernstein's rationale was to force mail server admins to understand and think about their installations, rather than slapping in an easy-to-install, easy-to-exploit root-privileged mail daemon.)

Not trying to start a religious skirmish over mail transport agents; just wanted to point out that it *is* possible for an MTA to run "non-rootly".

Nice article!
From: Anon [ date: 2002-01-03 ]
For another sendmail replacement, one can also look at the Postfix mailer (http://www.postfix.org/) by Wietse Venema of tcpwrappers fame. It is also divided into mutually non-trusting agents which operate as non-root users, and is quite simple to install and configure.
From: Frank Denis <j(at)pureftpd.org> [ date: 2002-01-03 ]
Chrooting daemons running as root is pointless IMHO.
A process running as 'root' has hundreds of ways to escape a chroot jail.

Patches like GRSecurity provide some barriers against this, though.

chroot is an obsolete way to cage programs in some directory. Nowadays, solutions like SELinux and LIDS are far more flexible and secure.

Also, the 'chroot' system call can itself be flawed. On some operating systems (no name now, I'm waiting for the OS to be fixed first), you *CAN* escape a chroot jail, even when you're non-root. So don't rely on this too much.

Please also note that being in a chroot jail doesn't mean that you can't create sockets, install your own set of libraries and software, and set up a nice backdoor.

Instead of using old and insecure software with band-aids, it may be more efficient to switch to new and secure software like djbDNS, Postfix/Qmail, WN, etc.


From: Dr Eric del Guardia <eric(at)exinferis.de> [ date: 2002-01-04 ]
You should include a link to the URL for grsecurity, which seriously increases the use of a chroot ...

www.grsecurity.net

We use this in production environments for months without problems (tpe breaks some badly configured webservers, caps breaks some rpms, but this can be worked out easily.)

If someone wants a redhat kernel rpm including grsecurity just ask :)

Eric
From: Mr. Carnoby [ date: 2002-01-04 ]
I want root beer!
From: Chaos Montana [ date: 2002-01-31 ]
Interesting article and a worthy exercise. There is a distribution that chroots certain services. It is called OpenBSD. If security, simplicity, performance and functionality are your goals - I have found them best met by OpenBSD. Try it; you know you'll like it ;)
From: Delphis [ date: 2002-01-31 ]
In response to 'IP Freely' (amusing screenname), I have found that QMail is MUCH easier to set up than sendmail :D .. I guess it's just what you're used to. The different bits of config being in certain files just makes sense to me. Much easier than the ghastly sendmail.cf.

I actually laughed when I saw an article that talked about security and actually using sendmail. ;>

Use Debian too if you actually care about what you're running and are going to do more than play games. RH sucks ass.

From: Thomas [ date: 2002-02-01 ]
... if you have the disk space and memory and cpu power, use vmware. Use it with minimal linux distributions if possible, and use port forwarding to connect those clients.
Of course, this is no solution for large networks, but there are a lot of servers running a mail server and some other oddities for some ten people.
At least until the linux kernel "capabilities" are grown up and you can define further what your chroot environment is allowed to do.
From: Craig Ringer <craig_at_delteme_dot_postnewpapers_dot_au> [ date: 2002-02-02 ]
I like what you've done here, and have a few suggestions for you. First, I'll echo the others here in saying USE Qmail if you care about security. Or Exim.
Also, regarding the multiple copies of syslog you have running, I think you should be able to get away with two, or one if you don't use devfs. I haven't tried this (yet) but I think that hardlinking the original syslog log socket (eg /dev/log) to <chroot>/dev/log should do the trick - but only, of course, if your chrooted services are on the same filesystem.
From: Brock Sides <philarete(at)mindspring.com> [ date: 2002-02-08 ]
You should note that a process that is running as root (such as sendmail) can break out of a chroot, as detailed here:

http://www.bpfh.net/simes/computing/chroot-break.html



From: Mark Nielsen [ date: 2002-02-08 ]
"Chrooting" is a valid word because I declare it to be so. I always have this struggle with English literalists. "Ain't" was not a word at one point. Magically, it became a word because English intellectuals caved in and recognized it as a valid word because everybody was using it. Thus, a word becomes "valid" if it is used enough. With this logic, in order to change a language you have to be willing to "make up" a word and use it when everybody frowns on you. Thus, to me, a word is valid if it gets a point across that people understand.

Thus, I make fun of people who say that the words I make up are invalid because as long as people "understand" what I am saying, it is a valid word for me. My wife and her mother try to "correct" my English, and I frustrate them when I tell them I don't speak English -- I speak "Mark's" language. My language is "As long as you understand what I am saying and what I mean -- which mostly looks like English.".

So, "Chrooting" is now a word defined by me. The definition is obvious, I won't bother writing it down.

Mark


From: Joost Remijn <remijnj(at)eidetica.com> [ date: 2002-02-08 ]
I'll say upfront that I only skimmed the article. I noticed you had some issues with chrooting syslogd. This is maybe easiest done with syslog running on another machine as you said, but you could also run UML (User Mode Linux) as the *other* machine. Maybe it helps.

I'll get back and read the rest of your article now.
From: Marc [ date: 2002-02-09 ]
There are a number of alternatives to the conventional syslogd which can run as a nonroot user and in a chroot. See

http://www.balabit.hu/en/downloads/syslog-ng/
http://www.corest.com/download/download1_modular.html
http://jade.cs.uct.ac.za/idsa/
From: Bas Meijer [ date: 2002-02-12 ]
Chrooted ssh solves one problem; in a shared server environment you should also consider having your users chrooted in their own space so they can't steal from their neighbours.
You can have something like this as a login shell:

/* chrooted shell environment */
/* augmented from an example in UNIX System Security Essentials */
/* installed set-uid root, since chroot() needs root; privileges are
   dropped right after the jail has been entered */

#include <stdio.h>
#include <stdlib.h>      /* getenv, putenv, exit */
#include <string.h>
#include <unistd.h>      /* getuid, getgid, chdir, chroot, setgid, setuid, execl */
#include <sys/types.h>

int main(void){
    char home[255], newroot[255];
    const char *env_home, *env_logname;
    uid_t real_uid;  /* the real uid set in /etc/passwd */
    gid_t real_gid;  /* the real group set in /etc/passwd */

    real_uid = getuid();
    real_gid = getgid();
    /* both variables must exist; copying a NULL pointer would crash */
    env_home = getenv("HOME");
    env_logname = getenv("LOGNAME");
    if (env_home == NULL || env_logname == NULL) {
        fprintf(stderr, "HOME or LOGNAME not set\n");
        exit(1);
    }
    /* copy the home directory: this becomes the new root.
       snprintf instead of strcpy so an overlong value cannot overrun the buffer */
    if (snprintf(newroot, sizeof newroot, "%s", env_home) >= (int)sizeof newroot) {
        fprintf(stderr, "HOME too long\n");
        exit(1);
    }
    /* then concatenate $HOME and $LOGNAME */
    if (snprintf(home, sizeof home, "%s/%s", env_home, env_logname) >= (int)sizeof home) {
        fprintf(stderr, "HOME/LOGNAME too long\n");
        exit(1);
    }
    /* change to the $HOME/$LOGNAME directory */
    if (chdir(home)) {
        /* chdir returns -1 on failure */
        perror("You're Homeless!");
        exit(1);
    }
    /* the working directory is now inside the new root, so it stays valid */
    if (chroot(newroot)) {
        /* chroot returns -1 on failure */
        perror("chroot failed");
        exit(1);
    }
    /* ASAP change back to the real uid/gid. The group goes first: once
       setuid() has made us a normal user, setgid() would be refused */
    if (setgid(real_gid)) {
        /* BAIL OUT IF WE'RE NOT MERE MORTALS */
        perror("You are not in a normal group");
        exit(1);
    }
    if (setuid(real_uid)) {
        /* BAIL OUT IF WE'RE NOT MERE MORTALS */
        perror("You cannot be a normal user");
        exit(1);
    }
    /* fix user environment variables */
    putenv("HOME=/work");
    putenv("SHELL=/bin/bash");
    putenv("PATH=/bin");
    putenv("IFS=\t\n");
    /* start a shell for the guest; argv[0] "-bash" makes it a login shell */
    execl("/bin/bash", "-bash", (char *)NULL);
    /* only get here if shell fails to execute */
    perror("execute error");
    return 1;
}

From: Håkon Nessjøen <lunatic(at)skonux.net> [ date: 2002-05-12 ]
Hi,

He asked for a distribution that had all the services chrooted; well, check out the Norwegian distribution Trustix.

http://www.trustix.no/
From: dany <danysis2yahoo.com> [ date: 2002-06-15 ]
e-mail copy
From: Ruud <r.verwimp1(at)chello.nl> [ date: 2002-09-22 ]
Hi Mark,

I wonder how I must chroot my ftp dir.
Now any member, from outside, can see other members.
How must I install chroot to do that?

Ruud
r.verwimp1@chello.nl

From: Keith Mastin <kmastin(at)beechtree.ca> [ date: 2002-09-26 ]
Hey Mark,
Good article. I was unprepared for the questions required during the config process, and got lost when asked for the custom commands to install the service. They aren't covered in the documentation, and if there is one thing I can think of that would make the article better (more complete) it would be to cover the expected parameters for at least one distro.
Regards,
Keith Mastin
From: BLACK WIDOW <diskonnect2000(at)yahoo.com> [ date: 2004-08-17 ]
Nice article... I'm a novice in changing roots to provide security.
I just want to know a way of chrooting an ftp server. I tried to do it by following the commands from the link.
http://www.linux.com/guides/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/ftpd.shtml

Kindly help me out and by the way I'm on SuSE 9.0



From: tom <borretom(at)yahoo.com> [ date: 2006-03-02 ]
Whatever anyone else may think or say, I think you've done a great job for people who are just putting their first steps into the whole new linux world.
Maybe there are some things that aren't configured the way they are supposed to be. "I didn't see any faults" and at last my server is running like I want it.
Maybe it is not 100% secure, but for the things I use it for, it's good enough.

Mentioning that only 10% of the systems running today are -ux systems,
so only a few of those 10% of users are really able to hack something.

I think my server is more than secure enough.

Thanks for the explanation,
or, in other words, thanks for the effort ;)

23 talkbacks in English