I am trying to set up a chroot jail, and I did the following:

which binary
ldd /bin/binary

Then I did:

cp /lib64/{libs} $jail/lib64
cp /usr/lib64/{libs} $jail/usr/lib64

PS: During this setup, I discovered that /lib64 needs special permissions r-x, only r-- won't work (inside or outside chroot).

Copied binary to $jail, created /home/jailuser .

Created proc, dev, sys and mounted them.

Found uid and gid for jailuser:users

Changed ownership of home dir:

chown jailuser:users
chmod 700 (for dirs)
chmod 600 (for files)

Changed ownership of other files to root:root, and for the permissions, please see ahead.

Then under root entered the jail:

export USER=jailuser (and I did the same with LOGNAME, HOME)
cd $jail
chroot --userspec=$uid:$gid $jail $jail/binary

It worked, but:

On my local box, it only worked with all non-jailuser permissions set to 005.

On a KVM VPS, I tried the same, but the only permission that worked was 050!

Does anyone know:

1) Why local only works with at least 005 and remote only works with at least 050 (both systems are the same)?

2) Is there a better way to set up permissions inside a chroot jail? (But keeping root:root ownership, so the user/process cannot modify "system" files)...

3) Is there a better way to start this jail as a non-privileged user, other than using the --userspec option?

Thanks!

Weber K.
  • Could it be this behavior: The effective permissions are determined based on the first class the user falls within in the order of user, group then others. For example, the user who is the owner of the file will have the permissions given to the user class regardless of the permissions assigned to the group class or others class. – Weber K. Nov 05 '15 at 03:20

1 Answer

I think I've got it! I guess sometimes the system needs to change to a user that is inside the root group and needs the libs (maybe system or nobody?), and thus lib64 and usr/lib64 really need at least 050 permissions.

My final script to set permissions is this (tested and working):

#Create vars
u=jailuser
g=users
home=/home/$u
jail=$home/jail

#Set normal home: everything owned by the jail user, private to that user
cd "$home"
find . -type d -exec chown "$u:$g" {} +
find . -type f -exec chown "$u:$g" {} +
find . -type d -exec chmod 700 {} +
find . -type f -exec chmod 600 {} +

#Set jail: everything owned by root, only searchable/executable by others
u=root
g=root
cd "$jail"
find . -type d -exec chown "$u:$g" {} +
find . -type f -exec chown "$u:$g" {} +
find . -type d -exec chmod 511 {} +
find . -type f -exec chmod 100 {} +

#Set lib64: shared libraries must be readable to be mapped
cd "$jail/lib64"
find . -type f -exec chmod 555 {} +

#Set usr/lib64
cd "$jail/usr/lib64"
find . -type f -exec chmod 555 {} +

#Set binary
chmod 511 "$jail/binary"

#Set etc
chmod 544 "$jail/etc/passwd"
chmod 544 "$jail/etc/group"

#Set tmp
chmod 777 "$jail/tmp"

#Set jailed home: the user's home inside the jail, owned by the jail user again
u=jailuser
g=users
cd "$jail$home"
find . -type d -exec chown "$u:$g" {} +
find . -type f -exec chown "$u:$g" {} +
find . -type d -exec chmod 700 {} +
find . -type f -exec chmod 600 {} +

cd "$home"
Weber K.
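The rule quoted in the comment on the question (the first matching class of user, group, other decides, and later classes are never consulted) is what makes 005 and 050 behave so differently for a root:root library directory. The script below is an added example, not part of the question or the answer: `perm_class` applies that rule to a mode and an identity, `can_search` checks the execute/search bit a process needs on every directory leading to a library, and `path_class` runs the same check against a real path with GNU `stat`. The uids and gids used in the comments (jailuser as 1000, users as 100) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): which permission class applies to
# a file for a given process identity, and whether that class grants search.

# perm_class MODE OWNER_UID OWNER_GID PROC_UID PROC_GID...
# MODE is an octal mode such as 511 or 4755; PROC_GID... is the process's
# primary gid followed by any supplementary gids. Prints "<class> <digit>",
# e.g. "other 1", using the first class the process falls into.
perm_class() {
    mode=$1; owner_uid=$2; owner_gid=$3; proc_uid=$4
    shift 4
    digits=$(printf '%s' "$mode" | tail -c 3)
    case ${#digits} in
        1) digits=00$digits ;;
        2) digits=0$digits ;;
    esac
    if [ "$proc_uid" = "$owner_uid" ]; then
        printf 'user %s\n' "$(printf '%s' "$digits" | cut -c1)"
        return 0
    fi
    for gid in "$@"; do
        if [ "$gid" = "$owner_gid" ]; then
            printf 'group %s\n' "$(printf '%s' "$digits" | cut -c2)"
            return 0
        fi
    done
    printf 'other %s\n' "$(printf '%s' "$digits" | cut -c3)"
}

# can_search MODE OWNER_UID OWNER_GID PROC_UID PROC_GID...
# Succeeds when the applicable class has the execute/search bit (odd digit),
# which the loader needs on /lib64 and every directory above a library.
can_search() {
    d=$(perm_class "$@" | cut -d' ' -f2)
    [ $((d % 2)) -eq 1 ]
}

# can_read MODE OWNER_UID OWNER_GID PROC_UID PROC_GID...
# Succeeds when the applicable class has the read bit (digit 4..7), which the
# loader needs on the library file itself.
can_read() {
    d=$(perm_class "$@" | cut -d' ' -f2)
    [ $((d / 4 % 2)) -eq 1 ]
}

# path_class PATH: report the class for PATH as the current process.
# Assumes GNU coreutils stat; run this inside the jail as the jailed user.
path_class() {
    s=$(stat -c '%a %u %g' "$1") || return 1
    # word-splitting of $s and $(id -G) into separate arguments is intended
    perm_class $s "$(id -u)" $(id -G)
}

# Constructed scenarios (assumed ids: jailuser=1000, users=100, root=0):
# a root:root 511 directory seen by a process with gid 100 only -> "other 1"
perm_class 511 0 0 1000 100
# the same process, but with gid 0 in its group list -> "group 1", others ignored
perm_class 511 0 0 1000 0 100
# mode 005 with gid 0 in the list: group class applies and has nothing -> no search
can_search 005 0 0 1000 0 && echo "005: searchable" || echo "005: not searchable"
```

Run inside the jail as the jailed user, `path_class /lib64` shows which class the kernel will consult for that process; if the reported class is `group`, the process carries the directory's owning group (root, for a root:root jail) and the 050 bits are what matter, exactly the symptom described for the VPS.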