chroot zutao zhu 10/30/2009. outline task 1 - 4 hard link ln ab.txt cd.txt


Upload: bernice-atkinson

Post on 18-Dec-2015


Chroot

Zutao Zhu

10/30/2009


Outline

• Task 1 - 4


Hard Link

• ln ab.txt cd.txt


Symbolic Link

• ln -s ab.txt cd.txt


File Descriptor

• How is a file descriptor used?
  – Capability!

• Use chroot() after fopen()
  – Then fgetc()


chroot and chroot()

• Read the chroot command manual page and the chroot() function manual page.
  – http://ss64.com/bash/chroot.html
  – http://linux.die.net/man/2/chroot

• Think about the behavior after the chroot command and the chroot() function

• http://www.kegel.com/crosstool/current/chrootshell.c


How does su work?

• What files does su use when authenticating users?

• http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html


Get out with root privilege

• Get the root privilege within the jail

• Copy a shell to the jail

• Chown the shell to root

• Chmod the shell to be set-uid

• Prepare passwd and shadow files

• Run the program from outside of the jail


Break out of a chroot jail

• Background knowledge
  – Current working directory
  – Root directory

• Most implementations of chroot() do not change the working directory of the process to within the directory the process is now chroot()ed in.


Break out of a chroot jail

• Strategy
  – Open the current working directory
  – Create a temporary directory in its current working directory
  – Change the root directory of the process to the temporary directory using chroot().
  – Perform chdir("..") calls many times to move the current working directory into the real root directory.
  – Change the root directory of the process to the current working directory, the real root directory, using chroot(".")


Kill a process

• The user inside the jail knows the pid of a process running outside of the jail

• chroot(), chdir(), kill(pid, SIGKILL)


Bonus question

• “Using ptrace allows you to set up system call interception and modification at the user level.”, quoted from http://www.linuxjournal.com/article/6100

• http://www.lxhp.in-berlin.de/lhpsysc0.html


How to secure chroot()

• discussion
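
An added example, not part of the original slides, of a jail entry sequence that answers the earlier points: descriptors opened outside the jail stay usable after chroot(), chroot() leaves the working directory where it was, and the break-out relies on root privilege inside the jail. The function names `close_dir_fds` and `enter_jail` are hypothetical, and the caller is assumed to start as root.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>

/* A descriptor is a capability: a directory opened before chroot() still
 * works afterwards. Close every directory fd >= lowfd; return the count. */
int close_dir_fds(int lowfd)
{
    long max = sysconf(_SC_OPEN_MAX);
    struct stat st;
    int closed = 0;
    if (max < 0 || max > 65536)
        max = 65536;                 /* bound the scan */
    for (int fd = lowfd; fd < max; fd++)
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && close(fd) == 0)
            closed++;
    return closed;
}

/* Hypothetical helper: enter the jail at dir, then permanently become
 * uid/gid. Returns 0 on success, -1 with errno set on failure. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {      /* staying root defeats the jail */
        errno = EINVAL;
        return -1;
    }
    close_dir_fds(3);                /* keep only stdin/stdout/stderr */
    if (chdir(dir) != 0)             /* working directory goes inside first */
        return -1;
    if (chroot(".") != 0)            /* requires root (CAP_SYS_CHROOT) */
        return -1;
    if (chdir("/") != 0)             /* cwd is now the new root */
        return -1;
    if (setgroups(0, NULL) != 0)     /* drop supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)  /* group first, then user */
        return -1;
    if (setuid(0) == 0) {            /* regaining root must be impossible */
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

Set-uid binaries and a usable passwd/shadow pair inside the jail directory would hand root back to the jailed user, so the jail tree itself should contain neither.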


Reference

• http://www.bpfh.net/simes/computing/chroot-break.html

• http://ss64.com/bash/chroot.html

• http://linux.die.net/man/2/chroot

• http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html