Chroot
Zutao Zhu
10/30/2009
Outline
• Task 1 - 4
Hard Link
• ln ab.txt cd.txt
Symbolic Link
• ln -s ab.txt cd.txt
File Descriptor
• How is a file descriptor used?
  – Capability!
• Use chroot() after fopen()
  – Then fgetc()
chroot and chroot()
• Read the chroot command manual page and the chroot() function manual page.
  – http://ss64.com/bash/chroot.html
  – http://linux.die.net/man/2/chroot
• Think about the following behavior after the chroot command and the chroot() function
• http://www.kegel.com/crosstool/current/chrootshell.c
How does su work?
• What files does su use when authenticating users?
• http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html
Get out with root privilege
• Get the root privilege within the jail
• Copy a shell to the jail
• Chown the shell to root
• Chmod the shell to be set-uid
• Prepare passwd and shadow files
• Run the program from outside of the jail
Break out of a chroot jail
• Background knowledge
  – Current working directory
  – Root directory
• Most implementations of chroot() do not change the working directory of the process to within the directory the process is now chroot()ed in.
Break out of a chroot jail
• Strategy
  – Open the current working directory
  – Create a temporary directory in its current working directory
  – Change the root directory of the process to the temporary directory using chroot().
  – Perform chdir("..") calls many times to move the current working directory into the real root directory.
  – Change the root directory of the process to the current working directory, the real root directory, using chroot(".")
Kill a process
• The user inside the jail knows the pid of a process running outside of the jail
• chroot(), chdir(), kill(pid, SIGKILL)
Bonus question
• “Using ptrace allows you to set up system call interception and modification at the user level.”, quoted from http://www.linuxjournal.com/article/6100
• http://www.lxhp.in-berlin.de/lhpsysc0.html
How to secure chroot()
• discussion
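One way to address two points from the earlier slides when setting up a jail: descriptors act as capabilities, and chroot() leaves the working directory where it was. This is an added example, not part of the original slides; the names close_dir_fds and enter_jail, the 65536 scan cap and the presence of /bin/sh inside the jail are assumptions.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close every open descriptor >= lowest that refers to a directory.
 * A directory fd opened before chroot() still names a place outside the
 * jail, so it must not survive. Returns how many were closed. */
int close_dir_fds(int lowest)
{
    long max = sysconf(_SC_OPEN_MAX);
    int closed = 0;
    if (max < 0 || max > 65536) max = 65536; /* assumption: cap the scan */
    for (int fd = lowest; fd < max; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && close(fd) == 0)
            closed++;
    }
    return closed;
}

/* Enter the jail at dir and give up root for good. Returns 0 on success,
 * -1 on any failure (the caller should then exit, not continue). */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)        return -1; /* staying root defeats the jail */
    if (chdir(dir) != 0)             return -1; /* cwd goes inside first */
    close_dir_fds(3);                           /* no handles to the outside */
    if (chroot(".") != 0)            return -1;
    if (chdir("/") != 0)             return -1; /* cwd is now the jail root */
    if (setgroups(0, NULL) != 0)     return -1; /* drop supplementary groups */
    if (setgid(gid) != 0)            return -1; /* group before user */
    if (setuid(uid) != 0)            return -1;
    if (setuid(0) == 0)              return -1; /* root must be unrecoverable */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4 || enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        fprintf(stderr, "usage (as root): %s <jail-dir> <uid> <gid>\n", argv[0]);
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL);   /* assumption: the jail contains /bin/sh */
    return 1;
}
```

The jail directory itself should be owned by root and contain no set-uid binaries, since the unprivileged process can only be held by chroot() while it has no path back to uid 0.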
Reference
• http://www.bpfh.net/simes/computing/chroot-break.html
• http://ss64.com/bash/chroot.html
• http://linux.die.net/man/2/chroot
• http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html