Running chroot applications in a chroot environment

Running chroot applications in a chroot environment

Post by Michael Siebk » Tue, 28 Jan 2003 04:50:25



I've set up a chroot environment which works for standard tools like
'ls', 'rm', 'sh' and want to use it for tools which require network
access (e.g. psybnc, an IRC bouncer). The user used for the chroot
tools is not the root user (uid > 0, gid > 0).

I've copied the binary to the 'chroot'/bin directory and all required
libraries reported by 'ldd' to 'chroot'/lib, but network access is not
possible. To make the test simpler I tried accessing the network
using the 'ping' tool. If trying to ping a fully qualified name, the name
can not be resolved. If trying to ping an IP address, ping reports that
it is not able to open an ICMP connection.

What must I do to get network access in a chroot environment?

Ciao, Michael


Running chroot applications in a chroot environment

Post by Pat » Tue, 28 Jan 2003 07:09:44


Greets.


> I've set up a chroot environment which works for standard tools like
> 'ls', 'rm', 'sh' and want to use it for tools which require network
> access (e.g. psybnc, an IRC bouncer).

[snip]

> If trying to ping a fully qualified name, the name
> can not be resolved. If trying to ping an IP address, ping reports that
> it is not able to open an ICMP connection.

My guess would be that, although you've got all the required libs and such, you are still missing
some devices.  Have you created a ./dev directory under your chroot and have you set up all the
required devices?

Figuring out which devices you need can be arduous but in these cases lsof/truss will be your
friends. I'm thinking your troubles have to do with the /dev/inet/* stuff.  ls -lL your devices and
mknod accordingly.  For instance,

# cd /path/to/chroot
# mkdir -p dev/inet
# ls -lL /dev/inet/tcp
crw-------    1 root     root      30,  36 Aug 30 19:31 /dev/inet/tcp
# cd dev/inet
# mknod c 30 36
# cd ..; ln -s inet/tcp tcp

HTH
--
Pat Deegan,
Registered Linux User #128131
http://www.psychogenic.com/


Running chroot applications in a chroot environment

Post by Pat » Tue, 28 Jan 2003 07:15:48



> # mknod c 30 36

duh - sorry that should be

# mknod tcp c 30 36

Regards,
--
Pat Deegan,
Registered Linux User #128131
http://www.psychogenic.com/contact.en.html


Running chroot applications in a chroot environment

Post by Michael Siebk » Tue, 28 Jan 2003 20:21:51




>> # mknod c 30 36
> duh - sorry that should be

> # mknod tcp c 30 36


Accidentally answered by e-mail instead of using a followup, and e-mail is not
configured yet (probably impossible to reply). Sorry...

Anyway, I created all dev/inet devices as well as a copy of each device
directly in the dev directory. In addition, I've also created a socksys
device. However, it still won't work. I've run an ltrace with the
following result:

sh-2.05b$ ltrace ping 127.0.0.1
__libc_start_main(0x08048f00, 2, 0xbffffe84, 0x08048af4, 0x0804dac0
   <unfinished ...>
socket(2, 3, 1, 0x4003577a, 0x400305e8)           = -1
__errno_location(2, 3, 1, 0x4003577a, 0x400305e8) = 0x40140ba0
getuid(2, 3, 1, 0x4003577a, 0x400305e8)           = 101
setuid(101, 3, 1, 0x4003577a, 0x400305e8)         = 0
getopt(2, 0xbffffe84, 0x0804db00, 0x4003577a, 0x400305e8) = -1
inet_aton(0xbfffff3b, 0x080605b8, 0x0804db00, 0x4003577a, 0x400305e8) = 1
socket(2, 2, 0, 0x4003577a, 0x400305e8)           = 3
connect(3, 0xbffffd90, 16, 0x4003577a, 0x400305e8) = 0
getsockname(3, 0x080605c4, 0xbffffd18, 0x4003577a, 0x400305e8) = 0
close(3, 0x080605c4, 0xbffffd18, 0x4003577a, 0x400305e8) = 0
__errno_location(3, 0x080605c4, 0xbffffd18, 0x4003577a, 0x400305e8) =
   0x40140ba0
perror(0x0804e3ea, 0x080605c4, 0xbffffd18, 0x4003577a, 0x400305e8ping: icmp
   open socket: Operation not permitted) = 0x4013d380
exit(2, 0x080605c4, 0xbffffd18, 0x4003577a, 0x400305e8 <unfinished ...>
+++ exited (status 2) +++
sh-2.05b$

If running an 'ltrace ping localhost', gethostbyname() returns an error:
gethostbyname(0xbfffff3b, 0x080605b8, 0x0804db00, 0x4003577a,
0x400305e8) = 0
fprintf(0x4013d380, 0x0804e42b, 0xbfffff3b, 0x4003577a, 0x400305e8ping:
   unknown host localhost) = 29

The chroot dev directory looks like this:

morpheus:/scratch/psybnc # ls -lR dev
dev:
total 12
drwxr-xr-x    3 root     root         4096 Jan 27 10:54 .
drwxr-xr-x    9 psybnc   internet     4096 Jan 27 10:45 ..
crw-r--r--    1 root     root      30,  39 Jan 27 10:54 arp
crw-r--r--    1 root     root      30,  37 Jan 27 10:54 egp
crw-r--r--    1 root     root      30,  34 Jan 27 10:54 ggp
crw-r--r--    1 root     root      30,  33 Jan 27 10:54 icmp
crw-r--r--    1 root     root      30,  40 Jan 27 10:54 idp
drwxr-xr-x    2 root     root         4096 Jan 27 10:48 inet
crw-r--r--    1 root     root      30,  32 Jan 27 10:54 ip
crw-r--r--    1 root     root      30,  35 Jan 27 10:54 ipip
crw-r--r--    1 root     root      30,  38 Jan 27 10:54 pup
crw-r--r--    1 root     root      30,  41 Jan 27 10:54 rawip
crw-r--r--    1 root     root      30,  39 Jan 27 10:54 rip
crw-r--r--    1 root     root      30,   0 Jan 27 10:54 socksys
crw-r--r--    1 root     root      30,  36 Jan 27 10:54 tcp
crw-r--r--    1 root     root      30,  39 Jan 27 10:54 udp

dev/inet:
total 8
drwxr-xr-x    2 root     root         4096 Jan 27 10:48 .
drwxr-xr-x    3 root     root         4096 Jan 27 10:54 ..
crw-r--r--    1 root     root      30,  39 Jan 27 10:48 arp
crw-r--r--    1 root     root      30,  37 Jan 27 10:48 egp
crw-r--r--    1 root     root      30,  34 Jan 27 10:48 ggp
crw-r--r--    1 root     root      30,  33 Jan 27 10:48 icmp
crw-r--r--    1 root     root      30,  40 Jan 27 10:48 idp
crw-r--r--    1 root     root      30,  32 Jan 27 10:48 ip
crw-r--r--    1 root     root      30,  35 Jan 27 10:48 ipip
crw-r--r--    1 root     root      30,  38 Jan 27 10:48 pup
crw-r--r--    1 root     root      30,  41 Jan 27 10:48 rawip
crw-r--r--    1 root     root      30,  39 Jan 27 10:48 rip
crw-r--r--    1 root     root      30,  36 Jan 27 10:48 tcp
crw-r--r--    1 root     root      30,  39 Jan 27 10:48 udp

Any more ideas? I can't see any information in the ltrace log which
helps me to go further. It seems to me that something big is still not
there.

Ciao, Meph


Running chroot applications in a chroot environment

Post by Pat » Wed, 29 Jan 2003 00:36:35


Hello,


> Anyway, I created all dev/inet devices as well as a copy of each device
> directly in the dev directory. In addition, I've created also a socksys
> device. However, it still won't work. I've run a ltrace with the
> following result:

> sh-2.05b$ ltrace ping 127.0.0.1

ok.  Wait a minute - have you tried

$ ltrace ping 127.0.0.1

in the normal (real/non-chrooted) environment?  This will also fail as 'ping', which normally runs
setuid, is only an argument to ltrace in this case.

As a regular user, this fails.  Is the ping in your chroot set up like:
-rwsr-xr-x    1 root     root        35302 Jun 23  2002 /bin/ping

?


> If running a 'ltrace ping localhost', gethostbyname() returns an error:
> gethostbyname(0xbfffff3b, 0x080605b8, 0x0804db00, 0x4003577a,
> 0x400305e8) = 0
> fprintf(0x4013d380, 0x0804e42b, 0xbfffff3b, 0x4003577a, 0x400305e8ping:
>    unknown host localhost) = 29

> The chroot dev directory looks like this:

Have you also set up the resolver-related stuff in /etc?

/etc/resolv.conf
/etc/hosts
/etc/host.conf

at a minimum.

--
Pat Deegan,
Registered Linux User #128131
http://www.psychogenic.com/


Running chroot applications in a chroot environment

Post by Michael Siebk » Wed, 29 Jan 2003 05:28:27



>> sh-2.05b$ ltrace ping 127.0.0.1

> ok.  Wait a minute - have you tried

> $ ltrace ping 127.0.0.1

> As a regular user, this fails.  Is the ping in your chroot set up like:
> -rwsr-xr-x    1 root     root        35302 Jun 23  2002 /bin/ping

Oops... that was really new for me. I never thought that ping needs
setuid, but we will learn until we die.

Ok, ping with IP address works fine, now.

>> If running an 'ltrace ping localhost', gethostbyname() returns an error:

> Have you also setup the resolve related stuff in /etc?

> /etc/resolv.conf
> /etc/hosts
> /etc/host.conf

Yep, I did. The information has been stripped to a minimum, but that
should be enough for the "ping localhost" example:

morpheus# cat host.conf
order hosts, bind
multi on
morpheus# cat hosts
127.0.0.1   localhost
morpheus# cat resolv.conf
nameserver 127.0.0.1
search     local
morpheus#

I've tried another thing just to catch the remaining problem with
hostname resolution. I've installed a copy of nslookup in the chroot
environment, added the required libs and tried nslookup inside the
chroot. Hey, it works. That means for me that DNS is alive and kicking.

The target application (psybnc, the IRC bouncer) is also NOT able to
resolve its hostname. The difference, as I see it, is that nslookup directly
connects to the local DNS server (queries sent to localhost as set up in
the resolv.conf) but gethostbyname() still fails.

Btw, thank you a lot for your help so far :)

Regards,
Michael
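Editor's note: the script below is an added example for this thread, not code from any of the posters. It automates what the thread works toward: copying a program and the libraries ldd reports into the chroot, the /etc files Pat lists, and one more thing ldd never shows. glibc resolves the modules on the "hosts:" line of /etc/nsswitch.conf (libnss_files.so.2, libnss_dns.so.2, ...) with dlopen() at run time, so they are absent from ldd output, and without them gethostbyname() fails inside a chroot even when /etc/hosts and /etc/resolv.conf are present, while a program with its own resolver such as nslookup still works. It assumes a glibc-based Linux host with GNU coreutils (install -D, chroot --userspec); the chroot path /scratch/psybnc and the user psybnc:internet are taken from the poster's listing and are only defaults. The verification step uses getent instead of ping because getent needs no raw socket and therefore no setuid bit.

```shell
#!/bin/sh
# Populate a chroot so that a dynamically linked program can use the
# network and, in particular, resolve names through glibc.
# Added example for this thread, not code from any of the posters.
# Assumed (not from the thread): glibc-based Linux, GNU coreutils,
# CHROOT and RUNAS as defaults below. Run as root: sh thisfile /path/to/program
set -eu

CHROOT="${CHROOT:-/scratch/psybnc}"
RUNAS="${RUNAS:-psybnc:internet}"

# Read ldd(1) output on stdin and print one needed file per line:
# "libX => /path (0x..)" lines and the bare "/lib/ld-*.so" loader line.
# Unresolved libraries ("=> not found") are reported on stderr only.
deps_from_ldd_output() {
    awk '/=> not found/ { print "unresolved: " $1 > "/dev/stderr"; next }
         /=> \//        { print $3; next }
         $1 ~ /^\//     { print $1 }'
}

deps_of() { ldd "$1" | deps_from_ldd_output; }

# The modules on the "hosts:" line of nsswitch.conf (e.g. files dns) are
# loaded with dlopen() as libnss_<module>.so.2, so ldd never lists them.
# Without them gethostbyname() fails in the chroot although /etc/hosts
# and /etc/resolv.conf are there. Bracketed actions like [NOTFOUND=return]
# are not modules and are skipped.
nss_modules_from() {
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }' "$1"
}

# Copy a file into the chroot under its original absolute path, so the
# dynamic loader finds libraries where it expects them. The mode is set
# explicitly: no setuid bit from the host copy is carried over.
copy_in() {
    install -D -m "$2" "$1" "$CHROOT$1"
}

install_program() {
    copy_in "$1" 0755
    for lib in $(deps_of "$1"); do copy_in "$lib" 0644; done
}

install_resolver() {
    for m in $(nss_modules_from /etc/nsswitch.conf); do
        for lib in /lib/libnss_"$m".so.2 /lib64/libnss_"$m".so.2 \
                   /lib/*-linux-gnu/libnss_"$m".so.2; do
            if [ -e "$lib" ]; then copy_in "$lib" 0644; fi
        done
    done
    for f in /etc/nsswitch.conf /etc/resolv.conf /etc/hosts /etc/host.conf; do
        if [ -e "$f" ]; then copy_in "$f" 0644; fi
    done
    # Sockets are system calls on Linux and need no device nodes; the
    # devices a chrooted network program commonly does need are these two.
    mkdir -p "$CHROOT/dev"
    [ -e "$CHROOT/dev/null" ]    || mknod -m 666 "$CHROOT/dev/null" c 1 3
    [ -e "$CHROOT/dev/urandom" ] || mknod -m 444 "$CHROOT/dev/urandom" c 1 9
}

# Check resolution as the unprivileged user; exits non-zero on failure.
verify() {
    install_program /usr/bin/getent
    chroot --userspec="$RUNAS" "$CHROOT" /usr/bin/getent hosts localhost
}

main() {
    install_program "$1"
    install_resolver
    verify
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Two design points. Files are installed under their original absolute paths rather than flattened into bin/ and lib/, so the dynamic loader's default search path works without an ld.so.cache inside the chroot. And nothing is made setuid: a setuid-root binary reachable by the chrooted user, such as the ping Pat describes, means that any bug in it yields root inside the chroot, and root inside a chroot can leave it, so such a binary should only go in when the service really needs it.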