All geek questions in one place

How to (legally) access files after putting myself in a chrooted sandbox?

Changing a program on Linux C ++ that gives the user limited access to files. Thus, the chroots program itself is in the sandbox with files that the user can reach. Everything worked well.

Now, however, the program needs to access some files for its needs (and not the user), but they are located outside the isolated program. I know that chroot allows access to files open before chroot, but in this case the necessary files can contain several of many hundreds, so it is obviously inappropriate to open them with everything that is required for a pair, which may be required.

Is there any way to get files?

+4
source share
4 answers

If the files you want to access are in several directories, you can open these directories before you close and save the file descriptors. Then you can use the so-called * functions (e.g. openat () , renameat () , etc.) to get separate files. Basically, you open files relative to already open file descriptors of a directory, not a chrooted directory.

Whether this can be done is a question, but it should work on Linux.

EDIT: It's on the ugly side, but it seems to work. You have to call far more for vulnerabilities than me. I have not tested how to lose privileges, etc., What will affect things.

#include <iostream> #include <string> using namespace std; #include <cstdio> #include <cstdlib> #include <cerrno> #include <cstring> #include <unistd.h> #include <fcntl.h> #include <dirent.h> #include <sys/types.h> #include <sys/stat.h> int main(int argc, char *argv[]) { if (argc < 4) { cerr << "USAGE: " << argv[0] << " <jail directory> <freeworld directory> <filename>\n"; exit(EXIT_FAILURE); } const string JAILDIR(argv[1]); const string FREEDIR(argv[2]); string freefilename(argv[3]); while (freefilename[0] == '/') freefilename.erase(0, 1); DIR *pDir; if ((pDir = opendir(FREEDIR.c_str())) == NULL) { perror("Could not open outside dir"); exit(EXIT_FAILURE); } int freeFD = dirfd(pDir); //cd to jail dir if (chdir(JAILDIR.c_str()) == -1) { perror("cd before chroot"); exit(EXIT_FAILURE); } //lock in jail if (chroot(JAILDIR.c_str()) < 0) { cerr << "Failed to chroot to " << JAILDIR << " - " << strerror(errno) << endl; exit(EXIT_FAILURE); } // //in jail, won't work // string JailFile(FREEDIR); JailFile += "/"; JailFile += freefilename; int jailFD; if ((jailFD = open(JailFile.c_str(), O_RDONLY)) == -1) { cout << "as expected, could not open " << JailFile << endl; perror("exected open fail"); } else { cout << "defying all logic, opened " << JailFile << endl; exit(EXIT_FAILURE); } // //using this works // if ((jailFD = openat(freeFD, freefilename.c_str(), O_RDONLY)) == -1) { cout << "example did not work. Could not open " << freefilename << " Sorry!" << endl; exit(EXIT_FAILURE); } else cout << "opened " << freefilename << " from inside jail" << endl; char buff[255]; ssize_t numread; while (1) { if ((numread = read(jailFD, buff, sizeof(buff) - 1)) == -1) { perror("read"); exit(EXIT_FAILURE); } if (numread == 0) break; buff[numread] = '\0'; cout << buff << endl; } return 0; }

To check:

echo "Hello World"> /tmp/mystuff.dat

mkdir / tmp / jail

sudo./myprog/tmp/jail/tmp mystuff.dat

+2
source

Copy them to the sandbox or open them before chroot ing. Jokes aside. If there was a way to do this, there would be a way to undermine it to allow other access and make your defense useless.

The whole sandbox is to prevent what you are trying to achieve.

+8
source

If all the files are in 1 directory, you can use mount to bind them to the directory inside the sandbox.

 mount --bind /path/to/files /sandbox/files

You can access files through /sandbox/files/ . If you do not want the user to see them, run mount --bind /path/to/files /sandbox/.files , so the .files directory .files hidden

+2
source

I assume that you should split your program into two parts: one that is chroot'ed and the other does not, and the contents of the contents of the chroot'ed requests from the non-chroot'ed file through the IPC mechanism of your choice.

This is a hack, and it can be easily mistaken, denying any chroot advantage. As paxdiablo says, you are trying to get around the whole goal of the chroot sandbox, so your options are very, very limited.

Perhaps if you explain a little more than what you are trying to achieve, we can offer some other ideas. For example, SELinux and AppArmor are more flexible than chroot, and can provide you with the security you are looking for.

+2
source

Source: https://habr.com/ru/post/1304046/

More articles:


All Articles