chrooting bitchx
Hi,
I'm having a problem chrooting bitchx. I run ldd to list the object dependencies that bitchx is using:

ldd `whereis BitchX`
/usr/local/bin/BitchX
/usr/lib/libcrypto.so.14.0
/usr/lib/libm.so.3.0
/usr/lib/libncurses.so.10.0
/usr/lib/libssl.so.48.0
/usr/libexec/ld.so

and copied it (as root) to my chrooted directory, cp /dev/MAKEDEV to the chroot dev directory, change to /chrooted/dev and execute sh MAKEDEV all, then

$ sudo chroot /chrooted/ /bin/sh

but when I try to run BitchX, I'm still having some error:

# BitchX Version (BitchX-1.0c18) Process[17200] Using terminal type [vt220] setupterm failed: -1 so we'll be running in dumb mode...

I think I've created all the dependencies and all the dev files. Any suggestions? Did I miss something? Thanks in advance!
|
||||
My guess #1: the mount point for /chrooted is set nodev or nosuid.
My guess #2: the application attempts to mknod(2), which isn't permitted in a chrooted environment.
Last edited by jggimi; 20th March 2009 at 02:32 AM.
|
|||
I mount the chrooted directory without nodev and nosuid, so I guess it has something to do with mknod... gheee!... It's harder than I thought.. I think I have to google more on how to jail most of my programs. Thanks for the reply.
|
|
|||
I just want to update my post.. I solved my problem.. I ran systrace and found out that I have to copy /usr/share/misc/terminfo.db to my chrooted directory. It works..
|
|
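The fix reported in the post above (a runtime data file that ldd does not list) can be checked for before entering the chroot. The following is an added example, not part of the original thread: it compares the paths ldd reports, plus known data files, against the chroot tree. The function names, the EXTRA_FILES list and the sample ldd listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report files a chrooted program needs but the chroot lacks.

# Runtime data files that ldd cannot see (assumed list). terminfo.db is the
# one found with systrace in this thread; extend it as tracing shows more.
EXTRA_FILES="/usr/share/misc/terminfo.db"

# Read ldd output on stdin; print every absolute path it mentions, once each.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^\//) { sub(/:$/, "", $i); print $i } }' | sort -u
}

# Read ldd output on stdin; print ldd paths plus EXTRA_FILES.
manifest() {
    { ldd_paths; for f in $EXTRA_FILES; do printf '%s\n' "$f"; done; } | sort -u
}

# Usage: missing_in_chroot CHROOT_DIR < list-of-paths
# Prints each listed path that does not exist under CHROOT_DIR.
missing_in_chroot() {
    root=${1%/}
    while IFS= read -r p; do
        [ -e "$root$p" ] || printf '%s\n' "$p"
    done
}

# Constructed sample: the paths from the first post, laid out like an ldd
# table (the address and type columns are illustrative).
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/BitchX:
	Start    End      Type Name
	1c000000 3c02e000 exe  /usr/local/bin/BitchX
	0a5c1000 2a60f000 rlib /usr/lib/libcrypto.so.14.0
	0f2d3000 2f2ea000 rlib /usr/lib/libm.so.3.0
	04b7a000 24bb5000 rlib /usr/lib/libncurses.so.10.0
	08e44000 28e7c000 rlib /usr/lib/libssl.so.48.0
	0d1a9000 0d1a9000 rtld /usr/libexec/ld.so
EOF
}

# Real use: sh check.sh /usr/local/bin/BitchX /chrooted
if [ $# -eq 2 ]; then
    ldd "$1" | manifest | missing_in_chroot "$2"
fi
```

An empty result only means the listed files are present; files the program opens lazily still have to be found by tracing it, as was done here with systrace.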
|||
What are the advantages of chrooting bitchx or another IRC client? Security?
|
|
|||
Yes. chroot(8) effectively changes the root directory such that the "real" root directory, configuration files, libraries, & binaries not present in the chroot'ed directory are completely hidden/inaccessible/protected from a process running in the chroot'ed directory.
Given the shenanigans & holes exploited in the IRC world, chroot(8) can help secure a client's system from malicious intent.
|
||||
I was watching the above discussion with great interest and I have a couple of questions of my own which might be a little bit OT. Can somebody summarize in a couple of sentences the principal differences between FreeBSD jails and OpenBSD chroot? I noticed that sysjail can still be compiled with patches on OpenBSD 4.4. I know that sysjail has documented vulnerabilities. Is the project completely abolished now? What were the potential benefits of sysjail over chroot?
Thank you
OKO
|
||||
Here's one perspective on naked chroot:
|
|
||||
Can you now put into context for me the following:
http://www.undeadly.org/cgi?action=a...20090201164147
I am first and foremost interested in chroot and jails as additional security tools. I am not interested in virtualization at all.
|
|||
Logical Domains are an architectural feature of some UltraSPARC systems, basically a hardware assisted virtualization.. totally unrelated to this chroot/sysjail discussion.
As mentioned by jggimi, sysjail was an effort to create a FreeBSD jail-like environment for OpenBSD/NetBSD using existing frameworks, chroot(2) and systrace(4). A long-standing assumption has been that systrace is completely secure, it clearly isn't.. but it can be used for temporarily restricting access to specific system calls and resources. For example, it might stop an evil program from doing evil things.. presuming the program isn't aware of a systrace vulnerability.
Quote:
FreeBSD jails have a lot of kernel support, the architecture is different.. presumably this is all documented if you're willing to search for it.
http://en.wikipedia.org/wiki/FreeBSD_jail
http://en.wikipedia.org/wiki/Systrace
http://sysjail.bsd.lv/
I hope that clears some things up, UltraSPARC LDOMS are a possibly similar but different topic.
|
||||
Solaris "Zones" are jails, as I understand them -- the Global Zone is the native userland, other zones are jails.
Unfortunately, Sun has made Zones an intentional obfuscation -- as they not only offer some jail techniques, they also provide some hardware virtualization management interfaces on those Sun platforms that support hardware virtualization. Sun, by the way, has had hardware virtualization capability since they acquired the SGI division of Cray that made the CS64000, re-badged by Sun as the E10000. Hardware virtualization has been around since the mid-1980s on large scale servers. It began, I believe, with Amdahl Corporation's Multiple Domain Facility (MDF) for their System/370 compatible mainframes.
Last edited by jggimi; 21st March 2009 at 04:53 PM.