DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 20th April 2019
bsdcord bsdcord is offline
Port Guard
 
Join Date: Apr 2019
Posts: 23
Default chroot, how ?

Hi,
I need to put a browser in a chroot environment... any easy way to achieve my goal ? how to ? doc ? tutorial ?
or any script or tool ? anyone have tried jailkit ? I tried it, but looks just for linux (and imho very complicated... some software are more complicate than the base manual steps.)
Reply With Quote
  #2   (View Single Post)  
Old 21st April 2019
ibara's Avatar
ibara ibara is offline
Real-life IT professor
 
Join Date: Jan 2014
Posts: 717
Default

chroot(8)
Reply With Quote
  #3   (View Single Post)  
Old 21st April 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,814
Default

Quote:
Originally Posted by bsdcord View Post
Hi,
I need to put a browser in a chroot environment...
The chromium browser on OpenBSD can use the unveil(2) system call to restrict filesystem access. This facility was added after 6.4-release, and will be the default for the upcoming 6.5-release. As a chromium browser user, you will have to run the application with the "--disable-unveil" option if you want to eliminate this restriction.

Chromium will be restricted to directories that it is supposed to be able to access, such as local cached web page data and the $HOME/Downloads directory.
Reply With Quote
  #4   (View Single Post)  
Old 21st April 2019
bsdcord bsdcord is offline
Port Guard
 
Join Date: Apr 2019
Posts: 23
Default

I know about unveil and chrome, also an other open directory is .config then u can create autostart folder within inside a bin to run.
Anyway I need to chroot epiphany.
how ?
Reply With Quote
  #5   (View Single Post)  
Old 21st April 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,814
Default

Quote:
Originally Posted by bsdcord View Post
Anyway I need to chroot epiphany.
how ?
EVERYTHING the epiphany browser needs to access from a filesystem must be located within the chroot:
  • For epiphany, ldd(1) lists 7 libraries from /usr/lib, 37 libraries from /usr/X11R6, 78 libraries from /usr/local/lib, the runtime link-editor ld.so(1), and the executable binary /usr/local/bin/epiphany.
  • Anything needed from /etc configuration files. At minimum, this will require the domain resolver provisioning file /etc/resolv.conf and optionally /etc/resolv.conf.tail.
  • Any other files needed by the browser, such as those that would normally be accessed from the running user's $HOME directory structure.
As I'm not an epiphany user, I cannot tell you what other files are required to operate the application.
Reply With Quote
  #6   (View Single Post)  
Old 22nd April 2019
ibara's Avatar
ibara ibara is offline
Real-life IT professor
 
Join Date: Jan 2014
Posts: 717
Default

If epiphany isn't a hard requirement, you may consider Firefox, which has a much smaller list of dynamically linked dependencies:
Code:
/home/brian $ ldd /usr/local/bin/firefox                                                                                                                                                                                                      
/usr/local/bin/firefox:
        Start            End              Type  Open Ref GrpRef Name
        0000170eb9c00000 0000170eb9c32000 exe   2    0   0      /usr/local/bin/firefox
        000017113fea5000 000017113ff7e000 rlib  0    1   0      /usr/lib/libc++.so.2.1
        00001710ea488000 00001710ea4cb000 rlib  0    2   0      /usr/lib/libc++abi.so.0.1
        0000171133962000 000017113396e000 rlib  0    1   0      /usr/lib/libpthread.so.26.1
        000017114db6d000 000017114db9c000 rlib  0    1   0      /usr/lib/libm.so.10.1
        00001710ed27c000 00001710ed371000 rlib  0    1   0      /usr/lib/libc.so.95.0
        000017115df94000 000017115df94000 ld.so 0    1   0      /usr/libexec/ld.so
Or you could compile epiphany as a giant static binary.
Reply With Quote
  #7   (View Single Post)  
Old 22nd April 2019
bsdcord bsdcord is offline
Port Guard
 
Join Date: Apr 2019
Posts: 23
Default

ok, I understand, but after I've copied all the needed files and library how I can run epiphany ?

just chroot /my/path/to/chroot /usr/local/bin/epiphany ?

ofcourse I don't need shells like ksh and ps and so on..
then if an attacker take over of the process can get the list of the processes ?
I think yes, it just have to ask to the kernel..
Reply With Quote
  #8   (View Single Post)  
Old 22nd April 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,814
Default

A chroot(2) is not a virtual machine, docker, or jail. It merely defines a point in the directory structure as new root directory "/" for a process and its children. As I noted in your other thread, this does not hide any process metadata.

Obviously, if there is no /bin/ps utility in the chroot directory structure, epiphany cannot run the ps(1) utility directly. But the C library must be included in your chroot() structure, and the C library includes the complete set of kvm(3) functions used by ps() to obtain process metadata. These functions are available to epiphany, or anything epiphany executes as a child process.

Last edited by jggimi; 22nd April 2019 at 01:26 PM. Reason: clarity
Reply With Quote
  #9   (View Single Post)  
Old 22nd April 2019
Head_on_a_Stick's Avatar
Head_on_a_Stick Head_on_a_Stick is offline
Real Name: Matthew
Bloaty McBloatFace
 
Join Date: Dec 2015
Location: London
Posts: 146
Default

Quote:
Originally Posted by bsdcord View Post
if an attacker take over
A chroot is not a security feature:

https://deepsec.net/docs/Slides/2015...say_Balazs.pdf
__________________
Linux is for people who hate Windows. BSD is for people who love UNIX.
Reply With Quote
Old 22nd April 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,814
Default

True. From the chroot(2) syscall man page:
Code:
CAVEATS
     There are ways for a root process to escape from the chroot jail.
     Changes to the directory hierarchy made from outside the chroot jail may
     allow a restricted process to escape, even if it is unprivileged.
     Passing directory file descriptors via recvmsg(2) from outside the chroot
     jail may also allow a process to escape.
Reply With Quote
Old 22nd April 2019
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 508
Default

Quote:
Originally Posted by Head_on_a_Stick View Post
A chroot is not a security feature:

https://deepsec.net/docs/Slides/2015...say_Balazs.pdf
With some assumptions it may restrict access to large part of filesystem. The most important:
1. Process is not run as root
2. Process before chrooting does released all file descriptors to the outside environment
3. There are not suid/guid binaries inside chroot directory
4. Process is run on unique user account (not used by other processes outside chroot environment)
5. Does not receive file descriptors from outside of chroot via Unix Domain Socket

I think at least first four are easy to fulfill.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
Old 25th April 2019
bsdcord bsdcord is offline
Port Guard
 
Join Date: Apr 2019
Posts: 23
Default

I have the following error:

Code:
# chroot /usr/local/JAIL/ /usr/local/bin/epiphany
ld.so: epiphany: can't load library 'libjson-glib-1.0.so.6.0'
Killed
# ls -l usr/local/lib/libjson-glib-1.0.so.6.0
-rw-r--r--  1 root  wheel  169680 Oct 11  2018 usr/local/lib/libjson-glib-1.0.so.6.0
Reply With Quote
Old 25th April 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,814
Default

Your changed root directory is /usr/local/JAIL/. This is your new "/" for the epiphany process and any child processes it creates.

Your missing library cannot be found because it is not located in /usr/local/JAIL/usr/local/lib/.

Every file epiphany needs MUST be copied into the chroot structure. This includes all libraries, configuration files, user files, and even device nodes if needed.

Please see post #5 above.
Reply With Quote
Old 25th April 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,814
Default

Looking again at your post, I see that your ls(1) command does not show a leading slash in front of usr. But as you do not show your working directory, it is unclear from your post if you have populated the structure under /usr/local/JAIL/.
Reply With Quote
Old 25th April 2019
bsdcord bsdcord is offline
Port Guard
 
Join Date: Apr 2019
Posts: 23
Default

I'am sorry if I am not clear.
Of course, /usr/local/JAIL is the new root directory and I have populated it with all the library needed.
Code:
# ls -F /usr/local/JAIL/usr/local/lib/  
epiphany/                              libgcr-ui-3.so.3.0                     libgstfft-1.0.so.4.0                   libicuuc.so.13.0                       libpng16.so.17.5
libaspell.so.17.0                      libgcrypt.so.19.5                      libgstgl-1.0.so.3.0                    libintl.so.6.0                         libsecret-1.so.1.0
libatk-1.0.so.21809.2                  libgdk-3.so.2200.3                     libgstpbutils-1.0.so.4.0               libjavascriptcoregtk-4.0.so.2.5        libsoup-2.4.so.10.1
libatk-bridge-2.0.so.0.0               libgdk_pixbuf-2.0.so.3200.1            libgstreamer-1.0.so.4.0                libjpeg.so.69.0                        libsqlite3.so.37.3
libatspi.so.0.2                        libgio-2.0.so.4200.7                   libgsttag-1.0.so.4.0                   libjson-glib-1.0.so.6.0                libtasn1.so.4.0
libbrotlicommon.so.1.1                 libglib-2.0.so.4201.0                  libgstvideo-1.0.so.4.0                 liblzma.so.2.1                         libwebkit2gtk-4.0.so.2.5
libbrotlidec.so.1.1                    libgmodule-2.0.so.4200.7               libgthread-2.0.so.4200.7               libnettle.so.3.0                       libwebp.so.4.0
libcairo-gobject.so.2.0                libgmp.so.10.0                         libgtk-3.so.2200.3                     libnotify.so.4.0                       libwebpdemux.so.2.0
libcairo.so.13.0                       libgobject-2.0.so.4200.7               libharfbuzz-icu.so.1.0                 liborc-0.4.so.6.0                      libwoff2common.so.0.0
libdbus-1.so.11.2                      libgpg-error.so.3.16                   libharfbuzz.so.12.1                    libp11-kit.so.2.0                      libwoff2dec.so.0.0
libenchant-2.so.0.0                    libgraphite2.so.2.0                    libhogweed.so.2.0                      libpango-1.0.so.3800.2                 libxml2.so.16.1
libffi.so.1.2                          libgstallocators-1.0.so.3.0            libhyphen.so.0.0                       libpangocairo-1.0.so.3800.1            libxslt.so.4.0
libfribidi.so.3.0                      libgstapp-1.0.so.4.0                   libiconv.so.6.0                        libpangoft2-1.0.so.3800.1
libgck-1.so.2.0                        libgstaudio-1.0.so.4.0                 libicudata.so.13.0                     libpcre.so.3.0
libgcr-base-3.so.3.0                   libgstbase-1.0.so.4.0                  libicui18n.so.13.0                     libpng.so.17.5@
Reply With Quote
Old 25th April 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,814
Default

Things to check:
  1. These files cannot be symbolic links. They must be copies or hard links.
  2. You must have copied (or hard linked) the runtime link-editor to /usr/local/JAIL/usr/libexec/ld.so
  3. The mount point governing /usr/local/JAIL must have the appropriate mount options selected. For example, you must ensure that the mount option list does not include noexec. And you may need to disable nodev and enable wxallowed, depending upon application requirements. See mount(8).
Reply With Quote
Old 25th April 2019
bsdcord bsdcord is offline
Port Guard
 
Join Date: Apr 2019
Posts: 23
Default

I tried your three hints but nothing.
Reply With Quote
Old 25th April 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,814
Default

Another hint. The ld.so.hints file in /var/run also needs to be copied to the chroot structure. After that, the link-editor will find libraries.

But an X application will fail to connect to the X server display. I was able to replicate the issue with xeyes(1), so this is not specific to epiphany. It is not due to a missing pty or drm device node, as I tested with a full set of devices in the chroot's device directory. It is not due to a missing $HOME/.Xauthority file, either.

My guess is that this is caused by our fairly recent transition to xenodm(1), which runs a more restrictive Xserver and does not permit network connections, even loopback.

But it is just a guess.
Reply With Quote
Old 26th April 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,814
Default

I spent enough time to learn that the connection is refused by XtAppInitialize(3).
Reply With Quote
Old 6th May 2019
bsdcord bsdcord is offline
Port Guard
 
Join Date: Apr 2019
Posts: 23
Default

for me it works, I just need to the DISPLAY variable to connect to X.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
non-chroot nginx/php-fpm Oko OpenBSD Packages and Ports 1 25th December 2015 12:06 PM
httpd.conf chroot morophla OpenBSD General 4 19th April 2015 02:07 PM
ftp jailing ftp-chroot pico OpenBSD Security 4 30th March 2010 06:44 AM
Chroot web-browsing Oko OpenBSD Security 1 29th December 2008 01:37 PM
scponly not working with chroot hamba FreeBSD Security 3 15th May 2008 05:18 PM


All times are GMT. The time now is 05:00 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick