chroot, how ?
Hi,
I need to put a browser in a chroot environment... Any easy way to achieve my goal? How to? A doc? A tutorial? Or any script or tool? Has anyone tried jailkit? I tried it, but it looks Linux-only (and IMHO very complicated... some software is more complicated than the basic manual steps).
I know about unveil and chrome; also, another open directory is .config, then you can create an autostart folder inside it with a bin to run.
Anyway, I need to chroot epiphany. How?
EVERYTHING the epiphany browser needs to access from a filesystem must be located within the chroot:
If epiphany isn't a hard requirement, you may consider Firefox, which has a much smaller list of dynamically linked dependencies:
Code:
/home/brian $ ldd /usr/local/bin/firefox
/usr/local/bin/firefox:
        Start            End              Type  Open Ref GrpRef Name
        0000170eb9c00000 0000170eb9c32000 exe   2    0   0      /usr/local/bin/firefox
        000017113fea5000 000017113ff7e000 rlib  0    1   0      /usr/lib/libc++.so.2.1
        00001710ea488000 00001710ea4cb000 rlib  0    2   0      /usr/lib/libc++abi.so.0.1
        0000171133962000 000017113396e000 rlib  0    1   0      /usr/lib/libpthread.so.26.1
        000017114db6d000 000017114db9c000 rlib  0    1   0      /usr/lib/libm.so.10.1
        00001710ed27c000 00001710ed371000 rlib  0    1   0      /usr/lib/libc.so.95.0
        000017115df94000 000017115df94000 ld.so 0    1   0      /usr/libexec/ld.so
OK, I understand, but after I've copied all the needed files and libraries, how can I run epiphany?
Just chroot /my/path/to/chroot /usr/local/bin/epiphany? Of course I don't need shells like ksh, or ps, and so on... Then, if an attacker takes over the process, can he get the list of processes? I think yes, he just has to ask the kernel...
A chroot(2) is not a virtual machine, docker, or jail. It merely defines a point in the directory structure as the new root directory "/" for a process and its children. As I noted in your other thread, this does not hide any process metadata.
Obviously, if there is no /bin/ps utility in the chroot directory structure, epiphany cannot run the ps(1) utility directly. But the C library must be included in your chroot() structure, and the C library includes the complete set of kvm(3) functions used by ps(1) to obtain process metadata. These functions are available to epiphany, or anything epiphany executes as a child process.
Last edited by jggimi; 22nd April 2019 at 01:26 PM. Reason: clarity
True. From the chroot(2) syscall man page:
Code:
CAVEATS
     There are ways for a root process to escape from the chroot jail.
     Changes to the directory hierarchy made from outside the chroot jail
     may allow a restricted process to escape, even if it is unprivileged.
     Passing directory file descriptors via recvmsg(2) from outside the
     chroot jail may also allow a process to escape.
Quote:
1. Process is not run as root.
2. Process has released all file descriptors to the outside environment before chrooting.
3. There are no suid/sgid binaries inside the chroot directory.
4. Process is run under a unique user account (not used by other processes outside the chroot environment).
5. Process does not receive file descriptors from outside of the chroot via a Unix domain socket.

I think at least the first four are easy to fulfill.
I have the following error:
Code:
# chroot /usr/local/JAIL/ /usr/local/bin/epiphany
ld.so: epiphany: can't load library 'libjson-glib-1.0.so.6.0'
Killed
# ls -l usr/local/lib/libjson-glib-1.0.so.6.0
-rw-r--r--  1 root  wheel  169680 Oct 11  2018 usr/local/lib/libjson-glib-1.0.so.6.0
Your changed root directory is /usr/local/JAIL/. This is your new "/" for the epiphany process and any child processes it creates.
Your missing library cannot be found because it is not located in /usr/local/JAIL/usr/local/lib/. Every file epiphany needs MUST be copied into the chroot structure. This includes all libraries, configuration files, user files, and even device nodes if needed. Please see post #5 above.
Looking again at your post, I see that your ls(1) command does not show a leading slash in front of usr. But as you do not show your working directory, it is unclear from your post if you have populated the structure under /usr/local/JAIL/.
I'm sorry if I am not clear.
Of course, /usr/local/JAIL is the new root directory and I have populated it with all the libraries needed.
Code:
# ls -F /usr/local/JAIL/usr/local/lib/
epiphany/                 libgcr-ui-3.so.3.0            libgstfft-1.0.so.4.0      libicuuc.so.13.0                 libpng16.so.17.5
libaspell.so.17.0         libgcrypt.so.19.5             libgstgl-1.0.so.3.0       libintl.so.6.0                   libsecret-1.so.1.0
libatk-1.0.so.21809.2     libgdk-3.so.2200.3            libgstpbutils-1.0.so.4.0  libjavascriptcoregtk-4.0.so.2.5  libsoup-2.4.so.10.1
libatk-bridge-2.0.so.0.0  libgdk_pixbuf-2.0.so.3200.1   libgstreamer-1.0.so.4.0   libjpeg.so.69.0                  libsqlite3.so.37.3
libatspi.so.0.2           libgio-2.0.so.4200.7          libgsttag-1.0.so.4.0      libjson-glib-1.0.so.6.0          libtasn1.so.4.0
libbrotlicommon.so.1.1    libglib-2.0.so.4201.0         libgstvideo-1.0.so.4.0    liblzma.so.2.1                   libwebkit2gtk-4.0.so.2.5
libbrotlidec.so.1.1       libgmodule-2.0.so.4200.7      libgthread-2.0.so.4200.7  libnettle.so.3.0                 libwebp.so.4.0
libcairo-gobject.so.2.0   libgmp.so.10.0                libgtk-3.so.2200.3        libnotify.so.4.0                 libwebpdemux.so.2.0
libcairo.so.13.0          libgobject-2.0.so.4200.7      libharfbuzz-icu.so.1.0    liborc-0.4.so.6.0                libwoff2common.so.0.0
libdbus-1.so.11.2         libgpg-error.so.3.16          libharfbuzz.so.12.1       libp11-kit.so.2.0                libwoff2dec.so.0.0
libenchant-2.so.0.0       libgraphite2.so.2.0           libhogweed.so.2.0         libpango-1.0.so.3800.2           libxml2.so.16.1
libffi.so.1.2             libgstallocators-1.0.so.3.0   libhyphen.so.0.0          libpangocairo-1.0.so.3800.1      libxslt.so.4.0
libfribidi.so.3.0         libgstapp-1.0.so.4.0          libiconv.so.6.0           libpangoft2-1.0.so.3800.1
libgck-1.so.2.0           libgstaudio-1.0.so.4.0        libicudata.so.13.0        libpcre.so.3.0
libgcr-base-3.so.3.0      libgstbase-1.0.so.4.0         libicui18n.so.13.0        libpng.so.17.5@
Things to check:
I tried your three hints, but nothing.
Another hint. The ld.so.hints file in /var/run also needs to be copied to the chroot structure. After that, the link-editor will find libraries.
But an X application will fail to connect to the X server display. I was able to replicate the issue with xeyes(1), so this is not specific to epiphany. It is not due to a missing pty or drm device node, as I tested with a full set of devices in the chroot's device directory. It is not due to a missing $HOME/.Xauthority file, either. My guess is that this is caused by our fairly recent transition to xenodm(1), which runs a more restrictive Xserver and does not permit network connections, even loopback. But it is just a guess.
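An added example, not code from any poster in this thread: a POSIX sh script that parses the OpenBSD ldd(1) output format shown earlier (Start End Type Open Ref GrpRef Name), copies the program and every listed shared object into the jail under its original path, and also copies /var/run/ld.so.hints as the post above recommends. The function names are my own; the jail path /usr/local/JAIL and the epiphany binary path are the ones used in the thread.

```shell
#!/bin/sh
# Added example for this thread, not any poster's code: populate a chroot
# directory with a program and the shared objects OpenBSD's ldd(1) lists
# for it. Assumes the OpenBSD ldd(1) output format shown in the thread.

# Read ldd(1) output on stdin; print the path of every shared object
# (rlib, dlib) and of the dynamic linker (ld.so). The "exe" line is the
# program itself and the header line has "Type" in column 3, so both
# are skipped. Sorted in the C locale so the order is deterministic.
ldd_libs() {
    awk 'NF == 7 && ($3 == "rlib" || $3 == "dlib" || $3 == "ld.so") { print $7 }' |
        LC_ALL=C sort -u
}

# Copy one file into the jail, keeping its absolute path relative to the
# new "/" (so /usr/lib/libc.so.95.0 lands in $jail/usr/lib/).
jail_copy() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Read ldd(1) output on stdin and copy each listed object into the jail.
jail_copy_ldd() {
    jail=$1
    ldd_libs | while read -r lib; do
        jail_copy "$jail" "$lib"
    done
}

# Copy the program, its libraries, and the link-editor's hints file.
# Usage: jail_populate /usr/local/JAIL /usr/local/bin/epiphany
jail_populate() {
    jail=$1
    prog=$2
    jail_copy "$jail" "$prog"
    ldd "$prog" | jail_copy_ldd "$jail"
    # ld.so consults /var/run/ld.so.hints to locate library directories;
    # without it inside the jail the libraries are not found (see above).
    if [ -f /var/run/ld.so.hints ]; then
        jail_copy "$jail" /var/run/ld.so.hints
    fi
}
```

Run jail_populate once per program you want in the jail; libraries that epiphany dlopen(3)s at run time (dlib lines only appear while the program is running) still have to be copied by hand, as do configuration files and device nodes.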
For me it works; I just need to set the DISPLAY variable to connect to X.