DaemonForums  

chrooting bitchx

#1 nullpointer, 19th March 2009

Hi,

I'm having a problem chrooting bitchx.
I ran ldd to list the object dependencies that bitchx is using:

ldd `whereis BitchX`

/usr/local/bin/BitchX
/usr/lib/libcrypto.so.14.0
/usr/lib/libm.so.3.0
/usr/lib/libncurses.so.10.0
/usr/lib/libssl.so.48.0
/usr/libexec/ld.so

and copied them (as root) to my chrooted directory, copied /dev/MAKEDEV to the chroot dev directory,
changed to /chrooted/dev and executed sh MAKEDEV all,
then

$ sudo chroot /chrooted/ /bin/sh

but when I try to run BitchX, I'm still getting an error:

# BitchX
Version (BitchX-1.0c18)
Process[17200]
Using terminal type [vt220]
setupterm failed: -1
so we'll be running in dumb mode...

I think I've created all the dependencies and all the dev files.
Any suggestions? Did I miss something? Thanks in advance!

#2 jggimi, 20th March 2009

My guess #1: the mount point for /chrooted is set nodev or nosuid.

My guess #2: the application attempts to mknod(2), which isn't permitted in a chrooted environment.

Last edited by jggimi; 20th March 2009 at 02:32 AM.

#3 nullpointer, 20th March 2009

I mounted the chrooted directory without nodev and nosuid, so I guess it has something to do with mknod... gheee!... It's harder than I thought.. I think I have to google more on how to jail most of my programs. Thanks for the reply.

#4 nullpointer, 20th March 2009

I just want to update my post.. I solved my problem.. I ran systrace and found out that I have to copy /usr/share/misc/terminfo.db to my chrooted directory. It works..
Reply With Quote
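
The fix in the post above shows why copying only what ldd lists is not enough: ldd reports shared objects, not data files a program opens at run time, such as terminfo.db. As an added example (not part of the original posts), here is a small sh helper that stages both kinds of file into a chroot tree and reports anything it cannot find; the function names and the SRC_ROOT argument are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and the SRC_ROOT
# argument are hypothetical. SRC_ROOT "" means "copy from the live system".

# extract_paths: read ldd-style output on stdin and print every absolute
# path once. Address and type columns never start with "/", so they are
# dropped; a trailing ":" after the binary name is stripped.
extract_paths() {
    tr -s ' \t' '\n' | sed 's/:$//' | grep '^/' | sort -u
}

# stage_file SRC_ROOT JAIL PATH: copy one file into the jail under the
# same absolute path, creating parent directories as needed.
stage_file() {
    src="$1$3"
    dst="$2$3"
    if [ ! -e "$src" ]; then
        echo "missing: $3" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dst")" && cp -p "$src" "$dst"
}

# populate_chroot SRC_ROOT JAIL [EXTRA...]: ldd output arrives on stdin;
# EXTRA names run-time data files that ldd cannot know about.
# Returns non-zero if any listed file could not be staged.
populate_chroot() {
    src_root="$1"
    jail="$2"
    shift 2
    rc=0
    for p in $(extract_paths) "$@"; do
        stage_file "$src_root" "$jail" "$p" || rc=1
    done
    return "$rc"
}

# Usage on the system from the thread (paths taken from the posts):
#   ldd /usr/local/bin/BitchX |
#       populate_chroot "" /chrooted /usr/share/misc/terminfo.db
```

A non-zero return together with a "missing:" line on stderr means the jail is incomplete and the program may fall back or fail inside it.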

#5 jggimi, 20th March 2009

Great!

----

I have used chrooted environments quite a lot. Not for security, except for the default chrooted Apache or chrooted BIND.

Instead, I've used them as inexpensive ways to get high-performance virtualization -- via a 100% virtualized filesystem, of course. Unfortunately, imposed limitations on chroot for security, such as mknod(2) restrictions, can render chrooted environments unworkable for any number of applications.

#6 IIMarckus, 21st March 2009

What are the advantages of chrooting bitchx or another IRC client? Security?

#7 ocicat, 21st March 2009

Quote:
Originally Posted by IIMarckus
Security?

Yes. chroot(8) effectively changes the root directory such that the "real" root directory, configuration files, libraries, & binaries not present in the chroot'ed directory are completely hidden/inaccessible/protected from a process running in the chroot'ed directory.

Given the shenanigans & holes exploited in the IRC world, chroot(8) can help secure a client's system from malicious intent.

#8 Oko, 21st March 2009

I was watching the above discussion with great interest and I have a couple of questions of my own which might be a little bit OT. Can somebody summarize in a couple of sentences the principal differences between FreeBSD jails and OpenBSD chroot? I noticed that sysjail can still be compiled with patches on OpenBSD 4.4. I know that sysjail has documented vulnerabilities. Is the project completely abolished now? What were the potential benefits of sysjail over chroot?

Thank you
OKO

#9 jggimi, 21st March 2009

Here's one perspective on naked chroot:
  • The only thing virtualized is the filesystem.
  • Everything else remains exactly the same. This includes the process tree, memory access, and system calls.
  • There are some restrictions on filesystem activity that block the use of features which might allow a surreptitious "breaking out" of the chroot.
Jails add process policy restrictions that either virtualize the chrooted processes, or limit their capabilities. The no-longer-active "sysjail" technique developed for OpenBSD used systrace(4) for this purpose.

Oko, 21st March 2009

Can you now put into context for me the following

http://www.undeadly.org/cgi?action=a...20090201164147

I am first and foremost interested in chroot and jails as additional security tools.
I am not interested in virtualization at all.

BSDfan666, 21st March 2009

Logical Domains are an architectural feature of some UltraSPARC systems, basically a hardware assisted virtualization.. totally unrelated to this chroot/sysjail discussion.

As mentioned by jggimi, sysjail was an effort to create a FreeBSD jail-like environment for OpenBSD/NetBSD using existing frameworks, chroot(2) and systrace(4).

A long standing assumption has been that systrace is completely secure, it clearly isn't.. but it can be used for temporarily restricting access to specific system calls and resources.

For example, it might stop an evil program from doing evil things.. presuming the program isn't aware of a systrace vulnerability.

Quote:
Originally Posted by http://sysjail.bsd.lv/
IMPORTANT: Due to handling semantics of user/kernel memory in concurrent environments, the sysjail tools, in inheriting from systrace(4), are vulnerable to exploitation. Details available here. Many thanks to Robert Watson for discovering these issues! Until these problems have been addressed, we do not recommend using sysjail (or any systrace(4) tools, including systrace(1)) for security purposes. sysjail is no longer maintained.

That said, it is still part of the OpenBSD base system.. and many others.. it can still be useful in some situations.. depending on how you use it.

FreeBSD jails have a lot of kernel support, the architecture is different.. presumably this is all documented if you're willing to search for it.

http://en.wikipedia.org/wiki/FreeBSD_jail
http://en.wikipedia.org/wiki/Systrace
http://sysjail.bsd.lv/

I hope that clears some things up, UltraSPARC LDOMS are a possibly similar but different topic.

jggimi, 21st March 2009

Solaris "Zones" are jails, as I understand them -- the Global Zone is the native userland, other zones are jails.

Unfortunately, Sun has made Zones an intentional obfuscation -- as they not only offer some jail techniques, they also provide some hardware virtualization management interfaces on those Sun platforms that support hardware virtualization.

Sun, by the way, has had hardware virtualization capability since they acquired the SGI division of Cray that made the CS64000, re-badged by Sun as the E10000.

Hardware virtualization has been around since the mid-1980s on large scale servers. It began, I believe, with Amdahl Corporation's Multiple Domain Facility (MDF) for their System/370 compatible mainframes.

Last edited by jggimi; 21st March 2009 at 04:53 PM.
Content copyright © 2007-2010, the authors