To minimise the consequences of compromise of a daemon, run publicly-accessible services within a "jail" (from the daemon's point of view) or "sandpit" (from ours). The simplest way to do this is to make use of the chroot command, which wraps the chroot() system call: chroot() changes the root directory of a process (/proc/<procno>/root). Should an intruder manage to gain a shell on a host via a chrooted daemon, they will have to break out of the "jail" too in order to set up their own services or cause (other) system damage.
Recipes exist for some daemons/services, notably Apache and Bind, but for most it's a case of following these guidelines and being prepared for a little trial and error. The basic technique is to run the daemon under strace and look for the files it tried to open and could not find (strace reports these as ENOENT):

    strace squid >& /tmp/squid.strace
    fgrep ENOENT /tmp/squid.strace
Here we outline how to chroot the Squid Web proxy. (Squid actually contains a configuration option to chroot itself upon startup. Nevertheless, this example well illustrates the principles involved.)
N.B. These notes were written from memory, after chrooting Squid and have not been tested (by building a second jail from scratch by following these notes) — so beware! Corrections welcome.
Create the jail:

    prompt> mkdir /chroot_squid

and the directories below this (bin, dev, etc, lib, usr, usr/local...).
Find the shared libraries Squid is linked against:

    ldd /usr/local/squid/sbin/squid
        libcrypt.so.1 => /lib/libcrypt.so.1
        libpthread.so.0 => /lib/libpthread.so.0
        libm.so.6 => /lib/libm.so.6
        libresolv.so.2 => /lib/libresolv.so.2
        libnsl.so.1 => /lib/libnsl.so.1
        libc.so.6 => /lib/libc.so.6
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2

and copy these into the /chroot_squid tree, i.e., to /chroot_squid/lib.
Starting Squid in the jail with

    chroot /chroot_squid /usr/local/squid/sbin/squid

will fail.
To see what it is looking for, run it under strace, tracing only open() calls:

    strace -o /tmp/squid.strace -v -f -r -e trace=open -tt \
        /usr/local/squid/sbin/squid

and, after a few seconds, kill the strace/squid process and examine the contents of /tmp/squid.strace, e.g.,
    fgrep \.so /tmp/squid.strace

which gives us this list:
    /lib/libcrypt.so.1
    /lib/libpthread.so.0
    /lib/libm.so.6
    /lib/libresolv.so.2
    /lib/libnsl.so.1
    /lib/libc.so.6
    /lib/libnss_files.so.2
    /lib/libnss_compat.so.2
    /lib/libnss_nis.so.2
    /lib/libnsl.so.1
    /lib/libnss_dns.so.2

Copy the extra libraries from /lib to /chroot_squid/lib.
Our squid.conf also uses an external authentication helper:

    auth_param basic program /usr/local/squid/libexec/pam_auth

and ldd /usr/local/squid/libexec/pam_auth gives some further libraries to copy to our chroot_squid tree:
    libpam.so.0 => /lib/libpam.so.0
    libdl.so.2 => /lib/tls/libdl.so.2

Supporting PAM configuration and libraries must also be installed:
    /chroot_squid/etc/pam.d/squid
    /chroot_squid/lib/security/pam_ldap.so
    /chroot_squid/lib/security/pam_unix_auth.so
We try again:

    chroot /chroot_squid /usr/local/squid/sbin/squid

but again it fails. It's time for brute force: trace every system call, not just open().
    strace -o /tmp/squid.strace -v -f -r /usr/local/squid/sbin/squid

Examining the (tedious) output shows two devices that are required in our chroot jail:
    /dev/null
    /dev/log

For the first,

    ls -l /dev/null
    crw-rw-rw- 1 root root 1, 3 2005-03-21 08:39 /dev/null

so
    cd /chroot_squid/dev
    mknod null c 1 3
For the second, /dev/log is a Unix-domain socket created by syslogd, so have syslogd create an additional socket inside the jail. In the syslogd startup configuration set

    SYSLOGD="-m 0 -a /chroot_squid/dev/log"

which is equivalent to running
    /sbin/syslogd -m 0 -a /chroot_squid/dev/log

We now have our two required devices:
    ls -l /chroot_squid/dev
    srw-rw-rw- 1 root root 0 2004-06-21 18:08 log
    crw-rw-rw- 1 root root 1, 3 2004-06-21 18:23 null

and Squid will now start in the chroot jail.
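The ldd/strace loop above, distilled into reusable shell functions. This is an added example, not part of the original notes; the strace and ldd output it parses is constructed sample text, and the jail path and library names in the test data are hypothetical.

```shell
#!/bin/sh
# Helpers for the "trace, find what is missing, copy it in" loop used to
# build the jail: extract ENOENT paths from strace output, extract library
# paths from ldd output, and copy those libraries into the jail tree.

# Constructed sample strace output (strace -f -tt style), not a real capture.
SAMPLE_STRACE='12345 10:00:01.000001 open("/etc/resolv.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
12345 10:00:01.000002 open("/lib/libnss_files.so.2", O_RDONLY) = 3
12345 10:00:01.000003 open("/etc/nsswitch.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
12346 10:00:01.000004 open("/etc/resolv.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
12345 10:00:01.000005 connect(4, {sa_family=AF_UNIX, path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)'

# Constructed sample ldd output; the vDSO entry has no file to copy.
SAMPLE_LDD='        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40020000)
        libc.so.6 => /lib/libc.so.6 (0x40050000)
        linux-gate.so.1 =>  (0xffffe000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# missing_paths: read strace output on stdin and print, sorted and
# de-duplicated, the first quoted path on every line that failed with ENOENT.
# Works for open() as well as connect() on a Unix socket such as /dev/log.
missing_paths() {
    grep 'ENOENT' | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p' | sort -u
}

# ldd_libs: read ldd output on stdin and print the resolved library paths,
# skipping entries (like linux-gate.so.1) that resolve to no file on disk.
ldd_libs() {
    awk '/=>/ && $3 ~ /^\// { print $3 }'
}

# populate_jail_libs JAIL: for each library path on stdin, recreate its
# directory under JAIL and copy it there (permissions kept, no overwrite).
populate_jail_libs() {
    jail=$1
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        [ -e "$jail$lib" ] || cp -p "$lib" "$jail$lib"
    done
}

# make_dev_null JAIL: recreate /dev/null in the jail as character device
# major 1, minor 3, matching the ls -l output above. Needs root.
make_dev_null() {
    mkdir -p "$1/dev"
    [ -c "$1/dev/null" ] || mknod "$1/dev/null" c 1 3
    chmod 666 "$1/dev/null"
}
```

Typical use is `strace -o /tmp/squid.strace -f chroot JAIL BINARY`, then `missing_paths < /tmp/squid.strace` to see the next batch of files to copy in, and `ldd BINARY | ldd_libs | populate_jail_libs JAIL` for each binary or helper placed in the jail.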
Docs -- examples:

-- Bind-Chroot-Howto (Debian): http://www.falkotimme.com/howtos/debian_bind_chroot/index.php
-- apache: http://www.linux.com/article.pl?sid=04/05/24/1450203
-- http://www.l0t3k.org/security/docs/chrooting/:
   -- 'chroot' an Apache tree with Linux and Solaris (Howto). Published on 2001-02-26, by Denice Deatrich, ©Denice Deatrich.
   -- Apache chrooting made simple. Published on 2004, by Ivan Ristic, ©Ivan Ristic.
   -- Chroot-BIND HOWTO. Published on December 01, 2001, by Scott Wunsch, losurs.org.
   -- Chroot-BIND8 HOWTO. Published on July 01, 2001, by Scott Wunsch, losurs.org.
   -- Chrooting daemons and system processes HOW-TO. Published on October 21, 2002, by Jonathan, www.nuclearelephant.com.
   -- Linux Process Containment: A practical look at chroot and User Mode Linux. Published on June 03, 2003, by Paul Lessard, ©SANS Institute.
   -- Setting up chrooted sftp in linux. Published on 2003, by James Dennis, ©James Dennis.