Gentoo Forums
CHROOTING TINYPROXY
nikolei
n00b
Joined: 15 Dec 2003
Posts: 37

PostPosted: Mon Dec 15, 2003 10:18 am    Post subject: CHROOTING TINYPROXY

Here I want to show how to run tinyproxy, a small non-caching HTTP/HTTPS proxy server, within a chroot/jail environment. I will not show how to configure tinyproxy, because the configuration files are self-explanatory and configuration is straightforward (group and user settings for the service are done in the tinyproxy configuration file, as are the filter and access settings etc.).

A non-caching HTTP/HTTPS proxy server makes sense in environments where traffic that is not static has to be controlled and/or directed. Chrooting a service enhances security, because if the service has been compromised, the attacker can only act within the chrooted environment. And in this example, the only program he has access to and can execute is tinyproxy itself.

The problem with running services inside jail/chroot environments is to fulfil all the dependencies the service needs to run. So the main task is to provide a list of the files needed by the service tinyproxy to function properly. I will show the files that have to be copied into the directory /var/chroot/tinyproxy, or whatever directory will hold your tinyproxy installation.

contents of /var/chroot/tinyproxy:
Code:
etc/group
etc/ld.so.conf
etc/localtime
etc/nsswitch.conf
etc/passwd
etc/tinyproxy/filter
etc/tinyproxy/tinyproxy.conf
lib/ld-2.3.2.so
lib/ld-linux.so.2 -> ld-2.3.2.so
lib/libc-2.3.2.so
lib/libc.so.6 -> libc-2.3.2.so
lib/libnsl-2.3.2.so
lib/libnsl.so.1 -> libnsl-2.3.2.so
lib/libnss_compat-2.3.2.so
lib/libnss_compat.so.2 -> libnss_compat-2.3.2.so
lib/libnss_files-2.3.2.so
lib/libnss_files.so.2 -> libnss_files-2.3.2.so
lib/libresolv-2.3.2.so
lib/libresolv.so.2 -> libresolv-2.3.2.so
usr/local/sbin/tinyproxy
usr/share/tinyproxy/debug.html
usr/share/tinyproxy/default.html
usr/share/tinyproxy/stats.html
var/log/
var/run/
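
The listing above was assembled by hand. As an added example (not from the original post or the tinyproxy project), the shell functions below derive such a list from ldd output and from nsswitch.conf, and copy each file into a chroot while recreating the symlink pairs the listing shows. It assumes the usual glibc ldd output format; the source and chroot directories are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not from the original post: derive the file list for a chroot
# the way the listing above was assembled. Assumes ldd(1) output in the usual
# "name => /path (0xaddr)" format and a glibc-style nsswitch.conf; the source
# and chroot directories are whatever the caller passes in.

# Print the absolute library paths named in ldd output read from stdin.
# The vDSO line ("linux-gate.so.1 => (0x...)") has no path and is skipped;
# "not found" lines are skipped too, since there is nothing to copy.
ldd_paths() {
    awk '/not found/ { next }
         { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# NSS modules (libnss_files, libnss_compat, ...) are dlopen()ed at run time
# according to nsswitch.conf, so ldd never lists them; derive their names here.
# "passwd: compat" -> libnss_compat.so.2, "hosts: files dns" -> files + dns.
nss_libs() {
    awk '/^[[:space:]]*#/ { next }
         { sub(/^[^:]*:/, "")
           for (i = 1; i <= NF; i++) if ($i !~ /^\[/) print "libnss_" $i ".so.2" }' "$1" |
        sort -u
}

# Copy SRCROOT/PATH to DEST/PATH. A symlink is recreated as a symlink and its
# target copied as well, giving the same pairs as the listing above
# (lib/libc.so.6 -> libc-2.3.2.so plus the real lib/libc-2.3.2.so).
install_into_chroot() {
    srcroot=$1; dest=$2; path=$3
    mkdir -p "$dest$(dirname "$path")"
    if [ -L "$srcroot$path" ]; then
        target=$(readlink "$srcroot$path")
        rm -f "$dest$path"
        ln -s "$target" "$dest$path"
        case $target in
            /*) install_into_chroot "$srcroot" "$dest" "$target" ;;
            *)  install_into_chroot "$srcroot" "$dest" "$(dirname "$path")/$target" ;;
        esac
    else
        cp -p "$srcroot$path" "$dest$path"
    fi
}

# Usage on a live system (not run here): copy every library tinyproxy links to.
#   ldd /usr/local/sbin/tinyproxy | ldd_paths | while read -r p; do
#       install_into_chroot "" /var/chroot/tinyproxy "$p"; done
```

Because the NSS modules are loaded at run time, a chroot built from ldd output alone lacks them and user or group lookups inside the jail fail; nss_libs names the modules that nsswitch.conf will ask for so they can be copied the same way.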


The file etc/group contains only the group nogroup and the file etc/passwd contains only the user tinyproxy with home directory /var/empty and shell /dev/null (don't forget to create a user like tinyproxy first!):

Code:
grep nogroup /etc/group > /var/chroot/tinyproxy/etc/group
grep tinyproxy /etc/passwd > /var/chroot/tinyproxy/etc/passwd


After that, we have to change the ownership of /var/chroot/tinyproxy to tinyproxy and nogroup. This can be done by executing:

Code:
chown -R tinyproxy:nogroup /var/chroot/tinyproxy


In order to start tinyproxy chrooted, we have to make some changes to the runscript /etc/init.d/tinyproxy.

contents of /etc/init.d/tinyproxy:
Code:
#!/sbin/runscript

depend() {
    use logger dns
    need net
}

start() {
    ebegin "Starting tinyproxy"
    # A leftover pid file means tinyproxy is still running or died uncleanly;
    # refuse to start instead of falling through to start-stop-daemon.
    if [ -f /var/chroot/tinyproxy/var/run/tinyproxy.pid ]; then
        eerror "/var/chroot/tinyproxy/var/run/tinyproxy.pid already exists!!!"
        eerror "Cannot start service!!!"
        eend 1
        return 1
    fi
    # --chroot makes start-stop-daemon chroot() before exec, so --startas is the
    # path inside the jail, while --pidfile is the same file seen from outside
    # (tinyproxy writes /var/run/tinyproxy.pid relative to the jail).
    start-stop-daemon --start --quiet --chroot /var/chroot/tinyproxy --startas \
        /usr/local/sbin/tinyproxy --pidfile /var/chroot/tinyproxy/var/run/tinyproxy.pid
    eend $?
}

stop() {
    ebegin "Stopping tinyproxy"
    start-stop-daemon --stop --pidfile /var/chroot/tinyproxy/var/run/tinyproxy.pid
    eend $?
}


Last but not least we have to assign the runscript to a runlevel, e.g.:

Code:
rc-update add tinyproxy default


and execute it:

Code:
/etc/init.d/tinyproxy start


Finished.
wurminator
n00b
Joined: 18 Nov 2002
Posts: 2
Location: Plön, Germany

PostPosted: Sat Jan 03, 2004 11:24 pm

Hi!
After reading your post I tried to chroot my tinyproxy,
but I have one problem:

Code:
root@gentoo log # /etc/init.d/tinyproxy start
 * Starting tinyproxy...
/usr/sbin/tinyproxy: Unable to find group "nogroup".   [ ok ]


My group looks like this:
Code:
root@gentoo root # cat /var/chroot/tinyproxy/etc/group
nogroup::65533:tinyproxy


What is the problem?
floam
Veteran
Joined: 27 Oct 2002
Posts: 1067
Location: Vancouver, WA USA

PostPosted: Sat Jan 03, 2004 11:33 pm

Caps :(
_________________
Think about your breathing.
http://floam.sh.nu