PS in Jail

Buge · Posted: Fri Apr 16, 2004 8:28 am Post subject: PS in Jail

I have set up a jail on my external (web-)server so users can deploy their modules in the web container running on the server.

I have received a request for users to be able to use ps, but for that I would have to mount proc in the jail (right?). How can I do this in a safe way, so I do not compromise the advantages I have by using the jail?

Thanks in advance,
Buge

mikulus · Tux's lil' helper Joined: 03 Jun 2002 Posts: 77

I found this while searching on Google:

http://worldserver3.oleane.com/bouynot/gabuzomeu/alex/doc/apache/index-en.html

Please take a look at the "My File" link within the web page. It shows that he mounted the /proc file system via script as:

mikulus · Tux's lil' helper Joined: 03 Jun 2002 Posts: 77

Debian security manual also has a similar work-around. This script seems to be better:

http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-apache-env.en.html

Here is the code:

Buge · Posted: Fri Apr 16, 2004 7:33 pm Post subject:

Thanks for your reply.

I'm not really looking for a script that simply mounts /proc however. In fact, I am not even using apache. Just JBoss ;-)

What I am looking for, is a way to provide ps with whatever it needs from /proc without needing to mount all of proc (if that is even possible?).
Or should I just mount proc anyway?

Thanks,
Buge

mikulus · Tux's lil' helper Joined: 03 Jun 2002 Posts: 77

I think if you want to provide access to ps, you will have to mount the entire /proc. I don't beleive there is a way to partially mount /proc. If you consider this a security risk, my recommendation is -- don't do it. Your users will have to live without ps.
_________________
"Two things are infinite - the universe and human stupidity. And I am not sure about the universe."

neuron · Advocate Joined: 28 May 2002 Posts: 2371

theory solution.

chown root:weirdgroup
mount --bind /proc -t proc /opt/glftpd/proc
chown root:weirdgroup /opt/glftpd/proc
chown root:weirdgroup /opt/glftpd/bin/ps
chmod uo-rwx /opt/glftpd/proc
chmod g+s /opt/glftpd/bin/ps

no idea if it'll work though. Dont know how well it works to chown binds, you might be altering the original dir.

Could be you could put the bind in /opt/glftpd/bla/proc
then chown that and ln -s /proc /bla/proc in the chroot

creese · n00b Joined: 13 Aug 2003 Posts: 58 Location: Folsom, CA

How about setting up xinetd to run the appropriate ps command when a TCP connection to 127.0.0.1:xxx is opened. Then your users can execute the ps command simply by openning a connection and reading.

Chris W · Posted: Sun Apr 18, 2004 12:11 am Post subject:

I'm struggling to think of a single valid reason for a Java-based web application to require the output of the ps command. If you can think a good reason then you might want to look into the vserver extensions to the Linux kernel. Users within a security context can run ps but will only ever see processes belonging to their context. There are issues with the networking of such a solution which may be problematic depending on your environment.

You may be able to selectively mount bits of /proc using the bind option to mount but you need all the process directories in /proc (i.e. pid# directories) which are, of course, a moving target.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein

Buge · Posted: Sun Apr 18, 2004 12:59 pm Post subject:

Thanks for all your replies!

I'm going to take a look at the options whenever I have some free time again, but in the end, it will probably end being no ps for the users. :wink:

Thanks again!

garn · Tux's lil' helper Joined: 10 Sep 2003 Posts: 131

The grsecurity kernel patch lets you restrict /proc as well, so users can't see netstat and such information, as well as ps listing.