luca Guru
Joined: 11 Feb 2004 Posts: 374
Posted: Tue Aug 15, 2006 9:54 am Post subject: How To run apps in a chrooted environment (SOLVED)
Hi All
I was wondering how to run programs, for example apache, in a chrooted environment, and does this guarantee this chrooted tool cannot harm the system?
Thnx a lot
LuCa
Last edited by luca on Wed Aug 16, 2006 6:29 am; edited 1 time in total

chrismortimore l33t
Joined: 03 Dec 2005 Posts: 721 Location: Edinburgh, UK
Posted: Tue Aug 15, 2006 10:00 am
I'd imagine you'd just run: chroot [CHROOT LOCATION] /etc/init.d/apache2 start
Anything run in chroot only has access to anything under the chroot directory, because chroot just changes the root directory to what it is told, and you can't go up a level from the new root.
_________________
Desktop: AMD Athlon64 3800+ Venice Core, 2GB PC3200, 2x160GB 7200rpm Maxtor DiamondMax 10, 2x320GB WD 7200rpm Caviar RE, Nvidia 6600GT 256MB
Laptop: Intel Pentium M, 512MB PC2700, 60GB 5400rpm IBM TravelStar, Nvidia 5200Go 64MB

luca Guru
Joined: 11 Feb 2004 Posts: 374
Posted: Tue Aug 15, 2006 10:35 am
thx
I tried something very simple (which didn't work):
I've a perl script that shows the output from 'ls -al'
So I did as you suggested (as root):
Code: |
chroot /tmp/test_dir /tmp/my_test_tool.pl |
the output is
chroot: cannot run command `/tmp/my_test_tool.pl': No such file or directory
So my question is why can't this perl program run, what should I change to get this working ?
thnx
LuCa
ps just for those who wondered what my perl script looks like
Code: |
#! /usr/local/bin/perl -l
use warnings;
use strict;
my @a = `ls -al` ;
print for @a ;
|

chrismortimore l33t
Joined: 03 Dec 2005 Posts: 721 Location: Edinburgh, UK
Posted: Tue Aug 15, 2006 11:08 am
For ease, let's say your chroot environment is at /mnt/chroot.
Is your /tmp/my_test_tool.pl actually at /tmp/my_test_tool.pl or is it at /mnt/chroot/tmp/my_test_tool.pl?

luca Guru
Joined: 11 Feb 2004 Posts: 374
Posted: Tue Aug 15, 2006 11:14 am
both the dir and file are inside /tmp

chrismortimore l33t
Joined: 03 Dec 2005 Posts: 721 Location: Edinburgh, UK
Posted: Tue Aug 15, 2006 11:17 am
Out of curiosity, post the output of "ls /tmp/test_dir/". I'm not fully convinced I'm understanding how your system is set up, and it'll tell me.

luca Guru
Joined: 11 Feb 2004 Posts: 374
Posted: Tue Aug 15, 2006 11:55 am
I just copied the file my_test_tool.pl into it, so that's the only thing inside!
Do I need more ?
LuCa

chrismortimore l33t
Joined: 03 Dec 2005 Posts: 721 Location: Edinburgh, UK
Posted: Tue Aug 15, 2006 12:28 pm
Yeah, a working gentoo system in there. I get the impression you don't know what chroot actually does.
This guide will take you through making a chroot environment: http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2#doc_chap2
I know it says it's for AMD64, but that actually doesn't matter. Just ignore the bit at the end about installing "setarch" and don't put "linux32" in front of the "chroot" command in the setup section of the guide.

chrbecke Guru
Joined: 12 Jul 2004 Posts: 598 Location: Berlin - Germany
Posted: Tue Aug 15, 2006 12:36 pm Post subject: Re: How To run apps in a chrooted environment
luca wrote: |
I was wondering how to run programs, for example apache, in a chrooted environment, and does this guarantee this chrooted tool cannot harm the system
WRT apache, you might want to see this HOWTO.
To run other programs in a chroot jail, you will have to copy all files needed to run the program into the dir you want to chroot to.
E.g., to run a chrooted bash, you would have to do the following:
Code: |
mkdir /tmp/mychroot
mkdir /tmp/mychroot/lib
mkdir /tmp/mychroot/bin
cp /lib/ld-linux.so.2 /lib/libc.so.6 /lib/libdl.so.2 /lib/libncurses.so.5 /tmp/mychroot/lib
cp /bin/bash /tmp/mychroot/bin
chroot /tmp/mychroot/ /bin/bash |
Now you've got a chrooted bash. But you can't do much with it, because you haven't got any tools in the chroot: try "ls" from the chrooted bash, and it will fail because you haven't got the ls command. So, to have a working "ls" in your chroot, you have to copy /bin/ls and all needed libraries over to the chroot dir... and so on.
You can find out which libraries a command needs by running (not in the chroot): Code: | ldd $(which $command) | (replace $command with whatever command you want, e.g. "ls").
You don't necessarily need a full-blown gentoo system in the chroot as chrismortimore says, it depends on the programs you want to run in the chroot. |
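
Added example (not part of the thread): chroot reports the same "No such file or directory" whether the program itself, the interpreter on its "#!" line, or (for a binary) its dynamic loader is absent from the jail. The hypothetical helper jail_missing below lists every file a program still needs under a given chroot directory, using ldd on the host as described above.

```sh
#!/bin/sh
# Added example, not from the thread. jail_missing is a hypothetical helper.
# Usage: jail_missing ROOT PATH
#   ROOT  chroot directory on the host, e.g. /tmp/mychroot
#   PATH  absolute path of the program as seen from inside the jail
# Prints, one per line, each file exec'ing PATH needs that ROOT lacks.
jail_missing() (
    root=${1%/}
    prog=$2
    src=$root$prog
    if [ ! -e "$src" ]; then
        echo "$prog"            # the program itself is not in the jail
        src=$prog               # inspect the host copy to learn what it needs
        [ -e "$src" ] || exit 0
    fi
    # Script: the kernel execs the interpreter named on the "#!" line, and a
    # missing interpreter yields the same "No such file or directory" error.
    if [ "$(head -c 2 "$src" 2>/dev/null)" = '#!' ]; then
        interp=$(sed -n '1s/^#![[:space:]]*\([^[:space:]]*\).*/\1/p' "$src")
        [ -z "$interp" ] || jail_missing "$root" "$interp"
        exit 0
    fi
    # ELF binary: ldd names the dynamic loader and every shared library.
    # Run ldd only on binaries you trust; it can execute code from the file.
    ldd "$src" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
        while read -r lib; do
            [ -e "$root$lib" ] || echo "$lib"
        done
    exit 0
)

# Run as a script: sh jail_missing.sh /tmp/mychroot /bin/ls
if [ $# -eq 2 ]; then
    jail_missing "$1" "$2"
fi
```

Paths are tested from the host with [ -e ], which follows symlinks using the host's root, so an absolute symlink inside the jail can be reported as present even though it dangles once chroot has been applied.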

luca Guru
Joined: 11 Feb 2004 Posts: 374
Posted: Tue Aug 15, 2006 1:38 pm
Ok, that was the missing information!
Is this something people often do, to run apache in a chrooted environment ?
It works great, thnx you all !!
LuCa

nielchiano Veteran
Joined: 11 Nov 2003 Posts: 1287 Location: 50N 3E
Posted: Tue Aug 15, 2006 2:24 pm Post subject: Re: How To run apps in a chrooted environment
chrbecke wrote: | You can find out which libraries a command needs by running (not in the chroot): Code: | ldd $(which $command) | (replace $command with whatever command you want, e.g. "ls"). |
Off topic, but might be useful. This piece of bash finds and copies over the binary and all required libraries:
Code: |
function copybinlib {
    # usage:
    #   copybinlib binarysrc binarydst libdstdir
    #
    # Copies the given binary to the specified destination,
    # finds out which libs are dynamically needed, and copies those to libdstdir.
    echo " $1"
    cp "$1" "$2"
    # Keep only the resolved path from each "name => /path (0xaddr)" or "/path (0xaddr)" line of ldd output.
    for lib in $( ldd "$1" | perl -ne 'next unless s{^\s*(?:([-a-zA-Z0-9_.+]+) => )?([-a-zA-Z0-9_.+/]+) \(0x[0-9a-fA-F]+\)$}{$2}; print;' ); do
        echo " $lib"
        cp "$lib" "$3"
    done
}
|
then run as shown in the comment: Code: | copybinlib /bin/ls /mnt/chroot/bin/ /mnt/chroot/lib/ |

luca Guru
Joined: 11 Feb 2004 Posts: 374
Posted: Tue Aug 15, 2006 2:33 pm
nice, thx!!