chroot

By OK -


Chroot

Another further step in protecting our name server is working in a chroot environment. To better understand this, let’s see briefly what a chroot environment is.
A chroot is an operation that changes the apparent root directory of the current process, so that this program can’t access files that reside below its working directory. Let’s see an example.
We log on to our server and create a new folder. Later, this folder will become the apparent root directory.
1   [root@delphos ∼]# mkdir -p /new/root
We can try to chroot the user session with the chroot command.
1   [root@delphos ∼]# chroot /new/root/
2   chroot: failed to run command /bin/bash: No such file or directory
As we see, we have to access /bin/bash to chroot the user session. So we create a bin subfolder and copy the bash file in it.
1   [root@delphos ∼]# mkdir /new/root/bin
2   [root@delphos ∼]# cp /bin/bash /new/root/bin/
However, we’re not done yet. If we try to run chroot again, we get the same error.
1   [root@delphos ∼]# chroot /new/root/
2   chroot: failed to run command /bin/bash: No such file or directory
This is due to the fact that the bash executable file is dynamically linked and has to access a series of libraries. We can find out what libraries it needs by using the ldd command. Note: Libraries will vary, depending on the exact version of the operating system.
1   [root@delphos ∼]# ldd /bin/bash
2           linux-vdso.so.1 =>         (0x00007fffc57fe000)
3           libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f76faeb3000)
4           libdl.so.2 => /lib64/libdl.so.2 (0x00007f76facaf000)
5           libc.so.6 => /lib64/libc.so.6 (0x00007f76fa8ed000)
6           /lib64/ld-linux-x86-64.so.2 (0x00007f76fb0f1000)
So, we create a new subfolder and copy the required files.
1   [root@delphos ∼]# mkdir /new/root/lib64
2   [root@delphos ∼]# cp /lib64/libtinfo.so.5 /new/root/lib64/
3   [root@delphos ∼]# cp /lib64/libdl.so.2 /new/root/lib64/
4   [root@delphos ∼]# cp /lib64/libc.so.6 /new/root/lib64/
5   [root@delphos ∼]# cp /lib64/ld-linux-x86-64.so.2 /new/root/lib64/
Now we can execute chroot.
1   [root@delphos ∼]# chroot /new/root/
2   bash-4.2#
If we type “pwd,” the system will tell us that we are already at the root directory, and we won’t be able to access other folders outside of the chroot environment.
1   bash-4.2# pwd
2   /
3   bash-4.2# cd ..
4   bash-4.2# pwd
5   /
This is an extremely simple chroot environment meant only as a proof of concept. If we try, for example, to list the directory contents with the ls command, we’ll get an error, because we haven’t copied the ls file and the libraries it depends on to run. Besides, we should also have created some other folders, such as a dev subfolder, etc.
Once we’ve completed this little experiment, we leave the chroot environment and remove the folder we created.
1   bash-4.2# exit
2   exit
3   [root@delphos ∼]# rm -rf /new/root/
As a chrooted service can’t access folders or files outside of its home directory, it is considered a good practice. Thus, if the named service gets compromised, it will only be able to access the content of its home directory.
If we want the named service to execute in a chroot environment, we could do it manually, as we have done before with our “proof of concept.” But, fortunately, there is a much easier way. We only need to install the bind-root package.
1   [root@delphos ∼]# yum install bind-chroot
Right after installing the package, we see that a new subfolder has been created below /var/named. This subfolder contains all the necessary files and folders for named to work properly.
1   [root@delphos ∼]# ls -l /var/named/chroot/
2   total 0
3   drwxr-x---. 2 root  named 41 Sep 26 12:02 dev
4   drwxr-x---. 4 root  named 44 Sep 26 12:02 etc
5   drwxr-x---. 3 root  named 18 Sep 26 12:02 run
6   drwxrwx---. 3 named named 18 Sep 26 12:02 usr
7   drwxr-x---. 5 root  named 48 Sep 26 12:02 var
Right after installing bind-root, the named service will already be running in a chroot environment in CentOS 6.
However, in CentOS 7, we still have to start this service.
1   [root@delphos ∼]# systemctl start named-chroot
We must make sure that the service starts automatically every time the system boots.
 1   [root@delphos ∼]# systemctl enable named-chroot
 2   ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-\
 3   user.target.wants/named-chroot.service'

Comments

Post a Comment

Popular posts from this blog

HAproxy logging

By OK -
ubuntu@ubuntu:/etc/haproxy$ cat /etc/rsyslog.d/haproxy.conf # Create an additional socket in haproxy's chroot in order to allow logging via # /dev/log to chroot'ed HAProxy processes $ModLoad imudp $UDPServerRun 514 local0.* -/var/log/haproxy-0.log local1.* -/var/log/haproxy-1.log ### keep logs in localhost ## $AddUnixListenSocket /var/lib/haproxy/dev/log ------------------- ubuntu@ubuntu:/etc/haproxy$ cat /etc/haproxy/haproxy.cfg global chroot /var/lib/haproxy user haproxy group haproxy log 127.0.0.1   local0         log 127.0.0.1   local1 notice daemon frontend www     bind 192.168.40.128:8282    # haproxy public IP     default_backend as-backend    # backend used backend as-backend    balance leastconn    mode http  server as1 192.168.40.128:8082 check    # application srv 1 defaults log global mode http option httplog option dontlognull         contimeout 5000    
Read more

tomcat catalina coyote jasper cluster

By OK -
Tomcat Component are Catalina Coyote Jasper Cluster Catalina :  Catalina is the name of the servlet container of Apache Tomcat since version 4.x. Tomcat implements Sun Microsystems' specifications for servlet and JavaServer Pages (JSP), which are important Java-based Web technologies. Tomcat's servlet container was redesigned as Catalina in Tomcat version 4.x. other components of the Tomcat engine are: Tomcat Jasper which converts the code portions within JavaServer Pages into servlets and pass them to Catalina to process. Tomcat Coyote which is an HTTP connector based on HTTP/1.1 specifications that receives and transmits web requests to the Tomcat engine by listening to a TCP/IP port and returns requests back to the requesting client. Coyote :  The Coyote JK Connector element represents a Connector component that communicates with a web connector via the JK protocol (also known as the AJP protocol). This is used for cases where you wish to invisibly integr
Read more

NFS mount add in fstab _netdev instead of default | firewall-cmd --list-all

By OK -
Redhat recommends us to add  _netdev  option for NFS file system in /etc/fstab. So that they can be mounted after starting the networking service. Alternative ways to refer to partitions: Label : LABEL=label Network ID Samba : //server/share NFS : server:/share SSHFS : sshfs#user@server:/share Device : /dev/sdxy (not recommended) Example #1 //192.168.1.134/share_name /mnt/share_name cifs username=server_user,password=server_password,_netdev 0 0 ^ Path to your share ^ Mountpoint ^ Username ^ Password ^ See note A Note A: The  _netdev  options makes sure the mount is only attempted AFTER a network connection has been established. Example #2 10.10.10.1:/vol1/fs1 /data nfs defaults,_netdev 0 0 ============================ [root@localhost ~]# firewall-cmd --list-all public   target: default   icmp-block-inversion: no   interfaces:   sources:   services: dhcpv6-client high-availability ssh   ports:   protocols:   masquera
Read more