[suse-security] /usr/sbin/compartment fails to chroot for non-root user

From: Tom Knight (thomas.knightAHDS.AC.UK)
Date: Wed Jan 21 2004 - 04:01:53 CST


I'm trying to build a chroot jail for ssh for a user (called update), using
/usr/sbin/compartment.

The /etc/passwd entry for user "update" looks like this:
update:x:5000:65534:Update User:/home/update:/bin/compart.jail

/bin/compart.jail reads:

  #!/bin/bash
  strace -v -s 250 -ff -F -qix -o problem /usr/sbin/compartment --chroot /home/update.jail /bin/bash

(That strace call is just there for debugging, of course...)

* `su update` (the user) fails with the error
  "Error chrooting to /home/update.jail"
* Any non-root user running `/usr/sbin/compartment --chroot /home/update.jail /bin/bash` fails with the same error.
* Root _can_ run this file, and ends up in jail.

Looking at the file "problem" that strace creates tells me that:
<snip>
[400e10cd] chroot("/home/update.jail") = -1 EPERM (Operation not permitted)
[400e0702] brk(0x804f000) = 0x804f000
[400dae34] write(2, "Error chrooting to /home/update.jail\n", 37) = 37
[400e0702] brk(0x8052000) = 0x8052000
[400ace5d] time([1074677991]) = 1074677991
<snip>

(The rest of the file can be given, of course)

Okay, now if the user tries to simply `chroot /home/update.jail`, he gets
the error:
"chroot: cannot change root directory to /home/update.jail: Operation not
permitted"

The permissions on the directory /home/update.jail look like this:
   0 drwxrwxrwx 7 update nogroup 224 2004-01-21 09:38 .
   0 drwxr-xr-x 9 root root 216 2004-01-20 16:19 ..
   4 -rw------- 1 update nogroup 45 2004-01-21 09:39
.bash_history
   0 drwxr-xr-x 2 update nogroup 240 2004-01-21 08:54 bin
   0 drwxr-xr-x 2 update nogroup 96 2004-01-20 16:00 dev
   0 drwxr-xr-x 2 update nogroup 128 2004-01-21 09:08 etc
   1 drwxr-xr-x 3 update nogroup 568 2004-01-21 09:20 lib
 112 -rw-r--r-- 1 update nogroup 113188 2004-01-21 09:39 problem
   0 drwxr-xr-x 4 update nogroup 96 2004-01-20 15:02 usr

I don't think the update user's home directory of /home/update makes a
difference; I've changed it without any effect.

I think I could probably use sudo to give update the ability to use chroot,
but then I have a chroot user with slightly higher privs than is ideal.

Any ideas on how to solve this?

Tom.

---------------
Tom Knight
System Administration Officer
Arts & Humanities Data Service
Web: http://www.ahds.ac.uk
Email: tom.knightahds.ac.uk
Tel: (0)20 7928 7371
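The strace output answers the question: chroot(2) returns EPERM because on Linux the call requires CAP_SYS_CHROOT, which an unprivileged process never has, so a non-setuid /usr/sbin/compartment can only work for root. One check before going further: strace itself would mask a setuid bit (the kernel does not honour setuid on a traced exec), so the second bullet above, run without strace, is the result that counts; `ls -l /usr/sbin/compartment` confirms whether the binary is setuid. The following is an added example, not code from the post or from SuSE's compartment tool: a minimal root-only wrapper that enters one fixed jail and drops to one fixed uid/gid, which is the narrower alternative to giving update general chroot rights through sudo. The jail path and the uid/gid are the values from the post; the `jail_enter` function and the `-1` return code for a failed privilege drop are this example's own.

```c
/* Added example: minimal chroot wrapper for the jail described in the post.
 * Not part of the original post and not SuSE's compartment.
 * Build: gcc -O2 -Wall -o compart-wrap compart-wrap.c
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Values taken from the post: the jail directory and the update user's
 * uid/gid from its /etc/passwd line. Fixed at compile time on purpose so
 * the caller cannot choose where to chroot or who to become. */
#define JAIL_DIR "/home/update.jail"
#define JAIL_UID 5000
#define JAIL_GID 65534

/* Enter the jail rooted at `dir` and become uid/gid.
 * Returns 0 on success, the errno of the failing step, or -1 if the
 * privilege drop did not stick (setuid(0) still succeeded afterwards).
 *
 * Order matters: chdir() before chroot() so the working directory is
 * inside the new root (otherwise the old tree stays reachable via "."),
 * then supplementary groups, then gid, then uid, because once the uid is
 * unprivileged the group calls would be refused.
 * chroot(2) itself needs CAP_SYS_CHROOT, i.e. root: an unprivileged caller
 * gets EPERM here, exactly as in the strace output in the post. */
int jail_enter(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0)
        return errno;
    if (chroot(".") != 0)
        return errno;                 /* EPERM for a non-root caller */
    if (chdir("/") != 0)
        return errno;
    /* setgroups needs CAP_SETGID; skip it when not root so the function
     * still reports the real failing step for unprivileged callers. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return errno;
    if (setgid(gid) != 0)
        return errno;
    if (setuid(uid) != 0)
        return errno;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    int err = jail_enter(JAIL_DIR, JAIL_UID, JAIL_GID);
    if (err == -1) {
        fprintf(stderr, "privilege drop failed: setuid(0) still possible\n");
        return 1;
    }
    if (err != 0) {
        fprintf(stderr, "cannot enter %s: %s\n", JAIL_DIR, strerror(err));
        return 1;
    }
    /* Fixed shell and a minimal environment: nothing the caller controls
     * (argv, PATH, LD_*) reaches the jailed process. */
    char *const argv[] = { "bash", NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", "HOME=/", NULL };
    execve("/bin/bash", argv, envp);
    perror("execve /bin/bash");
    return 1;
}
```

Install it root-owned and either setuid root with a restrictive group (mode 4750, group containing only update) or as the single command update is allowed to run through sudo; either way update gains nothing beyond entering this one jail as itself, which is the extra privilege the post was worried about with a general sudo rule for chroot. One further caveat visible in the directory listing above: the jail root is world-writable and owned by update, so the jailed user can rewrite bin/ and lib/ inside it; the tree should be owned by root, with update given a writable subdirectory only.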
