Re: [SOLVED] chrooting a program not designed to be chrooted *is this safe*?
Hrm, it stripped my attachment. Here it is inline.
/* This quick C program wraps around any program or daemon and allows it
to run in a chroot'ed environment with reduced privileges, using any gid
and uid of choice given on the command line.
The execl() function call could use some work for more flexibility.
This code was based on a howto at
http://www.sans.org/rr/linux/daemons.php
The syntax for this command is:
"chrootwrap <chroot dir> <gid> <uid> <command> <single argument -
optional>"
Note that <command> is executed after the chroot() call, so its path is
looked up inside <chroot dir>.
This program must be executed as root.
Ted Goodridge
tedgoodridgejr@acm.org
*/
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* function prototypes */
/* Entry point; argv carries <chroot dir> <gid> <uid> <command> [argument]. */
int main (int argc, char *argv[]);
/* Prints a message for the errno value passed in `error`; always returns 0. */
int printError(int error);
/* ------------------------------- */
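/*
 * Print a human-readable message for an errno value.
 *
 * error: the errno value captured right after the failing call.
 * Returns 0 in every case; the return value carries no information.
 *
 * Messages go to stderr rather than stdout, so they are not mixed into
 * whatever the wrapped program's stdout is connected to. The wording of
 * the known cases is about paths and directories because the function
 * was written for the chroot() failure path.
 */
int printError(int error) {
    const char *message = NULL;

    switch (error) {
    case EPERM:
        message = "Operation not permitted";
        break;
    case EACCES:
        message = "You do not have permission to that path";
        break;
    case ENOTDIR:
        message = "That is not a directory";
        break;
    case ENOENT:
        message = "That directory does not exist";
        break;
    case EIO:
        message = "I/O error!";
        break;
    default:
        break;
    }

    if (message != NULL) {
        fprintf(stderr, "%s\n", message);
    } else {
        /* Keep the errno value visible instead of hiding it behind a
           generic message; it is the only clue the operator gets. */
        fprintf(stderr, "Unknown error! (errno %d: %s)\n", error, strerror(error));
    }
    return 0;
} /* printError */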
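/*
 * Parse a uid/gid command-line argument as a plain decimal number.
 *
 * Returns 0 and stores the value in *out on success; returns -1 for NULL,
 * empty input, trailing garbage, negative numbers or overflow.
 * atoi() is deliberately not used: it turns any non-numeric string into 0,
 * which here would silently select root's uid/gid.
 */
static int parse_id(const char *text, long *out) {
    char *end = NULL;
    long value;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    value = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || value < 0)
        return -1;
    *out = value;
    return 0;
}

/*
 * chrootwrap <chroot dir> <gid> <uid> <command> [single argument]
 *
 * Enters the chroot, drops the supplementary groups, gid and uid (in that
 * dependency order: the uid goes last because changing groups needs root),
 * then replaces this process with <command>. Every step is checked and the
 * program exits with status 1 on the first failure, so <command> is never
 * started with more privilege or a wider filesystem view than requested.
 * Arguments after the optional one are ignored.
 */
int main (int argc, char *argv[]) {
    long gid_arg = 0;
    long uid_arg = 0;
    gid_t gid;
    uid_t uid;
    int saved_errno;

    /* argv[1]..argv[4] are mandatory; argv[5] may be absent, in which case
       it is the NULL that terminates argv and simply ends the execl list. */
    if (argc < 5) {
        fprintf(stderr, "usage: chrootwrap <chroot dir> <gid> <uid> <command> [argument]\n");
        exit(1);
    }

    if (parse_id(argv[2], &gid_arg) || parse_id(argv[3], &uid_arg)) {
        fprintf(stderr, "gid and uid must be non-negative decimal numbers\n");
        exit(1);
    }
    gid = (gid_t)gid_arg;
    uid = (uid_t)uid_arg;
    if ((long)gid != gid_arg || (long)uid != uid_arg) {
        fprintf(stderr, "gid or uid is out of range\n");
        exit(1);
    }
    /* A uid-0 process is not confined by a chroot, so running the command
       as root would defeat the purpose of this wrapper. */
    if (uid == 0) {
        fprintf(stderr, "refusing to run the command as uid 0 inside the chroot\n");
        exit(1);
    }

    if (chroot(argv[1])) {
        printError(errno);
        fprintf(stderr, "Unable to change the root, exiting.\n");
        exit(1);
    }
    /* chroot() does not move the working directory; if this chdir fails the
       process would keep a cwd outside the new root, so it must be fatal. */
    if (chdir("/")) {
        printError(errno);
        fprintf(stderr, "Unable to chdir into the new root, exiting.\n");
        exit(1);
    }

    if (setgid(gid)) {
        fprintf(stderr, "unable to setgid!\n");
        exit(1);
    }
    /* Replace root's supplementary groups with just the target gid
       (also, could use initgroups). */
    if (setgroups(1, &gid)) {
        fprintf(stderr, "unable to set groups!\n");
        exit(1);
    }
    if (setuid(uid)) {
        fprintf(stderr, "unable to setuid!\n");
        exit(1);
    }
    /* Confirm the drop took effect before handing control to the command. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        fprintf(stderr, "privileges were not dropped, exiting.\n");
        exit(1);
    }

    /* The variadic sentinel must be a pointer, hence the cast. */
    execl(argv[4], argv[4], argv[5], (char *)NULL);

    /* execl() only returns on failure. */
    saved_errno = errno;
    fprintf(stderr, "unable to execute %s: %s\n", argv[4], strerror(saved_errno));
    exit(1);
}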