Re: chrooting a program not designed to be chrooted
- To: "'Ted Goodridge, Jr'" <tedgoodridgejr_(_at_)_acm_(_dot_)_org>, <misc_(_at_)_openbsd_(_dot_)_org>
- Subject: Re: chrooting a program not designed to be chrooted
- From: "Dom De Vitto" <dom_(_at_)_DeVitto_(_dot_)_com>
- Date: Thu, 23 Jan 2003 19:17:09 -0000
- Organization: Secure Technologies Ltd.
Ted,
If you go back to basics, being root just to bind to <1024 is daft.
Just bind to a non-priv port, as a non-priv user in a chroot jail,
then NAT traffic to the priv port to the unpriv one & vice versa.
Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto Tel. 07855 805 271
http://www.devitto.com mailto:dom_(_at_)_devitto_(_dot_)_com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-----Original Message-----
From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org] On Behalf
Of Ted Goodridge, Jr
Sent: Wednesday, January 22, 2003 10:01 PM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: chrooting a program not designed to be chrooted
If I have to be the superuser to activate the chroot, how can I get this
program to run such as bind or chrooted apache? (with the user being
"bind" and not root).
That really is the crux of what I'm trying to do.
Ted
----- Original Message -----
From: "Ted Goodridge, Jr" <tedgoodridgejr_(_at_)_acm_(_dot_)_org>
To: <misc_(_at_)_openbsd_(_dot_)_org>
Sent: Wednesday, January 22, 2003 12:56 PM
Subject: chrooting a program not designed to be chrooted
I'm running an eggdrop (soon to be multiple eggdrops) from my openbsd
server. Occasionally these things are exploited remotely, so I want to
put it in a chroot.
I followed the recipe at http://www.sans.org/rr/linux/daemons.php , got
the required libs etc in the soon to be chroot'd directory.
The problem I'm having is launching the initial chroot without being the
superuser, and running the process as user "eggy" (a non-privileged
user). Does this require a patch to eggdrop? Can this be done with
shell commands, or is a C program necessary (as per the recipe above?)
In principle, I want to run any program that might be exploited in its
own chroot. Any pointers? I can post settings/files as necessary.
Ted
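
Added example (not written by any poster in this thread, and not eggdrop or OpenBSD code): a small C wrapper of the kind the thread asks about, started as root, that enters the chroot, drops to an unprivileged uid/gid in the order that makes the drop irreversible, and only then execs the target. The names `jail_and_drop` and `jailrun`, the jail path and the numeric ids are assumptions made for illustration.

```c
/* Added example. Run as root, e.g. (constructed sample values):
 *   ./jailrun /var/eggjail 1001 1001 /bin/eggdrop eggdrop.conf */
#define _DEFAULT_SOURCE   /* glibc: expose chroot() and setgroups() */
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum { JAIL_OK = 0, ERR_ROOT_TARGET = -1, ERR_CHDIR = -2, ERR_CHROOT = -3,
       ERR_GROUPS = -4, ERR_GID = -5, ERR_UID = -6, ERR_REGAIN = -7 };

/* Enter the jail at dir and switch to uid/gid; every step is checked. */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)        /* a root process can leave a chroot */
        return ERR_ROOT_TARGET;
    if (chdir(dir) != 0)             /* be inside the jail before chroot */
        return ERR_CHDIR;
    if (chroot(".") != 0)            /* the only step that needs root */
        return ERR_CHROOT;
    if (chdir("/") != 0)             /* no cwd left pointing outside */
        return ERR_CHDIR;
    if (setgroups(1, &gid) != 0)     /* shed root's supplementary groups */
        return ERR_GROUPS;
    if (setgid(gid) != 0)            /* group before user: needs root */
        return ERR_GID;
    if (setuid(uid) != 0)            /* sets real, effective and saved uid */
        return ERR_UID;
    if (setuid(0) == 0 || seteuid(0) == 0)   /* the drop must be permanent */
        return ERR_REGAIN;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s jaildir uid gid program [args...]\n", argv[0]);
        return 2;
    }
    /* atoi() yields 0 on bad input, which jail_and_drop() refuses. */
    int rc = jail_and_drop(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3]));
    if (rc != JAIL_OK) {
        fprintf(stderr, "jail_and_drop failed at step %d\n", -rc);
        return 1;
    }
    execv(argv[4], &argv[4]);        /* path is resolved inside the jail */
    perror("execv");
    return 1;
}
```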