Frequently Asked Questions

Dec 14, 2019 - 01:57pm


Running WebCrossing in a chroot jail.


Created On: 1 Feb 2002 3:20 pm
Last Edited: 1 Feb 2002 3:33 pm

Question

Web Crossing Inc. recommends that your Web Crossing server be run as root in most situations. Generally root is required in order to bind to ports below 1024 (required for HTTP, POP, SMTP, NNTP, etc.).

However, if this is not possible, the following outlines how the chroot command can be used to place WebCrossing in a chroot jail. Solaris is used as the example operating system in this document, but the details described can easily be adapted to any other UNIX variant.

DISCLAIMER

If you chroot webx, you are responsible for any webx related problems that may be caused by incorrect or improperly set permissions, etc. Technical Support cannot help you debug this!

The procedures listed below have not been thoroughly tested and WebCrossing does not support or guarantee their use in any way whatsoever, nor do we take responsibility for any harm that may come from your use of the following. In short, USE AT YOUR OWN RISK and don't complain to us if this does not work.

Answer

Base chroot Jail Requirements

The chroot(2) system call changes the position of the root directory. For applications to function correctly, this new root directory must contain some base operating system primitives. Think of the contents of the chroot jail as a complete mini-operating system/file system in itself. In particular, a subset of system libraries, configuration files, and device files, along with any application-specific files must be available in the jail. These files should be copied into the jail, or a hard link could be created if the two directories reside on the same file system.

The following commands provide an example of creating the base jail directory (/var/chroot), copying the standard C library (/usr/lib/libc.so.1) into the jail and creating the null device file:

# mkdir -p /var/chroot/usr/lib; mkdir -p /var/chroot/dev; mkdir -p /var/chroot/bin
# chown -R root:root /var/chroot; chmod -R 755 /var/chroot
# cp -p /usr/lib/libc.so.1 /var/chroot/usr/lib/libc.so.1
# cp -p /bin/sh /var/chroot/bin/sh
# cp -p /bin/ls /var/chroot/bin/ls
# mknod /var/chroot/dev/null c 13 2

A minimum base set of files and devices is typically required within any chroot jail. These will vary for each UNIX variant, but the following Solaris base should be applicable to most systems:

The NULL device file: /dev/null
The 'zero' device file: /dev/zero
The TCP/IP protocol device file: /dev/tcp
The UDP/IP protocol device file: /dev/udp
Standard C library: /usr/lib/libc.so.1
Runtime linker: /usr/lib/ld.so.1
Dynamic linker library: /usr/lib/libdl.so.1
Network services library: /usr/lib/libnsl.so.1
TCP/IP networking library: /usr/lib/libsocket.so.1
DNS services shared object: /usr/lib/nss_dns.so.1
File services shared object: /usr/lib/nss_files.so.1
Time zone database: /usr/share/lib/zoneinfo and /etc/TIMEZONE
Hosts database: /etc/hosts and /etc/inet/hosts
Services database: /etc/services
Protocols database: /etc/protocols
Name services configuration: /etc/nsswitch.conf
Resolver configuration: /etc/resolv.conf
Temporary storage directories: /var, /var/tmp, /var/run and /tmp

The chroot jail should be owned by root with a permissions mask of 755. The permissions of each file and directory described above should be identical to those within the standard base operating system.

Determining chroot Jail Inclusions

Most non-trivial applications will require more than the base jail set outlined above. Determining the entire set of resources required by an application is more an art than an exact science.

The WebCrossing server (installed into /opt/webx) will be used to illustrate the procedure.

The base binaries and configuration files of the WebCrossing tree (/opt/webx) should be copied into the chroot jail with permissions preserved. For example:

# mkdir -p /var/chroot/opt/webx
# cp -p -R /opt/webx/* /var/chroot/opt/webx

The libraries that an application is linked against can be displayed by using the ldd(1) (Solaris, Linux, etc.) or chatr(1) (HP-UX) command. ldd(1) may also be run on libraries themselves to determine the dependencies of each library. Example output using ldd(1) against WebCrossing's webx-go executable is:

# ldd webx-go
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libpthread.so.1 => /usr/lib/libpthread.so.1
libthread.so.1 => /usr/lib/libthread.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2

The libraries displayed as dependencies by ldd(1) or chatr(1) should be copied into the appropriate relative directory within the jail.
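As an added example (not from this FAQ or the WebCrossing project), the following POSIX shell helpers automate the step just described: they turn ldd(1) output into a list of library paths and copy each one into the jail under the same path it has on the host. The function names are hypothetical; the parser accepts both the Solaris form shown above and the Linux ldd form.

```shell
#!/bin/sh
# Added example: collect ldd(1) dependencies and install them into a chroot jail.
# Not part of WebCrossing; function names are hypothetical.

# Read ldd(1) output on stdin and print one absolute library path per line.
# Accepts the Solaris form  "libc.so.1 => /usr/lib/libc.so.1", the Linux form
# "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare runtime-linker line
# "/lib64/ld-linux-x86-64.so.2 (0x...)". Entries without a path, such as
# "linux-vdso.so.1 (0x...)" or "libfoo.so => not found", are skipped.
ldd_paths() {
    awk '{
        p = ""
        if ($0 ~ /=>/)        p = $3     # name => /path [(addr)]
        else if ($1 ~ /^\//)  p = $1     # /path (addr)
        if (p ~ /^\//) print p
    }'
}

# Copy every path read from stdin into JAIL ($1), creating parent directories
# and preserving mode and timestamps with cp -p (ownership too when run as root).
# A missing source file is reported and skipped; a failed copy returns non-zero.
jail_install() {
    jail="$1"
    while IFS= read -r f; do
        [ -f "$f" ] || { echo "jail_install: no such file: $f" >&2; continue; }
        mkdir -p "$jail$(dirname "$f")" || return 1
        cp -p "$f" "$jail$f" || return 1
    done
}

# Install an executable plus everything ldd(1) reports for it into the jail.
# Usage: jail_add_binary /var/chroot /opt/webx/webx-go
jail_add_binary() {
    jail="$1"; bin="$2"
    { echo "$bin"; ldd "$bin" | ldd_paths; } | jail_install "$jail"
}
```

Libraries that are dlopen()ed at run time do not appear in ldd(1) output, so the system call trace described next is still needed.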

However, this method does not cover shared objects that are dynamically loaded by an application at run time. To discover which files and libraries are opened at run-time, the operations of an application can be captured with a system call trace.

A system call trace is performed with the truss(1) (Solaris), strace(1) (Linux), tusc(1) (HP-UX 11.X), trace(1) (HP-UX 10.X), or ktrace (BSD) command. Readers familiar with C programming should have no difficulty in following a system call trace.

An example of starting up the WebCrossing process in the base operating system is as follows:

# truss -f webx-go 2>&1 | grep open | more

...
6642: open("/usr/share/lib/zoneinfo/US/Pacific", O_RDONLY) = 3
...

The above line indicates that webx-go opens the file /usr/share/lib/zoneinfo/US/Pacific. This file needs to be copied in order for WebCrossing to function correctly. In addition to performing system call tracing, some initial application analysis can assist in getting things right the first time.

Putting It All Together:

You will need to start WebCrossing using a shell, so make sure that you copy /bin/ls and /bin/sh into /var/chroot/bin and get the required resources in place for them also. When all required resources are installed into the jail, it is time to test WebCrossing in the chroot environment. This can be done by executing the following commands:

# /usr/sbin/chroot /var/chroot /bin/sh
# cd /opt/webx
# ./make-run

If there are problems at this point, a system call trace will again be beneficial in displaying what resource is missing:

# truss -f /usr/sbin/chroot /var/chroot /opt/webx/webx-go

Study the output provided from your system call tracer and look for errors.
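As an added example (not from this FAQ or the WebCrossing project), the following shell helper does the "look for errors" step mechanically: it reads a truss(1) or strace(1) trace and lists the paths passed to open()/openat(), separating calls that failed with ENOENT (files still missing from the jail) from calls that succeeded. The function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the files a traced program could not open inside the jail.
# Not part of WebCrossing; function names are hypothetical.

# Read a trace on stdin and print, once each, the paths passed to open()/openat()
# whose outcome matches $1: "missing" selects calls that failed with ENOENT,
# "ok" selects calls that returned a descriptor. Handles Solaris truss lines like
#   6642: open("/etc/hosts", O_RDONLY) Err#2 ENOENT
# and Linux strace lines like
#   openat(AT_FDCWD, "/etc/hosts", O_RDONLY) = -1 ENOENT (No such file or directory)
trace_opens() {
    awk -v want="$1" '
        /open(at|64)?\(/ {
            if (!match($0, /"[^"]*"/)) next        # first quoted arg is the path
            path = substr($0, RSTART + 1, RLENGTH - 2)
            outcome = ($0 ~ /ENOENT/) ? "missing" : "ok"
            if (outcome == want && !seen[path]++) print path
        }'
}

# Constructed sample trace mixing truss and strace formats (not real output).
sample_trace() {
    printf '%s\n' \
      '6642: open("/usr/share/lib/zoneinfo/US/Pacific", O_RDONLY) = 3' \
      '6642: open("/etc/resolv.conf", O_RDONLY) Err#2 ENOENT' \
      'openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)' \
      '6642: open("/usr/share/lib/zoneinfo/US/Pacific", O_RDONLY) = 4'
}

# Typical use against a live run, from the host side:
#   truss -f /usr/sbin/chroot /var/chroot /opt/webx/webx-go 2>&1 | trace_opens missing
```

Each path printed by `trace_opens missing` is a candidate for copying into the jail at the same relative location; paths under /proc or other virtual file systems are expected to fail and can be ignored.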

As stated in the disclaimer above these procedures have not been thoroughly tested. This document is meant to be used as a guideline for experimental purposes only.

References

SysAdmin Magazine, August 2001 issue, article by Liam Widdowson (the bulk of this document was taken from that article and edited to focus on chrooting WebCrossing)
How to break out of a chroot() jail: http://www.bpfh.net/simes/computing/chroot-break.html
How to eliminate the ten most critical Internet security threats: http://www.sans.org/topten.htm