Running Programs in the Jail

Two methods of running a program in a chroot jail exist. The easiest method is to rely on an option in the server's configuration file. For instance, the ProFTPd server (http://www.proftpd.net) automatically locks the server in a chroot jail when you use the <Anonymous> directive in its configuration file. Such server packages sometimes ship with preconfigured jail directories. They also may be able to use libraries and configuration files outside of their jails, which can greatly simplify configuration.

Other servers require help to run from a jail, and this help is provided by the chroot command. This command's syntax is as follows:

chroot /new/root server-name [options]

In this command, /new/root is the jail's location and server-name is the path to the server relative to the jail. For instance, to run ntpd, you would type:

# chroot /jail/ntp /usr/sbin/ntpd

This command looks as if it's running the original ntpd, but it's not—you can delete or rename that file and the command will still work. Of course, this assumes that everything about your chroot environment has been configured correctly. Chances are it won't work on your first attempt when configuring a new server. You may need to examine the server's log files and otherwise troubleshoot the server to discover why it's not working.

Tip: Configure the server to work outside of the jail before trying to get it to work inside the jail. You can then copy the working configuration files into the jail. If you try to run the server within the jail from the start, you won't be sure if the problems are due to a jail misconfiguration or to more ordinary server problems.

In order to run the server from the jail on a regular basis, you must alter or bypass the server's ordinary startup scripts, as described in Chapter 9, "Bypassing Automatic Configurations to Gain Control." Unfortunately, some distributions' startup scripts use special tools to run servers, such as start-stop-daemon. You may need to copy these tools into the jail, which is an added hassle. Worse, some of these tools rely on the /proc filesystem, which is an unacceptable security risk if the server itself doesn't need this facility. For this reason, you may want to disable the normal SysV startup script and use a local startup script, or you may want to replace the default SysV startup script with a much simpler one of your own devising.

Once your server is running in its jail, you must remember to take extra precautions to maintain it. Most importantly, remember to copy the server's files and support files whenever you upgrade any relevant packages. You may also need to take steps to rotate the server's log files.
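
A minimal local startup script of the kind suggested above, given here as an added example that is not from the original text. It refuses to start the jailed ntpd if the binary is missing from the jail, if /proc is visible inside the jail, or if the jail's copy no longer matches the system copy after an upgrade. The function names and the start/check arguments are hypothetical; /jail/ntp and /usr/sbin/ntpd are taken from the earlier example.

```sh
#!/bin/sh
# Local startup script for a jailed ntpd (added example, not from the book).
JAIL=${JAIL:-/jail/ntp}           # jail location from the page's example
SERVER=${SERVER:-/usr/sbin/ntpd}  # server path, relative to the jail

# jail_problems JAIL SERVER (hypothetical helper)
# Prints one line per problem found; prints nothing when the jail looks sane.
jail_problems() {
    jail=$1; server=$2
    if [ ! -d "$jail" ]; then
        echo "missing jail directory: $jail"
        return 0
    fi
    # chroot resolves the server path inside the jail, so the copy must exist.
    [ -x "$jail$server" ] || echo "server not executable in jail: $jail$server"
    # A mounted /proc always contains "self"; the server should not see it.
    [ ! -e "$jail/proc/self" ] || echo "/proc is mounted inside jail: $jail/proc"
    # After a package upgrade the system binary changes but the jail copy
    # does not, so a byte difference means the jail was not refreshed.
    if [ -f "$server" ] && [ -f "$jail$server" ] &&
       ! cmp -s "$server" "$jail$server"; then
        echo "stale copy (differs from $server): $jail$server"
    fi
    return 0
}

# Start the server only when every check passes.
start() {
    problems=$(jail_problems "$JAIL" "$SERVER")
    if [ -n "$problems" ]; then
        echo "$problems" >&2
        return 1
    fi
    chroot "$JAIL" "$SERVER"   # same invocation as the page's ntpd example
}

case "${1:-}" in
    start) start ;;
    check) jail_problems "$JAIL" "$SERVER" ;;
esac
```

Run the script with the check argument after upgrading any relevant package, and with start from your local boot sequence.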
