Setting Up a Jail Directory

If you want to run one or more servers from within a chroot jail, the first task you must undertake is to configure the jail directory. In principle, this directory could be anywhere. As an example, this section describes setting up a directory in which you can run a Network Time Protocol (NTP) server. I will describe NTP more fully in Chapter 27, "Miscellaneous Servers."

Note For this description, I used Debian 3.0 running on an ¡Mac as a model.

Distributions often ship with binaries compiled in unique ways, though. For this reason, you may need to perform slightly different steps than I describe to set up NTP to run in a jail if you're using a different system.

Once you've decided where to place the jail directory, create it. For this example, I used /jail/ntp. Type mkdir -p /jail/ntp to create this directory. You must then populate this directory with files that the server will need:

Server Files The most obvious file is the server file itself—ntpd in this case, from /usr/sbin. Typing mkdir -p /jail/ntp/usr/sbin creates the directory. You can then type cp -p /usr/sbin/ntpd /jail/ntp/usr/sbin to copy the original file to the jail.

Support Programs Some servers launch support programs while they run. For instance, many FTP servers rely on Is. You must copy these files to their appropriate locations in the jail directory. Debian's NTP package ships with several support programs in /usr/sbin—a few whose names begin with ntp and one that doesn't (tickadj).

Support Libraries Many programs rely on dynamic libraries. You can learn which libraries a server uses by typing Idd server, where server is the server's filename, complete with path. Debian's ntpd relies on five libraries, which must be copied to an appropriate location within the jail. Some libraries rely on other libraries, so you should repeat this test for every library you copy. Servers with explicit chrootjail support may be able to link with dynamic libraries in their normal directories before they lock themselves in the jail, so this step may not be necessary for such programs.

Configuration Files NTP uses the /etc/ntp.conf file, which must be copied to the jail's etc directory (/jail/ntp/etc in this example). You must also configure the NTP server using this file, as described in Chapter 27. Debian stores its time zone in /etc/timezone, so copying this file is in order, as well.

Log and Temporary Directories NTP keeps log files in /var/lib/ntp, /var/log/ntpstats, and optionally /var/log/ntpd. These directories must exist or you'll be unable to create and examine log files, which can be useful debugging resources. Some servers also create temporary files in /tmp, so you may want to create this directory. If a server must be able to write to a directory, be sure its permissions are set appropriately.

Tip Some servers can log data via syslogd; others log directly to a file. Some give you an option. As a general rule, logging directly to a file is simpler for servers run in a jail, because there's no need to copy syslogd into the jail. In the case of NTP, you can set the logging option with the logfile line in /etc/ntp.conf.

User Database Files Some servers need access to user database files such as /etc/passwd. Such programs often use the Pluggable Authentication Module (PAM), and so they may require that much of your PAM configuration be copied into the jail. As a general rule, servers that need user database files are poor candidates for running in a jail, because they often need access to users' home directories. The NTP server doesn't need any of these files.

Server Data Files Some servers exist to deliver files to clients. For instance, users generally access an FTP server to retrieve files from the computer; and a font server delivers fonts to clients. You must move or copy data files into the jail for such servers to be effective. In some cases, you can use the -bind option to mount to make a virtual copy of a data directory within the chroot environment. For instance, mount --bind /usr/X11R6/lib/X11/fonts /jail/xfs/fonts makes the normal Linux fonts directory tree available to a font server run in a jail at /jail/xfs. This approach has some risks, though, because it effectively gives the jailed server access to some files outside of its jail. The NTP server doesn't deliver data files perse, so there's no need to copy such files to its jail directory.

Miscellaneous Support Files Some servers rely on support files in odd locations. Try running the server and then examining the files it's opened with Isof, as in Isof | grep ntpd. In the case of ntpd, you should see the libraries it uses, possibly some log files, some network connections, and /dev/null.

Device Files Some servers rely on device files, which you must re-create. For instance, ntpd uses/dev/null. You can copy a device file with cp and its -a option, as in cp -a /dev/null /ja i l/ntp/d ev/n u 11. Actually learning what device files, if any, a server uses can be trickier. Using Isof, as when finding miscellaneous support files, can help.

Special Filesystem Files Some servers rely on files in the /proc or other special filesystems. If this is true of your server, you can mount a copy of the special filesystem in the jail by copying the original /etc/fstab entry for the filesystem but using a mount point within the jail. If your distribution uses DevFS, you can do this for device files, but this approach is overkill. It's safer to just copy the one or two device files the server needs. The ntpd server doesn't rely on any files in /proc.

Warning The /proc filesystem and some device files give software extraordinary power over your computer. For this reason, you should be cautious about copying these files or creating a duplicate /proc filesystem in a jail. Sometimes a server doesn't really need these files, although it may benefit from them in some way.

Once you've copied all of these files into your jail, that directory should contain several of the subdirectories and files found on a normal Linux system; essentially, it's like a miniature Linux installation. Precisely how many files you must copy depends on the server. My NTP system uses a dozen files and a similar number of directories and subdirectories. Once run, the server generates a few more files.

0 0

Post a comment