chrootuid-1.3/README

@(#) README 1.3 2001/07/25 10:15:32

chrootuid - run command in restricted environment

Description
===========

Chrootuid makes it easy to run a network service at a low privilege
level and with restricted file system access.

In the past I used this program to run the gopher and www (world-wide
web) network daemons in a restricted environment: the daemons have
access only to their own directory tree, and run under a low-privileged
userid. Nowadays I also use it for proxy servers. The arrangement
greatly reduces the impact of possible loopholes in network software.

Note: for security reasons, chrootuid uses the passwd and group files
from *outside* the chroot area. This idea was suggested by Douglas
Schales of Texas A&M University, now with IBM Research.

This software was initially released in 1993. However, chrootuid is
still being used after all those years, so I have released a slightly
updated version with a BSD-style license. The examples below are still
the original ones. Although the systems don't exist anymore, the same
ideas still apply.

	Wietse Venema
	wietse@porcupine.org
	IBM T.J. Watson Research Center
	Hawthorne, USA

Installation
============

The source of the chrootuid program is small and easy to verify. In
order to build the program, run "make". If it compiles OK, edit the
destination pathnames in the Makefile and do a "make install".

Important: chrootuid should *not* be installed set-uid. A set-uid
chrootuid would let any local user run any command as any account,
root included; the program is meant to be started by root, for example
from inetd.

Using the chrootuid program
===========================

The use of the chrootuid program will be illustrated with the gopher
service. The examples are easily adapted to www (world-wide web) or any
other network service.
In the inetd.conf file, make a gopher entry like this:

    gopher  stream  tcp  nowait  root  /usr/local/lib/gopherd  gopherd

If you would like to run the daemon under control of my tcp/ip daemon
wrapper, use the following entry:

    gopher  stream  tcp  nowait  root  /some/where/tcpd  /usr/local/lib/gopherd

On some systems you will have to omit the "root" field, because all
daemons are executed as root by default.

The file /usr/local/lib/gopherd should be a shell script that is
maintained by the superuser, because inetd runs the script with root
privilege. It is this script that runs the real gopher daemon, as an
unprivileged process, in a restricted environment. Of course you can
specify any other pathname for the script, as long as it is fully
controlled by the superuser.

    #!/bin/sh
    exec /usr/local/bin/chrootuid /some/where/gopher nobody \
        /bin/gopherd -I -l /tmp/gopher.log \
        -o /bin/gopherd.conf \
        -c -C /gopherdata 70

I'll describe the contents of this script in some detail:

- Instead of /usr/local/bin/chrootuid, specify the absolute path to the
  installed chrootuid executable. The program is executed by root, so
  the path should be fully controlled by the superuser.

- Instead of /some/where/gopher, specify the absolute path to your
  gopher directory tree. The gopher daemon will have access only to
  files within this subtree. This arrangement is similar to anonymous
  FTP.

- The gopher daemon will be executed with the privileges of the "nobody"
  account. You can specify any unprivileged account, as long as it does
  not own any files etc. within the gopher directory tree: if it did, a
  compromised daemon could rewrite its own binary, configuration or
  shared libraries and make the compromise permanent. The account info
  will be extracted from the regular password database, so there is no
  need for passwd or group files below the gopher directory tree.

- "/bin/gopherd -I -l ..." is the command that will be executed, after
  access to the file system has been restricted to the gopher directory
  tree, and after privileges have been reduced to those of "nobody" (or
  whatever account name you choose).
  All path names should be absolute with respect to the root of the
  gopher directory tree. Thus, /bin/gopherd corresponds to
  /some/where/gopher/bin/gopherd.

On systems with shared libraries it will be necessary to set up the
appropriate files in the gopher directory tree. The appendix below
shows [a slightly edited version of] what we have. It is very similar
to what one has to set up for anonymous FTP, except that no passwd or
group files are needed.

Finally, chrootuid reports all problems to the syslog daemon. Have a
look at your syslog.conf file if you don't know where the errors are
logged. Note that chrootuid exits with status 0 after logging a problem
of its own (so that inetd does not complain a second time), so the
syslog record is the only place a failure shows up.

Appendix: sample restricted gopher subtree
==========================================

This example is a slightly edited version of my own gopher subtree.
Some details (shared libs, DNS, and timezone stuff) are specific to
SunOS; hints are given for Ultrix 4.x.

The restricted gopher subtree is very similar to the tree used for
anonymous ftp, except that no passwd or group files are needed. The
example assumes that the tree is located at /some/where/gopher, which
will sometimes be referred to as ~gopher for brevity.

SunOS notes: the shared libraries in this example are specific to SunOS
4.1.1. What you will need depends on the OS release and on the compiler
used to build the gopher executable (do `ldd gopherd' to find out;
you'll always need the ld.so runtime linker, though). The example
assumes that you are running DNS on top of NIS. Otherwise, you will
need a ~gopher/etc/resolv.conf file.

Ultrix notes: you will need the following files in ~gopher/etc: hosts,
resolv.conf, svc.conf, svcorder. Just copy them from a DNS client host.

Other systems: it may be necessary to install a ~gopher/etc/resolv.conf
file so that gopherd can find the domain name server (DNS).

It is convenient to have a symlink ~gopher/some/where/gopher -> ../..
so that old pathnames keep working after the installation of chrootuid.

Important: make sure that no files etc.
are owned by the unprivileged account ("nobody" or whatever you chose).
The only exception that we permit is the gopherd logfile, because no
program depends on it.

~gopher:
drwxr-sr-x  2 exp          512 Aug 12 13:33 bin
dr-xr-sr-x  2 exp          512 Oct 12  1992 dev
drwxr-sr-x  9 exp          512 Aug  9 12:35 gopherdata
dr-xr-sr-x  2 exp          512 Apr 22 14:24 some
drwxrwsrwt  2 exp          512 Aug 12 13:48 tmp
dr-xr-sr-x  4 exp          512 Jan 25  1993 usr

~gopher/bin:
-rwx--x--x  1 exp       409600 Aug 12 13:39 gopherd
-rw-r--r--  1 exp         2299 Jun 15 10:12 gopherd.conf

~gopher/dev:
crw-rw-rw-  1 exp       3,  12 Oct 12  1992 zero

~gopher/gopherdata:

~gopher/some:
dr-xr-xr-x  2 exp          512 Apr 22 14:24 where

~gopher/some/where:
lrwxrwxrwx  1 exp            6 Apr 22 14:24 gopher -> ../../

~gopher/tmp:
-rw-r--r--  1 nobody    220563 Aug 12 14:46 gopher.log

~gopher/usr:
dr-xr-xr-x  2 exp          512 Oct 12  1992 lib
dr-xr-xr-x  3 exp          512 Jan 21  1993 share

~gopher/usr/lib:
-r-xr-xr-x  1 exp        40960 Oct 11  1990 ld.so
-r-xr-xr-x  1 exp       516096 Oct 12  1990 libc.so.1.6

~gopher/usr/share:
dr-xr-xr-x  3 exp          512 Jan 21  1993 lib

~gopher/usr/share/lib:
dr-xr-xr-x  2 exp          512 Jan 21  1993 zoneinfo

~gopher/usr/share/lib/zoneinfo:
-r--r--r--  1 exp          590 Oct 11  1990 MET
-r--r--r--  1 exp          590 Oct 11  1990 localtime

chrootuid-1.3/chrootuid.c

/*++
/* NAME
/*	chrootuid 1
/* SUMMARY
/*	run command in restricted environment
/* SYNOPSIS
/*	\fBchrootuid\fR \fInewroot newuser command\fR...
/* DESCRIPTION
/*	The \fBchrootuid\fR command sets up a restricted environment for
/*	executing \fIcommand\fR. Access to the file system is restricted to
/*	the \fInewroot\fR subtree; privileges are restricted to those of
/*	the \fInewuser\fR account (which must be a known account in the
/*	unrestricted environment).
/*	The initial working directory is changed to \fInewroot\fR.
/*
/*	\fBchrootuid\fR combines chroot(8) and su(1) into one program, so
/*	that there is no need to have commands such as /usr/bin/su
/*	in the restricted environment.
/*
/*	Only the superuser can use the \fBchrootuid\fR command.
/* DIAGNOSTICS
/*	Problems are reported to the syslog daemon. When \fBchrootuid\fR
/*	itself has a problem it exits with status 0 after logging it, so
/*	that inetd does not complain a second time; the syslog record is
/*	therefore the only indication of failure. Otherwise the exit
/*	status is that of \fIcommand\fR.
/* SEE ALSO
/*	chroot(8), su(1)
/* AUTHOR(S)
/*	Wietse Venema
/*	Eindhoven University of Technology
/*	Department of Mathematics and Computer Science
/*	Den Dolech 2, P.O. Box 513, 5600 MB Eindhoven, The Netherlands
/*
/*	IBM T.J. Watson Research
/*	P.O. Box 704
/*	Yorktown Heights, NY 10598, USA
/* CREATION DATE
/*	Tue Oct 13 11:37:29 MET 1992
/* LAST MODIFICATION
/*	Wed Jul 25 11:25:08 EDT 2001
/* VERSION/RELEASE
/*	1.3
/*--*/

#ifndef lint
static char sccsid[] = "@(#) chrootuid.c 1.3 2001/07/25 11:25:08";
#endif

/* System libraries. */

#include <sys/types.h>
#include <syslog.h>
#include <pwd.h>
#include <grp.h>
#include <unistd.h>

int     main(int argc, char **argv)
{
    struct passwd *pwd;

    /*
     * Open a channel to the syslog daemon. Older versions of openlog()
     * require only two arguments.
     */
#ifdef LOG_DAEMON
    (void) openlog(argv[0], LOG_PID | LOG_NDELAY, LOG_DAEMON);
#else
    (void) openlog(argv[0], LOG_PID);
#endif

    /*
     * Require proper amount of arguments. In all cases of error, exit with
     * zero status because we have already reported the problem via syslogd.
     * No need to make inetd complain, too.
     */
    if (argc < 4) {
	syslog(LOG_ERR, "usage: %s path user command", argv[0]);
	return (0);
    }

    /* Must step into the new subtree. */

    if (chdir(argv[1])) {
	syslog(LOG_ERR, "chdir(%s): %m", argv[1]);
	return (0);
    }

    /* The user must be known in the *unrestricted* universe... */

    if ((pwd = getpwnam(argv[2])) == 0) {
	syslog(LOG_ERR, "%s: user unknown", argv[2]);
	return (0);
    }

    /* initgroups() accesses the group file in the unrestricted universe... */

    if (initgroups(pwd->pw_name, pwd->pw_gid) < 0) {
	syslog(LOG_ERR, "initgroups: %m");
	return (0);
    }
    endgrent();

    /*
     * Do the chroot() before giving away root privileges.
     */
    if (chroot(argv[1])) {
	syslog(LOG_ERR, "chroot(%s): %m", argv[1]);
	return (0);
    }

    /* Switch group id then user id. */

    if (setgid(pwd->pw_gid)) {
	syslog(LOG_ERR, "setgid(%d): %m", (int) pwd->pw_gid);
	return (0);
    }
    if (setuid(pwd->pw_uid)) {
	syslog(LOG_ERR, "setuid(%d): %m", (int) pwd->pw_uid);
	return (0);
    }

    /* In case we still have the /etc/passwd file open. */

    endpwent();

    /* Run the command and hope for the best. */

    (void) execv(argv[3], argv + 3);
    syslog(LOG_ERR, "%s: %m", argv[3]);
    return (0);
}

chrootuid-1.3/chrootuid_license

-----BEGIN PGP SIGNED MESSAGE-----

As of July 25, 2001, the text below constitutes the chrootuid license.

/*
 * Copyright 2001 by Wietse Venema. All rights reserved. Some individual
 * files may be covered by other copyrights.
 *
 * This material was originally written and compiled by Wietse Venema at
 * Eindhoven University of Technology, The Netherlands, in 1990, 1991, 1992,
 * 1993, 1994 and 1995.
 *
 * Later versions are maintained by Wietse Venema at IBM T.J. Watson Research,
 * Hawthorne, USA, in 2001.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that this entire copyright notice is
 * duplicated in all such copies.
 *
 * This software is provided "as is" and without any expressed or implied
 * warranties, including, without limitation, the implied warranties of
 * merchantibility and fitness for any particular purpose.
 */

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBO17bvtyA8qbVMny5AQF8zgP+LYWTT4axQNy3aAdr7SAFNcoNAjNNa02f
Oij2zE2SAjIW/g+dEbIdPewPccXzvSoKgbW9EcIIS8Ix958FIYeAPVkFNywvvn8u
ETrpU8KP3SBMdvyk57gLqYDOr+LQvqD6TkkfND5p0++LUPGR/31qjBpRZDSQngWZ
uCuydXF4tec=
=EpPk
-----END PGP SIGNATURE-----

chrootuid-1.3/chrootuid.1

.TH CHROOTUID 1
.ad
.fi
.SH NAME
chrootuid \- run command in restricted environment
.SH SYNOPSIS
.na
.nf
\fBchrootuid\fR \fInewroot newuser command\fR...
.SH DESCRIPTION
.ad
.fi
The \fBchrootuid\fR command sets up a restricted environment for
executing \fIcommand\fR. Access to the file system is restricted to
the \fInewroot\fR subtree; privileges are restricted to those of
the \fInewuser\fR account (which must be a known account in the
unrestricted environment).
The initial working directory is changed to \fInewroot\fR.

\fBchrootuid\fR combines chroot(8) and su(1) into one program, so
that there is no need to have commands such as /usr/bin/su
in the restricted environment.

Only the superuser can use the \fBchrootuid\fR command.
.SH DIAGNOSTICS
.ad
.fi
Problems are reported to the syslog daemon. When \fBchrootuid\fR
itself has a problem it exits with status 0 after logging it, so
that inetd does not complain a second time; the syslog record is
therefore the only indication of failure. Otherwise the exit
status is that of \fIcommand\fR.
.SH SEE ALSO
.na
.nf
chroot(8), su(1)
.SH AUTHOR(S)
.na
.nf
Wietse Venema
Eindhoven University of Technology
Department of Mathematics and Computer Science
Den Dolech 2, P.O. Box 513, 5600 MB Eindhoven, The Netherlands

IBM T.J. Watson Research
P.O.
Box 704
Yorktown Heights, NY 10598, USA
.SH CREATION DATE
.na
.nf
Tue Oct 13 11:37:29 MET 1992
.SH LAST MODIFICATION
.na
.nf
Wed Jul 25 11:25:08 EDT 2001
.SH VERSION/RELEASE
.na
.nf
1.3

chrootuid-1.3/Makefile

# @(#) Makefile 1.2 93/08/12 16:09:29

FILES	= README Makefile chrootuid.c chrootuid.1
CFLAGS	= -O

all:	chrootuid chrootuid.1

chrootuid: chrootuid.c
	$(CC) $(CFLAGS) -o $@ $?

#chrootuid.1: chrootuid.c
#	srctoman $? >$@

shar:	$(FILES)
	@shar $(FILES)

install: chrootuid.1 chrootuid
	cp chrootuid /usr/local/bin
	cp chrootuid.1 /usr/local/man/man1

clean:
	rm -f *.o core chrootuid

chrootuid-1.3/chrootuid: prebuilt ELF executable (dynamically linked
against libc.so.6 via /lib/ld-linux.so.2, built with GCC 2.95.4);
binary contents omitted.
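The appendix's rule that nothing below the jail except the log file may be owned by the unprivileged account is easy to violate over time (a restore, a careless chown), and the listing above is only a snapshot. The audit below is an added example, not part of chrootuid: it walks a jail with nftw() and counts every object owned by a given uid, exempting one path. The names audit_jail, make_sample_jail and sample_jail_log, the /tmp/jailaudit.XXXXXX sample tree and its bin/app and tmp/app.log entries are this example's own constructs; the sample tree is built by the example itself so it runs without a real gopher installation.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* nftw(), FTW_PHYS, mkdtemp(); harmless if set */
#endif
#include <fcntl.h>
#include <ftw.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* nftw() carries no user-data pointer, so one audit's parameters live here. */
static uid_t audit_uid;             /* uid of the unprivileged account */
static const char *audit_allowed;   /* the one path it may own, or NULL */
static int audit_hits;

static int audit_visit(const char *path, const struct stat *sb, int flag, struct FTW *ftw)
{
    (void) flag;
    (void) ftw;
    /* With FTW_PHYS, sb describes a symlink itself, not what it points to. */
    if (sb->st_uid == audit_uid
        && (audit_allowed == NULL || strcmp(path, audit_allowed) != 0)) {
        audit_hits++;
        printf("owned by uid %lu: %s\n", (unsigned long) audit_uid, path);
    }
    return 0;                       /* keep walking */
}

/* Count objects at or below root (root included) owned by uid, ignoring
 * allowed_path. A clean jail yields 0; -1 means the walk itself failed. */
int audit_jail(const char *root, uid_t uid, const char *allowed_path)
{
    audit_uid = uid;
    audit_allowed = allowed_path;
    audit_hits = 0;
    /* FTW_PHYS: do not follow symlinks; FTW_MOUNT: stay on one file system. */
    if (nftw(root, audit_visit, 32, FTW_PHYS | FTW_MOUNT) != 0)
        return -1;
    return audit_hits;
}

/* Constructed sample: a throwaway jail shaped like the README's tree
 * (bin/app, tmp/app.log), owned by whoever runs this. Idempotent. */
static char sample_root[] = "/tmp/jailaudit.XXXXXX";
static char sample_log[sizeof(sample_root) + 16];
static int sample_ready;

static int touch(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    return fd < 0 ? -1 : close(fd);
}

const char *make_sample_jail(void)
{
    char path[sizeof(sample_log)];

    if (sample_ready)
        return sample_root;
    if (mkdtemp(sample_root) == NULL)
        return NULL;
    snprintf(path, sizeof path, "%s/bin", sample_root);
    if (mkdir(path, 0755) != 0)
        return NULL;
    snprintf(path, sizeof path, "%s/bin/app", sample_root);
    if (touch(path, 0711) != 0)
        return NULL;
    snprintf(path, sizeof path, "%s/tmp", sample_root);
    if (mkdir(path, 01777) != 0)
        return NULL;
    snprintf(sample_log, sizeof sample_log, "%s/tmp/app.log", sample_root);
    if (touch(sample_log, 0644) != 0)
        return NULL;
    sample_ready = 1;
    return sample_root;
}

/* The sample log file: the one object the audit is told to allow. */
const char *sample_jail_log(void)
{
    return sample_ready ? sample_log : NULL;
}

/* usage: audit_jail ROOT USER [ALLOWED_PATH]; exit 1 if anything is owned. */
int main(int argc, char **argv)
{
    struct passwd *pwd;

    if (argc < 3 || argc > 4 || (pwd = getpwnam(argv[2])) == NULL) {
        fprintf(stderr, "usage: %s root user [allowed_path]\n", argv[0]);
        return 2;
    }
    return audit_jail(argv[1], pwd->pw_uid, argc == 4 ? argv[3] : NULL) == 0 ? 0 : 1;
}
```

For the README's tree the call would be audit_jail /some/where/gopher nobody /some/where/gopher/tmp/gopher.log, run from cron or after every change to the tree; each offending path is printed and the exit status makes it usable as a check in a script. The sample jail contains five objects (the root, bin, bin/app, tmp and tmp/app.log), all owned by the caller, so an audit for the caller's uid reports 5, or 4 with the log file exempted, and 0 for any other uid.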
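chrootuid.c takes setuid() at its word and would just as happily "drop" to an account whose uid is 0. The function below is an added example, not chrootuid's own code: it performs the same chdir, account lookup, initgroups, chroot, setgid, setuid and execv sequence, but returns a distinct code for each failure, refuses uid or gid 0, chroots to "." (the directory it already entered) and then checks that root cannot be regained before it execs. The names restrict_and_exec, rx_strerror and the RX_ codes, and the /bin/true sample command, are this example's own. Like chrootuid it only does something useful when started as root; its argument checks, which run before any privilege change, can be exercised unprivileged.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* chroot() and initgroups() declarations */
#endif
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* One code per failure; success never returns because execv() replaces us. */
enum rx_status {
    RX_USAGE = 1, RX_CHDIR, RX_USER, RX_ROOT_USER, RX_GROUPS,
    RX_CHROOT, RX_SETGID, RX_SETUID, RX_STILL_PRIV, RX_EXEC
};

static const char *const rx_msg[] = {
    "ok", "usage", "chdir", "user unknown", "refusing uid/gid 0", "initgroups",
    "chroot", "setgid", "setuid", "privileges not dropped", "execv"
};

const char *rx_strerror(int code)
{
    return (code < 0 || code > RX_EXEC) ? "unknown" : rx_msg[code];
}

/* Constructed sample command for exercising the argument checks. */
char *const sample_cmd[] = { "/bin/true", NULL };

/* chrootuid's sequence with three additions: refuse uid/gid 0, chroot to
 * the directory already entered, and verify the drop before exec.
 * Returns only on failure. */
int restrict_and_exec(const char *newroot, const char *newuser, char *const cmd[])
{
    struct passwd *pwd;
    uid_t uid;
    gid_t gid;

    if (newroot == NULL || newuser == NULL || cmd == NULL || cmd[0] == NULL)
        return RX_USAGE;

    /* Step into the jail first; newroot is resolved exactly once, here. */
    if (chdir(newroot) != 0)
        return RX_CHDIR;

    /* The account lookup uses the passwd and group files OUTSIDE the jail,
     * so nothing of the kind has to exist below newroot. */
    if ((pwd = getpwnam(newuser)) == NULL)
        return RX_USER;
    uid = pwd->pw_uid;
    gid = pwd->pw_gid;
    if (uid == 0 || gid == 0)
        return RX_ROOT_USER;        /* "dropping" to root is not a drop */
    if (initgroups(pwd->pw_name, gid) != 0)
        return RX_GROUPS;
    endgrent();
    endpwent();                     /* pwd is stale from here on; we copied it */

    /* chroot(".") can only land in the directory we chdir'ed into, and
     * chdir("/") re-anchors the working directory inside the new root. */
    if (chroot(".") != 0 || chdir("/") != 0)
        return RX_CHROOT;

    /* Group first, user last: after setuid() we could no longer change gid. */
    if (setgid(gid) != 0)
        return RX_SETGID;
    if (setuid(uid) != 0)
        return RX_SETUID;

    /* Verify the drop: a real one means root cannot be regained. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return RX_STILL_PRIV;

    execv(cmd[0], cmd);             /* cmd[0] is relative to the new root */
    return RX_EXEC;
}

/* usage: restrict_and_exec NEWROOT NEWUSER COMMAND... (run as root) */
int main(int argc, char **argv)
{
    int rc;

    if (argc < 4) {
        fprintf(stderr, "usage: %s newroot newuser command...\n", argv[0]);
        return RX_USAGE;
    }
    openlog(argv[0], LOG_PID | LOG_NDELAY, LOG_DAEMON);
    rc = restrict_and_exec(argv[1], argv[2], argv + 3);
    /* Reached only on failure. Unlike chrootuid 1.3 this exits non-zero,
     * so a wrapper script or supervisor can tell failure from success. */
    syslog(LOG_ERR, "%s: %s (%s)", argv[1], rx_strerror(rc), strerror(errno));
    return rc;
}
```

The order matters in both directions: the lookup and initgroups() must precede chroot() because the passwd and group files are outside the jail, and chroot() must precede setgid()/setuid() because only root may call it. The post-drop setuid(0) probe is cheap and catches the case where the new uid is root after all or a platform quirk left the saved uid at 0.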