473,287 Members | 1,926 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,287 software developers and data experts.

Exit from os.chroot()

Hello! I'm writing a small script and I need to call the os.chroot function. The problem is, a few lines below I need to call a program in /usr/bin. Is there a way to exit from the chroot, or to limit the chroot to a single function or thread?
Thanks in advance

Jun 27 '08 #1
4 3312
support.intranet wrote:
Hello! I'm writing a small script and I need to call the
os.chroot function. The problem is, a few lines below I need to
call a program in /usr/bin. Is there a way to exit from the
chroot, or to limit the chroot to a single function or thread?
Thanks in advance
No, chroot applies to the whole process and once applied it can't
be reverted. Otherwise the whole idea of chroot being a FS jail
would not work.

So you need some programs in your chroot: Then put a directory
usr/bin into the chroot directory and bind the system's /usr/bin
there:

mount --bind /usr/bin $chroot/usr/bin

The same has to be done with all library stuff. Another option
would be to place a statically linked busybox and it's
subprogram links into the chroot

Wolfgang Draxinger
--
E-Mail address works, Jabber: he******@jabber.org, ICQ: 134682867

Jun 27 '08 #2
On 4 Giu, 17:08, Wolfgang Draxinger <wdraxin...@darkstargames.de>
wrote:
support.intranet wrote:
Hello! I'm writing a small script and I need to call the
os.chroot function. The problem is, a few lines below I need to
call a program in /usr/bin. Is there a way to exit from the
chroot, or to limit the chroot to a single function or thread?
Thanks in advance

No, chroot applies to the whole process and once applied it can't
be reverted. Otherwise the whole idea of chroot being a FS jail
would not work.

So you need some programs in your chroot: Then put a directory
usr/bin into the chroot directory and bind the system's /usr/bin
there:

mount --bind /usr/bin $chroot/usr/bin

The same has to be done with all library stuff. Another option
would be to place a statically linked busybox and it's
subprogram links into the chroot

Wolfgang Draxinger
--
E-Mail address works, Jabber: hexar...@jabber.org, ICQ: 134682867
Thanks! I'll try the bind way
Jun 27 '08 #3
>So you need some programs in your chroot: Then put a directory
usr/bin into the chroot directory and bind the system's /usr/bin
there:
>mount --bind /usr/bin $chroot/usr/bin
It is better to make copies of the needed binaries and libraries,
and *only* them.
Or symbolic links, of course. Also, wouldn't links prevent
the process from puffing actual binaries in /usr/bin?
** Posted from http://www.teranews.com **
Jun 27 '08 #4
Thomas Bellman wrote:
That might not be the best idea... Suddenly the chroot:ed
program has access to the real /usr/bin; and since it likely is
running as root (it was allowed to call chroot()), it can do bad
things to the things in /usr/bin.
If a chrooted process is running as root, it can very easily break out
of the chroot anyway. So...
Also remember, a chroot:ing process should permanently relinquish
its privileges as soon as possible after chroot:ing. There are
way too many fun things a root-running process can do even when
chroot:ed, like creating device files or setuid binaries.
....this is imperative.
All this is of course assuming that the chroot is done for
security reasons.
But here's something that might be interesting:

http://kerneltrap.org/Linux/Abusing_chroot

Short story: chroot is not and never has been a security tool.

-- Remy

Jun 27 '08 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
by: Andy | last post by:
On my webserver the web components are seperated into a chroot jail so it cannot access any of the mail (courier-mta) components. Does anyone know of a way to change how mail() functions? i.e....
0
by: SuicidalLabRat | last post by:
Is it Possable to build a chroot() like function using the abID and ITEMIDLIST structures, wherein the context in which a process runs ( this includes boundries to inter process communication...
0
by: alchimista | last post by:
hi, I've succesfully installed mysql on linux 2.4.x (TRUSTIX), I've tried to move it on my chroot jail but after 10s it crashes with the following message: --- cut here---- 040602 18:22:21 ...
1
by: Guinness Mann | last post by:
Pardon me if this is not the optimum newsgroup for this post, but it's the only .NET newsgroup I read and I'm certain someone here can help me. I have a C# program that checks for an error...
4
by: Bob Day | last post by:
Using VS 2003, VB.net... I am confused about the Application.Exit method, where the help states "This method does not force the application to exit." Aside from the naming confusion, how do I...
2
by: goodnamesalltaken | last post by:
Hello fellow python users, I've been working on a basic implementation of a privilege separated web server, and I've goto the point of running a basic cgi script. Basically when the execCGI...
1
by: =?Utf-8?B?VGFvZ2U=?= | last post by:
Hi All, When I use applcation.exit() in winForm application, the form closed, but the process is still going!! ( The debug process is still running if debug in VS IDE). Environment.Exit(0) works...
12
by: gregpinero | last post by:
This wiki page suggests using a chroot jail to sandbox Python, but wouldn't running something like this in your sandboxed Python instance still break you out of the chroot jail: os.execle...
39
by: mathieu | last post by:
Hi there, I am trying to reuse a piece of code that was designed as an application. The code is covered with 'exit' calls. I would like to reuse it as a library. For that I renamed the 'main'...
2
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM). In this month's session, the creator of the excellent VBE...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....
0
by: DolphinDB | last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation. Take...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Aftab Ahmad | last post by:
Hello Experts! I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: marcoviolo | last post by:
Dear all, I would like to implement on my worksheet an vlookup dynamic , that consider a change of pivot excel via win32com, from an external excel (without open it) and save the new file into a...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.