I am trying to setup a chroot jail, then I did:
which binary
ldd /bin/binary
Then I did:
cp /lib64/{libs} $jail/lib64
cp /usr/lib64/{libs} $jail/usr/lib64
PS: During this setup, I discovered that /lib64 needs special permissions r-x, only r– won't work (inside or outside chroot).
Copied binary to $jail, created /home/jailuser .
Created proc, dev, sys and mounted them.
Found uid and gid for jailuser:users
Changed ownership of home dir:
chown jailuser:users
chmod 700 (for dirs)
chmod 600 (for files)
Changed ownership of other files to root:root, and for the permissions, please see ahead.
Then under root entered the jail:
export USER=jailuser (and I did the same with LOGNAME, HOME)
cd $jail
chroot --userspec=$uid:$gid $jail $jail/binary
It worked, but:
In my local box, only worked with all non jailuser permissions as 005.
In a KVM VPS, tried the same, but the only permission that worked was 050!
Please, someone knows:
1) Why local only works with at least 005 and remote only works with at least 050 (Both systems are the same)?
2) Is there a better way to setup permissions inside a chroot jail? (But keeping root:root ownership, so the user/process cannot modify "system" files)…
3) Is there a better way to start this jail as a non privileged user, other than using –userspec option?
Thanks!
Best Answer
I think I've got it! I guess sometimes the system needs to change to an user that is inside root group and needs the libs (maybe system or nobody?) and thus lib64 and usr/lib64 really need at least 050 permissions.
My final script to set permissions is this (tested and working):