Showing posts with label jail. Show all posts
Showing posts with label jail. Show all posts

11 January 2013

316. Briefly: Automated chroot/sandbox creation

EDIT:
There are plenty of reasons to use chroots, but security is not one of them.

For a practical how-to see e.g
http://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

For a bit of yelling, see
http://yarchive.net/comp/linux/chroot.html

chroot will improve your security by creating an obstacle which may filter out some would-be crackers, but it will not make it secure by any standard. (in spite of what I may have written elsewhere on this blog).

Original post:
I've been using chroot to compile and test stuff so much lately that I figure it was time to automate the process.

Before creating your chroot you'll need a few packages:
sudo apt-get install debootstrap coreutils x11-xserver-utils


The scripts 
makechroot.sh


mkdir $HOME/tmp/jail/$1 -p
sudo debootstrap --arch amd64 testing $HOME/tmp/jail/$1 http://ftp.au.debian.org/debian/
sudo cp setupchroot.sh $HOME/tmp/jail/$1/




setupchroot.sh


rm /etc/apt/sources.list
echo 'deb  http://ftp.au.debian.org/debian/ wheezy main contrib non-free' >> /etc/apt/sources.list
apt-get update
apt-get install locales sudo vim
echo 'export LC_ALL="C"'>>/etc/bash.bashrc
echo 'export LANG="C"'>>/etc/bash.bashrc
echo 'export DISPLAY=:0.0' >> /etc/bash.bashrc
echo '127.0.0.1 beryllium >> /etc/hosts'
source /etc/bash.bashrc
adduser sandbox
usermod -g sudo sandbox
echo 'Defaults !tty_tickets' >> /etc/sudoers




launchchroot.sh


xhost +
sudo mount -o bind /proc $1/proc
sudo cp /etc/resolv.conf $1/etc/resolv.conf
sudo chroot $HOME/tmp/jail/$1

How to use
To set up the chroot: 
sh makechroot.sh mynewchroot
sudo chroot mynewchroot
root@beryllium:/# sh setupchroot.sh

To use the chroot: 
sh launchchroot.sh mynewchroot

Once you're done with the chroot and logged out, do 
sudo umount $HOME/tmp/jail/mynewchroot/proc

to unmount the /proc -- you can now delete, copy etc. the directory structure of you chroot.
Posted by at 2 comments:
Labels: , , ,

20 October 2012

262. chroot/jail your iceweasel (firefox)

Update: in my youth I thought that chroot=security. I now know better.
http://yarchive.net/comp/linux/chroot.html
http://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

In other words, don't rely on chroot for security -- it's not meant to be a security tool. I personally use it to browse at work without leaving a too obvious a trail (nothing shady -- part of my job is to apply for permanent jobs, but it is not necessarily in the interest of my current employer to see me succeed. Academia is a weird place.)

Original post:
There are many reasons why you'd want to secure your browser -- ranging from paranoia to justifiable cautiousness (you're probably visiting the wrong kind of sites...).

A chroot environment doesn't make you anonymous -- it just helps sandbox your applications. To protect your anonymity you'll want to prevent your browser from setting cookies, and use a proxy via an ssh tunnel to encrypt your traffic and hide your true IP address. There's no silver bullet for these things.

I've chroot:d things in the past when compiling 32 bit applications on 64 bit machines, but for this guide I'm leaning heavily on this post: https://help.ubuntu.com/community/BasicChroot

sudo apt-get install coreutils debootstrap

Time to get rocking. Be aware that you should have a bit of free space on your target drive. 



sudo debootstrap --arch amd64 wheezy /media/chroot/ http://ftp.au.debian.org/debian/




which gets stuff underway:






I: Retrieving InRelease
I: Checking Release signature
I: Valid Release signature (key id 9FED2BCBDCD29CDF762678CBAED4B06F473041FA)
I: Retrieving Packages
I: Validating Packages
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Checking component main on http://ftp.au.debian.org/debian...
I: Retrieving libacl1
I: Validating libacl1
I: Retrieving apt
[..]
I: Configuring dpkg-dev...
I: Configuring build-essential...
I: Base system installed successfully.




So far, so good.



Create a shell script, e.g. chroot.sh, with the following in it:



xhost +


sudo mount -o bind /proc /media/chroot/proc
sudo cp /etc/resolv.conf /media/chroot/etc/resolv.conf
sudo chroot /media/chroot




Run it everytime you want to enter you chroot environment:


sh chroot.sh




In the chroot shell, do



apt-get install locales sudo vim
echo 'export LC_ALL="C"'>>/etc/bash.bashrc
echo 'export LANG="C"'>>/etc/bash.bashrc
echo 'DISPLAY=:0.0' >> /etc/bash.bashrc
source /etc/bash.bashrc
adduser sandbox
usermod -g sudo sandbox
echo 'Defaults !tty_tickets' >> /etc/sudoers
apt-get install iceweasel
su sandbox
cd ~




Launch iceweasel/firefox:




sandbox@beryllium:/$ firefox





And you're pretty much done.



Next time you want to launch a sandboxed version of firefox just do:





me@beryllium:~$ sh chroot.sh 
access control disabled, clients can connect from any host
root@beryllium:/# su sandbox
sandbox@beryllium:/$ firefox










Posted by



at





No comments:
  



















Labels:
,
,
,
,
,
,
















        

      









Subscribe to:
Posts (Atom)