11 January 2013

316. Briefly: Automated chroot/sandbox creation

EDIT:
There are plenty of reasons to use chroots, but security is not one of them.

For a practical how-to see e.g.
http://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

For a bit of yelling, see
http://yarchive.net/comp/linux/chroot.html

chroot will improve your security by creating an obstacle which may filter out some would-be crackers, but it will not make your system secure by any standard (in spite of what I may have written elsewhere on this blog).

Original post:
I've been using chroot to compile and test stuff so much lately that I figured it was time to automate the process.

Before creating your chroot you'll need a few packages:
sudo apt-get install debootstrap coreutils x11-xserver-utils


The scripts
makechroot.sh
#!/bin/sh
# makechroot.sh <name>: bootstrap a Debian chroot under $HOME/tmp/jail/<name>
mkdir -p $HOME/tmp/jail/$1
sudo debootstrap --arch amd64 testing $HOME/tmp/jail/$1 http://ftp.au.debian.org/debian/
# copy the setup script into the chroot so it can be run from inside
sudo cp setupchroot.sh $HOME/tmp/jail/$1/

setupchroot.sh
#!/bin/sh
# setupchroot.sh: run as root inside the freshly bootstrapped chroot
rm /etc/apt/sources.list
echo 'deb http://ftp.au.debian.org/debian/ wheezy main contrib non-free' >> /etc/apt/sources.list
apt-get update
apt-get install locales sudo vim
echo 'export LC_ALL="C"' >> /etc/bash.bashrc
echo 'export LANG="C"' >> /etc/bash.bashrc
echo 'export DISPLAY=:0.0' >> /etc/bash.bashrc
# the redirect belongs outside the quotes, or the whole string is echoed to stdout
echo '127.0.0.1 beryllium' >> /etc/hosts
. /etc/bash.bashrc
adduser sandbox
usermod -g sudo sandbox
# one sudo authentication then covers all terminals (visudo is the safer way to edit sudoers)
echo 'Defaults !tty_tickets' >> /etc/sudoers

launchchroot.sh
#!/bin/sh
# launchchroot.sh <name>: enter an existing chroot under $HOME/tmp/jail/<name>
JAIL=$HOME/tmp/jail/$1
# xhost + disables X access control for every host (xhost +local: is the narrower form)
xhost +
# mount and resolv.conf must use the full jail path, the same one chroot is given
sudo mount -o bind /proc $JAIL/proc
sudo cp /etc/resolv.conf $JAIL/etc/resolv.conf
sudo chroot $JAIL

How to use
To set up the chroot:
sh makechroot.sh mynewchroot
sudo chroot $HOME/tmp/jail/mynewchroot
root@beryllium:/# sh setupchroot.sh

To use the chroot:
sh launchchroot.sh mynewchroot

Once you're done with the chroot and logged out, do
sudo umount $HOME/tmp/jail/mynewchroot/proc

to unmount /proc -- you can now delete, copy etc. the directory structure of your chroot.
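As an added example (not one of the post's scripts), here is a hypothetical launch script in the spirit of launchchroot.sh: it rejects jail names that would resolve outside $HOME/tmp/jail, bind-mounts /proc, enters the chroot, and unmounts /proc again when the chroot shell exits, so the manual umount step above is not forgotten. It assumes the same $HOME/tmp/jail/<name> layout as the post and uses xhost +local: instead of xhost +.

```shell
#!/bin/sh
# Hypothetical launch script in the spirit of launchchroot.sh (added example,
# not one of the blog's scripts). Jails are assumed to live under
# $HOME/tmp/jail/<name>, as in the post.
JAIL_ROOT="${JAIL_ROOT:-$HOME/tmp/jail}"

# The jail name must be a single path component: empty names, names containing
# a slash, "." and ".." are rejected so "$JAIL_ROOT/$name" cannot point outside
# the jail directory (otherwise the bind mount and chroot land elsewhere).
valid_jail_name() {
    case "$1" in
        ''|*/*|.|..) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the absolute path of a jail; fails if the name is not acceptable.
jail_path() {
    valid_jail_name "$1" || return 1
    printf '%s/%s\n' "$JAIL_ROOT" "$1"
}

# Enter the jail: bind-mount /proc, copy resolv.conf, chroot, and unmount
# /proc again when the chroot shell exits (the manual umount step in the post).
enter_jail() {
    path=$(jail_path "$1") || { echo "bad jail name: $1" >&2; return 1; }
    [ -d "$path/etc" ] || { echo "no chroot at $path" >&2; return 1; }
    sudo mount -o bind /proc "$path/proc" || return 1
    trap 'sudo umount "$path/proc"' EXIT INT TERM
    sudo cp /etc/resolv.conf "$path/etc/resolv.conf"
    # Narrower than "xhost +": only local (non-network) X clients are allowed.
    xhost +local: >/dev/null 2>&1 || true
    sudo chroot "$path"
}

# Only act when a jail name is given on the command line.
if [ $# -eq 1 ]; then
    enter_jail "$1"
fi
```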

315. Briefly: Compile firefox 18 on debian testing/wheezy

For no better reason than pure curiosity, here's how to build firefox 18. My regular build environment has so many packages installed these days that it's useless for working out dependencies for other people, so I tried it in a fresh chroot to hammer out the current dependencies beyond a doubt. In other words: it will work for you.

In retrospect I'm not sure if you really need the dev package for libgtk2.0.

sudo apt-get install bzip2 build-essential python zip unzip pkg-config libgtk2.0-dev gconf2 libdbus-1-dev libdbus-glib-1-dev yasm libasound2-dev libcurl4-gnutls-dev libxt-dev mesa-common-dev
mkdir ~/tmp/firefox -p
cd ~/tmp/firefox
wget ftp://ftp.mozilla.org/pub/firefox/releases/18.0/source/firefox-18.0.source.tar.bz2
tar xvf firefox-18.0.source.tar.bz2
mkdir build/
cd build/
../mozilla-release/configure --prefix=$HOME/.firefox18
make
make install
echo "alias firefox18='$HOME/.firefox18/bin/firefox'" >> $HOME/.bashrc
source $HOME/.bashrc

Launch by typing
firefox18


10 January 2013

314. Briefly: Installing talkd on ROCKS 5.4.3

I was asked to set up talkd on our Rocks 5.4.3 cluster (CentOS 5.4). There are no talkd or talk-server packages in the repos on that server.

Note: The general consensus seems to be that talk is
1. insecure and
2. outdated.

To install:
wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/talk-server-0.17-31.el5.x86_64.rpm
yum localinstall talk-server-0.17-31.el5.x86_64.rpm
sudo iptables -A INPUT -p udp --dport 517 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 518 -s 127.0.0.1 -j ACCEPT

Above I've added -s 127.0.0.1, which I haven't yet tried, to limit connections to those from the local computer (localhost). If it doesn't work with -s 127.0.0.1, then try without -- but be aware of the security implications of accepting from any source. These rules also aren't permanent and will be lost on reboot. To make them permanent, edit /etc/sysconfig/iptables.
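An added example, not part of the original post: a small audit function that reads the INPUT chain as printed by iptables -S and reports any ACCEPT rule for talkd's UDP ports 517 and 518 that lacks the -s 127.0.0.1 restriction discussed above. The sample rules are constructed to look like what iptables echoes back for the two commands in this post (it adds /32 and -m udp).

```shell
#!/bin/sh
# Added example (not part of the original post): audit the INPUT rules that
# open talkd's UDP ports 517 and 518, as printed by "iptables -S INPUT", and
# report any ACCEPT rule that does not restrict the source to 127.0.0.1.
# Usage on a live system: sudo iptables -S INPUT | talkd_rules_localhost_only
# Only the talkd rules are examined, not the rest of the chain or its policy.
talkd_rules_localhost_only() {
    awk '
        /^-A INPUT / && /-p udp/ && /-j ACCEPT/ && /--dport (517|518) / {
            # a matching rule without "-s 127.0.0.1/32" accepts from any source
            if ($0 !~ "-s 127[.]0[.]0[.]1(/32)? ") {
                print "not localhost-only: " $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample output: the two rules from the post as iptables echoes
# them back, plus one loose rule for port 518 that the audit should flag.
SAMPLE_STRICT='-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 517 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 518 -j ACCEPT'
SAMPLE_LOOSE="$SAMPLE_STRICT
-A INPUT -p udp -m udp --dport 518 -j ACCEPT"

# Run the audit over a sample string; exit status 0 means all talkd rules
# are restricted to 127.0.0.1, 1 means at least one is open to any source.
audit_sample() {
    printf '%s\n' "$1" | talkd_rules_localhost_only
}
```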

I couldn't get talk to work before opening the ports and would get
Error on read from talk daemon : Connection refused
Note that talkd is run from xinetd rather than init -- it does not stay resident in memory, but is launched by xinetd only when it is needed (when traffic is detected on the ports associated with talkd). xinetd is a bit like a concierge, waking up whoever seems to be the addressee.


Edit both /etc/xinetd.d/talk and /etc/xinetd.d/ntalk and set disable = no. The talk file then looks like this:
# default: off
# description: The talk server accepts talk requests for chatting with users \
#	on other systems.
service talk
{
	flags		= IPv4
	disable		= no
	socket_type	= dgram
	wait		= yes
	user		= nobody
	group		= tty
	server		= /usr/sbin/in.talkd
}
Finally, restart xinetd (doing chkconfig talk on wasn't enough):
sudo /etc/init.d/xinetd restart



Note: If you or the other user have several terminals open you should figure out which terminal to use. If you're user2, do
ps
  PID TTY          TIME CMD
 5455 pts/23   00:00:00 bash
 9321 pts/23   00:00:00 ps
user1 can then do
[user1@host ~]$ talk user2@localhost pts/23

and user2 will see the following in that terminal:
Message from Talk_Daemon@host at 14:49 ...
talk: connection requested by user1@localhost.localdomain.
talk: respond with:  talk user1@localhost.localdomain
If you are user1 and have no idea which terminal user2 is logged on to, you can try
w|grep user2
user2    pts/8    remote:S.0       04Nov12 59:00   0.04s  0.04s /bin/bash
user2    pts/9    remote:S.1       04Nov12 17:28   0.03s  0.03s /bin/bash
user2    pts/10   remote           Mon12   2days   0.03s  0.00s ssh -X -v volde
user2    pts/11   local            Mon12   2days   0.29s  0.26s perl eccejobmon
user2    pts/23   remote           14:30    7.00s  0.00s  0.00s -bash