Root Jail

Biasanya root jail digunakan untuk meningkatkan keamanan suatu service dengan mengubah perspektif proses service tersebut terhadap filesystem, sehingga root yang dilihat proses itu terpisah dari root environment sistem. Biasanya juga disebut sebagai root filesystem mini.

Sebagai contoh, sekarang kita akan membuat root jail untuk service httpd:

1. Cek file yang berhubungan dengan httpd

[root@localhost ~]# rpm -ql httpd
/etc/httpd
/etc/httpd/conf
/etc/httpd/conf.d
/etc/httpd/conf.d/README
/etc/httpd/conf.d/proxy_ajp.conf
/etc/httpd/conf.d/welcome.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/magic

2. Lihat lokasi daemon httpd

#which httpd

3. Periksa library yang berhubungan dengan httpd

[root@localhost ~]# ldd /usr/sbin/httpd
linux-gate.so.1 =>  (0x00a22000)
libm.so.6 => /lib/i686/nosegneg/libm.so.6 (0x00e68000)
libpcre.so.0 => /lib/libpcre.so.0 (0x00cfc000)
libselinux.so.1 => /lib/libselinux.so.1 (0x009d7000)
libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x00110000)

4. Membuat root file system mini


# mkdir -p /var/jail/bin

# mkdir -p /var/jail/sbin

# mkdir -p /var/jail/etc

# mkdir -p /var/jail/dev

# mkdir -p /var/jail/tmp

# mkdir -p /var/jail/lib

# mkdir -p /var/jail/proc

# mkdir -p /var/jail/usr/bin

# mkdir -p /var/jail/usr/sbin

# mkdir -p /var/jail/usr/lib

# mkdir -p /var/jail/var/run

# mkdir -p /var/jail/var/lib

# mkdir -p /var/jail/var/log

# mkdir -p /var/jail/home

# mkdir -p /var/jail/etc/init.d

# mkdir -p /var/jail/etc/rc.d/init.d

# mkdir -p /var/jail/var/lock/subsys

5. Membuat file yang diperlukan


# mknod /var/jail/dev/zero c 1 5

# mknod /var/jail/dev/null c 1 3

# mknod /var/jail/dev/urandom c 1 9

# mknod /var/jail/dev/random c 1 8

# chmod 666 /var/jail/dev/*

6. Menyalin file program httpd dengan dependencynya

Langkah berikutnya adalah menyalin file program daemon httpd beserta dependency-nya, serta beberapa tool lain yang dibutuhkan dan file-file konfigurasi yang penting.
Menyalin file httpd dan dependency nya:
# cp /usr/sbin/httpd /var/jail/usr/sbin/
# cp /lib/libm.so.6 /var/jail/lib/
# cp /lib/libpcre.so.0 /var/jail/lib/
# cp /lib/libselinux.so.1 /var/jail/lib/
# cp /usr/lib/libaprutil-1.so.0 /var/jail/usr/lib/
--- lanjutkan penyalinan untuk library lainnya sebagaimana yang terdaftar dari hasil perintah ldd /usr/sbin/httpd ---


# cp /etc/services /var/jail/etc/

# cp -rf /etc/ld.so.c* /var/jail/etc/

# cp /sbin/ldconfig /var/jail/sbin/

# cd /var/jail/lib/

# ln -s bash sh

(Catatan: symlink sh -> bash ini hanya berguna jika dibuat di direktori yang sama dengan tempat bash disalin, yaitu /var/jail/bin pada langkah di bawah; periksa kembali lokasinya.)

# cp -rf /lib/libnss_* /var/jail/lib/

# cp /etc/fstab /var/jail/etc

# cp /bin/grep /var/jail/bin/

# mkdir /var/jail/etc/init.d

# mkdir -p /var/jail/etc/rc.d/init.d/

# cp /lib/libtermcap.so.2 /var/jail/lib/

# cp /etc/rc.d/init.d/functions /var/jail/etc/rc.d/init.d/

# cp /sbin/consoletype /var/jail/sbin/

# cp /etc/shells /var/jail/etc/

# cp /etc/mime.types /var/jail/etc/

# cp /bin/usleep /var/jail/bin

# cp /etc/passwd /var/jail/etc

# cp /etc/group /var/jail/etc

# cp /etc/shadow /var/jail/etc

(Catatan: menyalin /etc/shadow secara utuh berarti hash password semua akun ikut masuk ke dalam jail dan dapat terbaca oleh proses yang di-chroot jika izinnya longgar; lebih aman menyalin versi yang hanya berisi akun yang dibutuhkan service, dan pertahankan izin file seketat aslinya.)

# cp /etc/bashrc /var/jail/etc

# cp /etc/profile /var/jail/etc

# cp /etc/profile /var/jail/etc

# cp /etc/localtime /var/jail/etc

# cp /etc/hosts /var/jail/etc

# cp -rf /etc/profile.d /var/jail/etc

# cp /lib/ld-* /var/jail/lib/

# cp /bin/bash /var/jail/bin/

# cp /etc/nsswitch.conf /var/jail/etc/

# cp /usr/bin/getent /var/jail/usr/bin/

# cp /etc/services /var/jail/etc/

# cp -rf /etc/ld.so.c* /var/jail/etc/

# cp /sbin/ldconfig /var/jail/sbin/

# cd /var/jail/lib/

# ln -s bash sh

# cp -rf /lib/libnss_* /var/jail/lib/

# cp /etc/fstab /var/jail/etc

# cp /bin/grep /var/jail/bin/

# mkdir /var/jail/etc/init.d

# mkdir -p /var/jail/etc/rc.d/init.d/

# cp /lib/libtermcap.so.2 /var/jail/lib/

# cp /etc/rc.d/init.d/functions /var/jail/etc/rc.d/init.d/

# cp /sbin/consoletype /var/jail/sbin/

# cp /etc/shells /var/jail/etc/

# cp /etc/mime.types /var/jail/etc/

# cp /bin/usleep /var/jail/bin


Menyalin tool lainnya beserta dependency-nya, misalnya tool 'ls':

[root@localhost]# which ls

/bin/ls

[root@localhost]# cp /bin/ls /var/jail/bin/

[root@localhost]# ldd /bin/ls

linux-gate.so.1 => (0x00110000)

librt.so.1 => /lib/librt.so.1 (0x001a4000)

libacl.so.1 => /lib/libacl.so.1 (0x00681000)

libselinux.so.1 => /lib/libselinux.so.1 (0x00229000)

libc.so.6 => /lib/libc.so.6 (0x004fa000)

libpthread.so.0 => /lib/libpthread.so.0 (0x00668000)

/lib/ld-linux.so.2 (0x004dd000)

libattr.so.1 => /lib/libattr.so.1 (0x002b7000)

libdl.so.2 => /lib/libdl.so.2 (0x00662000)

libsepol.so.1 => /lib/libsepol.so.1 (0x00242000)

[root@localhost]# cp -rf /lib/librt.so.1 /var/jail/lib/

[root@localhost]# cp -rf /lib/libacl.so.1 /var/jail/lib/

[root@localhost]# cp -rf /lib/libselinux.so.1 /var/jail/lib/

[root@localhost]# cp -rf /lib/libc.so.6 /var/jail/lib/

[root@localhost]# cp -rf /lib/libpthread.so.0 /var/jail/lib/

[root@localhost]# cp -rf /lib/libattr.so.1 /var/jail/lib/

[root@localhost]# cp -rf /lib/libdl.so.2 /var/jail/lib/

[root@localhost]# cp -rf /lib/libsepol.so.1 /var/jail/lib/

Ulangi langkah yang sama untuk menyalin tool-tool lain yang dibutuhkan beserta dependency-nya.


Setelah chroot environment dibangun, langkah berikutnya adalah mencoba mengakses chroot environment tersebut dengan perintah berikut:

#chroot /var/jail

-bash-3.1$ ls


Jika akses ke root jail berhasil, coba jalankan daemon httpd:

#chroot /var/jail /usr/sbin/httpd

atau

#chroot /var/jail /etc/init.d/httpd start

Biasanya, pada saat mencoba perintah di atas, jika masih ada library atau dependency yang kurang akan diberitahukan lewat pesan error.

Misalnya yang kurang adalah lib perl.so, maka cari lokasinya dengan perintah:

locate perl.so

/usr/lib/perl.so, kemudian salin lagi ke dalam root jail-nya:

cp /usr/lib/perl.so /var/jail/usr/lib

Kemudian ulangi menjalankan perintah chroot-nya. Kalau sudah tidak ada masalah lagi, lakukan perintah:


# pgrep httpd

16424


[root@labtop1 ~]# ls -al /proc/16424

maka akan ditampilkan entri berikut, yang menunjukkan bahwa root filesystem proses tersebut sudah mengarah ke jail:


lrwxrwxrwx 1 root root 0 Sept 1 04:15 root -> /var/jail
