javeree Guru
Joined: 29 Jan 2006 Posts: 453
Posted: Fri Sep 12, 2014 3:53 pm Post subject: cannot chroot static executable |
I have downloaded a 32 bit binary on my 32 bit Gentoo. The program runs fine:
Quote: | ~/mc2xml_chrootjail $ ./mc2xml -c be -g 2390
Loading ..... : mc2xml (c) <mc2xml@gmail.com> (v1.2)
Reminder .... : Unauthorized redistribution prohibited.
Reminder .... : If this software is useful, please donate!
Reading ..... : mc2xml.dat
Downloading . : microsoft.com
Status ...... : No new data available |
Now I want to run this is a chroot, so I do:
Quote: | ldd ./mc2xml
not a dynamic executable
file ./mc2xml
./mc2xml: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
readelf -a ./mc2xml
ELF Header:
Magic: 7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - GNU
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0xdc2528
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 2
Size of section headers: 40 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x00c01000 0x00c01000 0x1c1cdd 0x1c1cdd R E 0x1000
LOAD 0x000590 0x08417590 0x08417590 0x00000 0x00000 RW 0x1000
There is no dynamic section in this file.
There are no relocations in this file.
The decoding of unwind sections for machine type Intel 80386 is not currently supported.
No version information found in this file.
|
then I run su and try to chroot:
Quote: | mc2xml_chrootjail # chroot . ./mc2xml
Loading ..... : mc2xml (c) <mc2xml@gmail.com> (v1.2)
Reminder .... : Unauthorized redistribution prohibited.
Reminder .... : If this software is useful, please donate!
Reading ..... : mc2xml.dat
terminate called after throwing an instance of 'std::length_error'
what(): basic_string::_S_create
Aborted |
This happens consistently, so it looks like the chroot changes something that the executable needs. Is there a way to find out what this is? All my attempts failed. All I managed further to do was:
Quote: | chroot . /strace /mc2xml
execve("/mc2xml", ["/mc2xml"], [/* 45 vars */]) = 0
old_mmap(0xdc3000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0xdc3000) = 0xdc3000
readlink("/proc/self/exe", 0xbfd24524, 4096) = -1 ENOENT (No such file or directory)
old_mmap(0x8048000, 3839876, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x8048000
mprotect(0x8048000, 3839873, PROT_READ|PROT_EXEC) = 0
old_mmap(0x83f3000, 70763, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x83f3000
mprotect(0x83f3000, 70760, PROT_READ|PROT_WRITE) = 0
old_mmap(0x8405000, 75152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x8405000
brk(0x8418000) = 0x996b000
munmap(0xc02000, 1843200) = 0
uname({sys="Linux", node="Hermes", ...}) = 0
brk(0) = 0x996b000
brk(0x996bcc0) = 0x996bcc0
set_thread_area({entry_number:-1 -> 6, base_addr:0x996b840, limit:1048575, seg_32bit:1, contents:0, read_exec_only: 0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
brk(0x998ccc0) = 0x998ccc0
brk(0x998d000) = 0x998d000
time(NULL) = 1410535837
open("/etc/localtime", O_RDONLY) = -1 ENOENT (No such file or directory)
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 7), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7712000
write(1, "Loading ..... : mc2xml (c) <mc2x"..., 53Loading ..... : mc2xml (c) <mc2xml@gmail.com> (v1.2)
) = 53
write(1, "Reminder .... : Unauthorized red"..., 56Reminder .... : Unauthorized redistribution prohibited.
) = 56
write(1, "Reminder .... : If this software"..., 59Reminder .... : If this software is useful, please donate!
) = 59
open("mc2xml.dat", O_RDONLY|O_LARGEFILE) = 3
write(1, "Reading ..... : mc2xml.dat\n", 27Reading ..... : mc2xml.dat
) = 27
read(3, "Telenet Analog Kabel (incl. Loen"..., 8191) = 104
read(3, "", 8191) = 0
close(3) = 0
time(NULL) = 1410535837
getpid() = 29358
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
open("/dev/random", O_RDONLY|O_NOCTTY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
open("/dev/srandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
socket(PF_LOCAL, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/egd-pool"}, 19) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_LOCAL, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/dev/egd-pool"}, 15) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_LOCAL, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/etc/egd-pool"}, 15) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_LOCAL, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/etc/entropy"}, 14) = -1 ENOENT (No such file or directory)
close(3) = 0
getuid32() = 0
time(NULL) = 1410535837
write(2, "terminate called after throwing "..., 48terminate called after throwing an instance of ') = 48
write(2, "std::length_error", 17std::length_error) = 17
write(2, "'\n", 2'
) = 2
write(2, " what(): ", 11 what(): ) = 11
write(2, "basic_string::_S_create", 23basic_string::_S_create) = 23
write(2, "\n", 1
) = 1
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, = 0
tgkill(29358, 29358, SIGABRT) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=29358, si_uid=0} ---
+++ killed by SIGABRT +++
Aborted |
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Fri Sep 12, 2014 6:07 pm Post subject: |
It needs a random device:
Code: | open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
open("/dev/random", O_RDONLY|O_NOCTTY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
open("/dev/srandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
# ..continues with non-Linux variants |
That's why the handbook has instructions for mounting /proc, /dev, and /sys in the /mnt/gentoo chroot:
Code: | mount -t proc proc "$CHROOT/proc"
mount --rbind /sys "$CHROOT/sys"
mount --rbind /dev "$CHROOT/dev"
|
If you prefer you can just:
Code: | mount --bind /dev/urandom "$CHROOT/dev/urandom"
mount --bind /dev/random "$CHROOT/dev/random" |
..as part of your startup script, though it may well need other things.
For instance: /dev/null is pretty essential, /dev/zero and /dev/console are also usually needed.
The traditional method is to use mknod or the MAKEDEV (iirc) wrapper to make essential devices. However, if you just want it to run as if it were under your machine, use the full sequence above. |
javeree Guru
Joined: 29 Jan 2006 Posts: 453
Posted: Fri Sep 19, 2014 8:06 am Post subject: |
That seems to have done the trick (there's still an error, but that error also happens outside the chroot, so it is unrelated to this post).
It's funny that there are quite some places that explain chrooting and using ldd to find dependencies and import them into the chroot, but most seem to forget about /dev/ et al.
Is there a systematic way to find out which /dev/ nodes a program uses (I doubt it, given that these are just file handles)? I would assume that when using chroot to isolate a program, you don't want to expose all /dev/ nodes, but only the ones needed, so it would be good if there were a trick to list which ones are used. |
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Fri Sep 19, 2014 9:44 am Post subject: |
javeree wrote: | Is there a systematic way to find out which /dev/ nodes a program uses (I doubt it, given that these are just file handles)? I would assume that when using chroot to isolate a program, you don't want to expose all /dev/ nodes, but only the ones needed, so it would be good if there were a trick to list which ones are used. |
Use strace -e trace=file
cf: man 1 strace |
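Both answers above, combined into one added example that is not code from the thread, from mc2xml, or from the Gentoo handbook: a POSIX shell helper that takes strace output, lists every absolute path the program failed to find, narrows that to the /dev nodes the host actually has, checks a jail for them, and prints the bind-mount lines for review, so only the nodes the program asked for get exposed rather than all of /dev. The function names are my own, and the embedded trace is a constructed excerpt modelled on the one in the first post; capture a real one with `strace -f -e trace=file -o trace.log chroot "$CHROOT" /mc2xml` (add `network` to the class list, `-e trace=file,network`, if you also want unix-socket paths such as the egd-pool probes).

```shell
#!/bin/sh
# Added example, not code from the thread: derive the device nodes a chrooted
# program needs from an strace log, then check and populate the jail.
#
# Capture a real trace with (per the answer above, plus -f for child processes):
#   strace -f -e trace=file -o trace.log chroot "$CHROOT" /mc2xml
#   missing_paths "$(cat trace.log)"

# Constructed strace excerpt for offline use, modelled on the first post's trace.
SAMPLE_TRACE='execve("/mc2xml", ["/mc2xml"], [/* 45 vars */]) = 0
readlink("/proc/self/exe", 0xbfd24524, 4096) = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY) = -1 ENOENT (No such file or directory)
open("mc2xml.dat", O_RDONLY|O_LARGEFILE) = 3
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
open("/dev/random", O_RDONLY|O_NOCTTY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
open("/dev/srandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/egd-pool"}, 19) = -1 ENOENT (No such file or directory)
open("/dev/null", O_WRONLY) = 4'

# Every absolute path (first quoted string on the line) that a syscall
# failed on with ENOENT, once each. The syscall name is not matched, so
# open/openat/stat/readlink and unix-socket connect all count.
missing_paths() {
    printf '%s\n' "$1" \
        | grep 'ENOENT' \
        | sed -n 's|^[^"]*"\(/[^"]*\)".*|\1|p' \
        | sort -u
}

# The subset under /dev: candidates to bind-mount (or mknod) into the jail.
missing_dev_nodes() {
    missing_paths "$1" | grep '^/dev/' || true
}

# Keep only names that are character devices on the host. A program probes
# platform-specific names in turn (/dev/srandom is the BSD name) and only
# needs the first one that succeeds, so the rest can be dropped.
host_dev_nodes() {
    missing_dev_nodes "$1" | while IFS= read -r p; do
        if [ -c "$p" ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# List the given nodes that are not (yet) character devices inside the jail.
# Exit status 1 if any is missing, so it can gate the program start.
jail_missing() {
    jail=$1; shift
    rc=0
    for p in "$@"; do
        if [ ! -c "$jail$p" ]; then
            printf '%s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# Bind-mount lines for the missing nodes, printed for review; run them as root
# once the jail path is real. A bind mount needs an existing target file.
bind_mount_lines() {
    jail=$1; shift
    for p in "$@"; do
        d=$(dirname "$jail$p")
        printf 'mkdir -p "%s" && touch "%s%s" && mount --bind "%s" "%s%s"\n' \
            "$d" "$jail" "$p" "$p" "$jail" "$p"
    done
}

if [ "${1:-}" = "--demo" ]; then
    echo "paths not found in the jail:"; missing_paths "$SAMPLE_TRACE"
    echo "device nodes to provide:";     host_dev_nodes "$SAMPLE_TRACE"
    echo "mount lines for /srv/jail:";   bind_mount_lines /srv/jail $(host_dev_nodes "$SAMPLE_TRACE")
fi
```

Run it with `--demo` to see the three stages on the embedded sample; with a real trace, `jail_missing "$CHROOT" $(host_dev_nodes "$(cat trace.log)")` returning non-zero is the signal to run the printed mount lines before starting the program. Paths outside /dev that show up (here /etc/localtime and /proc/self/exe) are the same kind of hint for what else to copy or mount, and a regular file can be bind-mounted read-only the same way rather than giving the jail all of /etc.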