grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Thu May 21, 2015 11:32 am Post subject: Installing/running untrusted software
Periodically I need to install and run untrusted software that isn't in portage. Is there a good method for going about that?

Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
Posted: Thu May 21, 2015 12:50 pm
The easiest way would be to use some virtualization software like virtualbox or what they are called like these days.
Quote: | * app-emulation/virtualbox
Available versions: 4.3.18 (~)4.3.26 (~)4.3.28 {+additions alsa doc extensions headless java +opengl pam pulseaudio python +qt4 +sdk +udev vboxwebsrv vnc ELIBC="FreeBSD" PYTHON_TARGETS="python2_7"}
Homepage: http://www.virtualbox.org/
Description: Family of powerful x86 virtualization products for enterprise as well as home use
|
You could create a new user with a fresh home directory and run the software there or in a chroot, but it depends on what is untrusted.
Or boot up a livecd and run it from there. But I think you are asking for something like virtualbox or vmware or whatever else exists in this regard.
I am not sure if such apps are useful or not for you.
Quote: | * sys-apps/fakeroot
Available versions: 1.18.4 1.19 (~)1.20 (~)1.20.2 {acl debug static-libs test}
Homepage: http://packages.qa.debian.org/f/fakeroot.html
Description: A fake root environment by means of LD_PRELOAD and SysV IPC (or TCP) trickery
|
It boils down to what you want to run ... and with that knowledge you can choose the right environment then.

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54098 Location: 56N 3W
Posted: Thu May 21, 2015 5:31 pm
grant123,
It depends on your degree of paranoia.
1. don't run untrusted software :)
2. isolate it in its own hardware
3. use some form of virtualisation to isolate it.
4. run it in a live system of some sort (No HDD access at all)
5. Keep it in a chroot jail
6. trust it
I guess that 1 and 6 are not acceptable.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Fri May 22, 2015 5:35 pm
NeddySeagoon wrote: | grant123,
It depends on your degree of paranoia.
1. don't run untrusted software
2. isolate it in its own hardware
3. use some form of virtualisation to isolate it.
4. run it in a live system of some sort (No HDD access at all)
5. Keep it in a chroot jail
6. trust it
I guess that 1 and 6 are not acceptable. |
Can I set up a user and remove them from (almost?) all groups and run the software as that user and expect it to be reasonably safe?
Jaglover, just stuff I don't feel sure about.

Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Sat May 23, 2015 2:32 pm
Jaglover wrote: | app-misc/jail is better solution. |
How secure is it? Should I expect anything I run in the jail to be completely safe and sandboxed?
Generally, do all applications install and run properly in a jail?

szatox Advocate
Joined: 27 Aug 2013 Posts: 3105
Posted: Sat May 23, 2015 3:06 pm
chroot is secure if you don't expose anything important inside.
E.g. mounting /dev/ on top of your chroot directory would allow an application you run there to access your hard drives.
I don't know much about jail, but it seems to be some kind of helper that creates a chroot zone for you (so you don't have to build a second system yourself) and then you end up in a chroot anyway.
So, running a non-privileged application simply as another user, without access to your files, would let you contain the possible damage within a small "don't care" area. The same goes for virtualization, which is more work to set up but rewards you with a system you don't have to worry about in terms of "where that stuff will be installed". Running as a separate user on the same system, you want to have something like $HOME/bin in your $PATH in addition to regular stuff and install those funny things there.
In the case of an application for Windows you can use winecfg to map only particular directories you want that app to have access to.
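
A check for the exposure described in the post above (a filesystem such as /dev mounted inside the chroot), as an added example that is not part of the original thread: it lists mount points and device nodes found under a jail directory. The function names and the optional mounts-file argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: list what a chroot directory exposes.
# JAIL must be an absolute path without a trailing slash. MOUNTS defaults to
# /proc/self/mounts; it is a parameter so that sample data can be passed in.

# Mount points at or below JAIL, printed as "mountpoint fstype options".
# The "j/" prefix test keeps /var/chroot2 from matching /var/chroot.
jail_mounts() {    # jail_mounts JAIL [MOUNTS]
    awk -v j="$1" '$2 == j || index($2, j "/") == 1 { print $2, $3, $4 }' \
        "${2:-/proc/self/mounts}"
}

# Device nodes stored in the jail's own filesystem. -xdev stops find from
# walking mounted filesystems; those are reported by jail_mounts instead.
jail_devnodes() {  # jail_devnodes JAIL
    find "$1" -xdev \( -type b -o -type c \) -print
}

# Print everything that needs review; return 1 if there is anything to review.
jail_audit() {     # jail_audit JAIL [MOUNTS]
    rc=0
    m=$(jail_mounts "$@")
    d=$(jail_devnodes "$1")
    if [ -n "$m" ]; then printf 'mounted inside jail:\n%s\n' "$m"; rc=1; fi
    if [ -n "$d" ]; then printf 'device nodes inside jail:\n%s\n' "$d"; rc=1; fi
    return $rc
}

# Usage: sh jail-audit.sh /var/chroot
if [ "$#" -ge 1 ]; then jail_audit "$@"; fi
```

A jail that legitimately carries a few character devices such as /dev/null will be reported as well; the output is a list to review, not a verdict.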

Hu Moderator
Joined: 06 Mar 2007 Posts: 21494
Posted: Sat May 23, 2015 3:27 pm
You need to identify your threat model. If the untrusted application is actively malicious, it could know about kernel bugs that would let it escape the container you put it in. If it is only untrusted in the sense that you lack confidence that it will not accidentally delete your home directory, then it is much easier to contain.

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Tue May 26, 2015 6:42 pm
Thanks guys. It sounds like jail (chroot with ease) is the way to go. I wouldn't run anything I know to be malicious.
EDIT: Well maybe not as easy as I had hoped. Can anyone tell me what I did wrong?
Code: | # mkjailenv /var/chroot
# chroot /var/chroot /bin/bash
chroot: failed to run command ‘/bin/bash’: No such file or directory |
I tried this but still get the same error:
Code: | # addjailsw /var/chroot -P bash |

Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
Posted: Thu May 28, 2015 3:04 pm
Maybe a lack of user rights?
Did you check which groups you are in, and which groups are needed by this application?

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54098 Location: 56N 3W
Posted: Thu May 28, 2015 5:19 pm
grant123,
Code: | # chroot /var/chroot /bin/bash
chroot: failed to run command ‘/bin/bash’: No such file or directory |
Either /bin/bash or one of the libs it depends on is missing from the chroot.
lddtree is your friend
Code: | $ lddtree /bin/bash
/bin/bash (interpreter => /lib64/ld-linux-x86-64.so.2)
libreadline.so.6 => /lib64/libreadline.so.6
libncurses.so.5 => /lib64/libncurses.so.5
libdl.so.2 => /lib64/libdl.so.2
libc.so.6 => /lib64/libc.so.6 |
You need all those libraries in the chroot. Some of them may be symlinks to the real thing, in which case you need the symlink and the real target.

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Thu May 28, 2015 7:27 pm
Surely whichever apps I end up running will need more than bash. Do I basically need to do a minimal and manual OS install into the chroot? I was hoping app-misc/jail would prevent that from being necessary.

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54098 Location: 56N 3W
Posted: Thu May 28, 2015 7:45 pm
grant123,
lddtree will tell you what you need. You may not even need bash. The chroot command does not need to run a shell.

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Fri May 29, 2015 2:04 pm
NeddySeagoon wrote: | lddtree will tell you what you need. You may not even need bash. The chroot command does not need to run a shell. |
I'm getting this:
Code: | # lddtree runme.sh
runme.sh => ./runme.sh (interpreter => none)

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54098 Location: 56N 3W
Posted: Fri May 29, 2015 6:42 pm
grant123,
That tells you that runme.sh is a statically linked binary or not a binary at all.
Regardless, it has no dynamic linking requirements.

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Fri May 29, 2015 7:31 pm
Well, my goal is to figure out what software I need to add to the chroot in order for it to be able to execute (in this case) runme.sh. I know the program I'm trying to execute via runme.sh uses java at least. Is there a good way to do this?

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54098 Location: 56N 3W
Posted: Fri May 29, 2015 8:18 pm
grant123,
lddtree on the executables listed in the runme.sh script.

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Sat May 30, 2015 6:24 pm
I'm able to get bash and ls working in the chroot by doing this:
Code: | # addjailsw /var/chroot -P ls --version
# addjailsw /var/chroot -P bin --version
# cp /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64 |
But neither work unless I execute that last line. Why would addjailsw leave that out?
The runme.sh script only references java so I did:
Code: | # lddtree /usr/bin/java
java => /usr/bin/java (interpreter => none)
# addjailsw /var/chroot -P java --version |
But in the chroot I get:
Code: | # ./runme.sh
bash: ./runme.sh: /bin/sh: bad interpreter: No such file or directory |
Wouldn't it be easier to just extract a stage3 tarball, chroot into it, and emerge whatever I need in there? Why use app-misc/jail instead?
BTW, do you know if deleting /var/chroot wipes out all of the changes made by the jail commands or is there extra cleanup to do?
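
Both errors in the post above mean that a file needed at exec time is absent from the chroot: the ELF loader (/lib64/ld-linux-x86-64.so.2) for bash and ls, and /bin/sh, or something /bin/sh itself needs, for the `#!` line of runme.sh. The following added example (not part of the thread and not part of app-misc/jail) copies a program into a chroot together with its shebang interpreter or, for ELF files, everything `lddtree -l` lists, keeping symlinks and their targets as NeddySeagoon describes. The function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes pax-utils' lddtree is installed;
# "lddtree -l" prints an ELF file, its loader and its libraries one per line.
# lddtree only reads the file; ldd(1) may run code from the file it inspects,
# and its man page says not to use it on untrusted executables.

# Print the interpreter from a script's "#!" line; print nothing for other files.
shebang_interp() {
    [ "$(head -c 2 "$1")" = '#!' ] || return 0
    sed -n '1{s/^#![[:space:]]*\([^[:space:]]*\).*/\1/p;q;}' "$1"
}

# Copy one absolute path into the jail. For a symlink, copy the link itself and
# then follow it, so the link and the real target both exist inside the jail.
jail_install() {   # jail_install JAIL /abs/path
    jail=$1 p=$2
    while :; do
        mkdir -p "$jail$(dirname "$p")"
        cp -Pf "$p" "$jail$p"
        [ -L "$p" ] || break
        t=$(readlink "$p")
        case $t in /*) p=$t ;; *) p=$(dirname "$p")/$t ;; esac
    done
}

# Install FILE, then its "#!" interpreter (scripts) or its loader and shared
# libraries (ELF). Programs that a script starts by name are not discovered.
jail_add() {       # jail_add JAIL /abs/path/to/file
    jail_install "$1" "$2"
    interp=$(shebang_interp "$2")
    if [ -n "$interp" ]; then
        jail_add "$1" "$interp"          # e.g. /bin/sh for runme.sh
    else
        lddtree -l "$2" | while IFS= read -r dep; do
            jail_install "$1" "$dep"
        done
    fi
}

# Usage: sh jail-add.sh /var/chroot /bin/bash
if [ "$#" -eq 2 ]; then jail_add "$1" "$2"; fi
```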

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Sat May 30, 2015 9:05 pm
One more question, will I be able to run GUI apps from the chroot?

szatox Advocate
Joined: 27 Aug 2013 Posts: 3105
Posted: Sat May 30, 2015 10:25 pm
Yes, but it may (or may not) require tuning some configs. The good news is X11 has been written with networks in mind, and you can still use a TCP port instead of the default unix socket.

grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Sun May 31, 2015 3:06 pm
What do you think guys? Am I better off with virtualization, and if so, which? Is there any virtualization that doesn't require a kernel patch which isn't included in hardened-sources?

szatox Advocate
Joined: 27 Aug 2013 Posts: 3105
Posted: Sun May 31, 2015 9:16 pm
I think you could have already done that if you tried. http://xkcd.com/1445/
There is no good and wrong way here, there is one you pick and one you don't.
That list of options by Neddy still holds, all of those are valid.
1. don't run untrusted software
2. isolate it in its own hardware
3. use some form of virtualisation to isolate it.
4. run it in a live system of some sort (No HDD access at all)
5. Keep it in a chroot jail
6. trust it

el muchacho Tux's lil' helper
Joined: 26 Mar 2015 Posts: 78
Posted: Wed Jun 03, 2015 1:54 pm
Firejail.
It is not just a chroot jail.
It uses namespaces, capabilities, in order to make your process run in a separate namespace. Most of the system is remounted as read-only, and the most dangerous system calls are banned; you can also define if it should have a network stack or not, etc... All of that being configurable.
BUT... firejail is NOT in the official portage tree (I definitely think it should be part of Hardened Gentoo).
https://l3net.wordpress.com/projects/firejail/