Gentoo Forums
Installing/running untrusted software
grant123
Veteran


Joined: 23 Mar 2005
Posts: 1080

PostPosted: Thu May 21, 2015 11:32 am    Post subject: Installing/running untrusted software Reply with quote

Periodically I need to install and run untrusted software that isn't in portage. Is there a good method for going about that?
Roman_Gruber
Advocate


Joined: 03 Oct 2006
Posts: 3846
Location: Austro Bavaria

PostPosted: Thu May 21, 2015 12:50 pm    Post subject: Reply with quote

The easiest way would be to use some virtualization software like VirtualBox, or whatever they are called these days.

Quote:
* app-emulation/virtualbox
Available versions: 4.3.18 (~)4.3.26 (~)4.3.28 {+additions alsa doc extensions headless java +opengl pam pulseaudio python +qt4 +sdk +udev vboxwebsrv vnc ELIBC="FreeBSD" PYTHON_TARGETS="python2_7"}
Homepage: http://www.virtualbox.org/
Description: Family of powerful x86 virtualization products for enterprise as well as home use


You could create a new user with a fresh home directory and run the software there or in a chroot, but it depends on what is untrusted.

Or boot up a livecd and run it from there. But I think you are asking for something like virtualbox or vmware or whatever else exists in this regard.

I am not sure if such apps are useful or not for you

Quote:
* sys-apps/fakeroot
Available versions: 1.18.4 1.19 (~)1.20 (~)1.20.2 {acl debug static-libs test}
Homepage: http://packages.qa.debian.org/f/fakeroot.html
Description: A fake root environment by means of LD_PRELOAD and SysV IPC (or TCP) trickery


It boils down to what you want to run ... and with that knowledge you can choose the right environment then
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W

PostPosted: Thu May 21, 2015 5:31 pm    Post subject: Reply with quote

grant123,

It depends on your degree of paranoia.

1. don't run untrusted software :)
2. isolate it in its own hardware
3. use some form of virtualisation to isolate it.
4. run it in a live system of some sort (No HDD access at all)
5. Keep it in a chroot jail
6. trust it

I guess that 1 and 6 are not acceptable.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Jaglover
Watchman


Joined: 29 May 2005
Posts: 8291
Location: Saint Amant, Acadiana

PostPosted: Thu May 21, 2015 11:28 pm    Post subject: Reply with quote

Define untrusted software. Not being in the portage does not mean it is untrusted. Is there any untrusted FOSS?
_________________
My Gentoo installation notes.
Please learn how to denote units correctly!
grant123
Veteran


Joined: 23 Mar 2005
Posts: 1080

PostPosted: Fri May 22, 2015 5:35 pm    Post subject: Reply with quote

NeddySeagoon wrote:
grant123,

It depends on your degree of paranoia.

1. don't run untrusted software :)
2. isolate it in its own hardware
3. use some form of virtualisation to isolate it.
4. run it in a live system of some sort (No HDD access at all)
5. Keep it in a chroot jail
6. trust it

I guess that 1 and 6 are not acceptable.


Can I set up a user and remove them from (almost?) all groups and run the software as that user and expect it to be reasonably safe?

Jaglover, just stuff I don't feel sure about.
Jaglover
Watchman


Joined: 29 May 2005
Posts: 8291
Location: Saint Amant, Acadiana

PostPosted: Fri May 22, 2015 7:45 pm    Post subject: Reply with quote

app-misc/jail is a better solution.
_________________
My Gentoo installation notes.
Please learn how to denote units correctly!
grant123
Veteran


Joined: 23 Mar 2005
Posts: 1080

PostPosted: Sat May 23, 2015 2:32 pm    Post subject: Reply with quote

Jaglover wrote:
app-misc/jail is a better solution.


How secure is it? Should I expect anything I run in the jail to be completely safe and sandboxed?

Generally, do all applications install and run properly in a jail?
szatox
Advocate


Joined: 27 Aug 2013
Posts: 3105

PostPosted: Sat May 23, 2015 3:06 pm    Post subject: Reply with quote

chroot is secure if you don't expose anything important inside.
E.g. mounting /dev/ on top of your chroot directory would allow an application you run there to access your hard drives.
I don't know much about jail, but it seems to be some kind of helper that creates a chroot zone for you (so you don't have to build a second system yourself) and then you end up in a chroot anyway.

So, running a non-privileged application simply as another user, without access to your files, would let you contain the possible damage within a small "don't care" area. The same goes for virtualization, which is more work to set up but rewards you with a system you don't have to worry about in terms of "where that stuff will be installed". Running as a separate user on the same system, you want to have something like $HOME/bin in your $PATH in addition to the regular stuff and install those funny things there.

In the case of an application for Windows you can use winecfg to map only the particular directories you want that app to have access to.
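An added example (not part of any post in this thread): a small audit for the exposure described in the post above, listing mounts that sit inside a chroot and any device nodes or setuid/setgid files in it. The function names and the sample mount table are constructed for illustration; the mount listing is separate because `find -xdev` does not descend into filesystems mounted inside the chroot.

```sh
#!/bin/sh
# Added example, not from the thread; the function names are made up here.
# Audits a chroot directory for host resources exposed inside it.

# Read /proc/mounts-format text on stdin (source mountpoint fstype options ...)
# and print every mount that sits at or below ROOT.
mounts_under() {
    root=${1%/}
    while read -r src mnt fstype _rest; do
        case "$mnt" in
            "$root"|"$root"/*) printf '%s %s %s\n' "$mnt" "$fstype" "$src" ;;
        esac
    done
}

# Print device nodes and setuid/setgid files found inside ROOT.
risky_files() {
    find "$1" -xdev \( -type b -o -type c -o \
        \( -type f \( -perm -4000 -o -perm -2000 \) \) \) -print 2>/dev/null
}

# Full report for a live system: audit_chroot /var/chroot
audit_chroot() {
    echo "== mounts at or below $1 =="
    mounts_under "$1" < /proc/mounts
    echo "== device nodes and setuid/setgid files in $1 =="
    risky_files "$1"
}

# Constructed sample in /proc/mounts format, for trying the parser offline.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,noatime 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
devtmpfs /var/chroot/dev devtmpfs rw,nosuid 0 0
proc /var/chroot/proc proc rw 0 0
/dev/sda3 /var/chroot2 ext4 rw 0 0'
```

Anything `audit_chroot` prints is reachable by a process running inside the chroot, so an empty report is the goal for a "don't care" area.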
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21494

PostPosted: Sat May 23, 2015 3:27 pm    Post subject: Reply with quote

You need to identify your threat model. If the untrusted application is actively malicious, it could know about kernel bugs that would let it escape the container you put it in. If it is only untrusted in the sense that you lack confidence that it will not accidentally delete your home directory, then it is much easier to contain.
grant123
Veteran


Joined: 23 Mar 2005
Posts: 1080

PostPosted: Tue May 26, 2015 6:42 pm    Post subject: Reply with quote

Thanks guys. It sounds like jail (chroot with ease) is the way to go. I wouldn't run anything I know to be malicious.

EDIT: Well maybe not as easy as I had hoped. Can anyone tell me what I did wrong?

Code:
# mkjailenv /var/chroot
# chroot /var/chroot /bin/bash
chroot: failed to run command ‘/bin/bash’: No such file or directory


I tried this but still get the same error:

Code:
# addjailsw /var/chroot -P bash
Roman_Gruber
Advocate


Joined: 03 Oct 2006
Posts: 3846
Location: Austro Bavaria

PostPosted: Thu May 28, 2015 3:04 pm    Post subject: Reply with quote

Maybe a lack of user rights?

Did you check which groups you are in, and which groups are needed by this application?
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W

PostPosted: Thu May 28, 2015 5:19 pm    Post subject: Reply with quote

grant123,

Code:
# chroot /var/chroot /bin/bash
chroot: failed to run command ‘/bin/bash’: No such file or directory


Either /bin/bash or one of the libs it depends on is missing from the chroot.
lddtree is your friend

Code:
$ lddtree /bin/bash
/bin/bash (interpreter => /lib64/ld-linux-x86-64.so.2)
    libreadline.so.6 => /lib64/libreadline.so.6
    libncurses.so.5 => /lib64/libncurses.so.5
        libdl.so.2 => /lib64/libdl.so.2
    libc.so.6 => /lib64/libc.so.6

You need all those libraries in the chroot. Some of them may be symlinks to the real thing, in which case you need the symlink and the real target.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
grant123
Veteran


Joined: 23 Mar 2005
Posts: 1080

PostPosted: Thu May 28, 2015 7:27 pm    Post subject: Reply with quote

Surely whichever apps I end up running will need more than bash. Do I basically need to do a minimal and manual OS install into the chroot? I was hoping app-misc/jail would prevent that from being necessary.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W

PostPosted: Thu May 28, 2015 7:45 pm    Post subject: Reply with quote

grant123,

lddtree will tell you what you need. You may not even need bash. The chroot command does not need to run a shell.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
grant123
Veteran


Joined: 23 Mar 2005
Posts: 1080

PostPosted: Fri May 29, 2015 2:04 pm    Post subject: Reply with quote

NeddySeagoon wrote:
lddtree will tell you what you need. You may not even need bash. The chroot command does not need to run a shell.


I'm getting this:

Code:
# lddtree runme.sh
runme.sh => ./runme.sh (interpreter => none)
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W

PostPosted: Fri May 29, 2015 6:42 pm    Post subject: Reply with quote

grant123,

That tells you that runme.sh is a statically linked binary or not a binary at all.
Regardless, it has no dynamic linking requirements.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
grant123
Veteran


Joined: 23 Mar 2005
Posts: 1080

PostPosted: Fri May 29, 2015 7:31 pm    Post subject: Reply with quote

Well, my goal is to figure out what software I need to add to the chroot in order for it to be able to execute (in this case) runme.sh. I know the program I'm trying to execute via runme.sh uses java at least. Is there a good way to do this?
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W

PostPosted: Fri May 29, 2015 8:18 pm    Post subject: Reply with quote

grant123,

lddtree on the executables listed in the runme.sh script.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
grant123
Veteran


Joined: 23 Mar 2005
Posts: 1080

PostPosted: Sat May 30, 2015 6:24 pm    Post subject: Reply with quote

I'm able to get bash and ls working in the chroot by doing this:

Code:
# addjailsw /var/chroot -P ls --version
# addjailsw /var/chroot -P bin --version
# cp /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64


But neither works unless I execute that last line. Why would addjailsw leave that out?

The runme.sh script only references java so I did:

Code:
# lddtree /usr/bin/java
java => /usr/bin/java (interpreter => none)
# addjailsw /var/chroot -P java --version


But in the chroot I get:

Code:
# ./runme.sh
bash: ./runme.sh: /bin/sh: bad interpreter: No such file or directory


Wouldn't it be easier to just extract a stage3 tarball, chroot into it, and emerge whatever I need in there? Why use app-misc/jail instead?

BTW, do you know if deleting /var/chroot wipes out all of the changes made by the jail commands or is there extra cleanup to do?
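The dependency bookkeeping from the posts above (the ld-linux loader that had to be copied by hand, the symlink-plus-target point, and the /bin/sh "bad interpreter" error), as an added example that is not part of any post. The function names are hypothetical, lddtree is assumed to be installed, and the parser targets the lddtree tree format quoted in this thread.

```sh
#!/bin/sh
# Added example, not from the thread; the function names are made up here.

# Read lddtree output (tree format, as quoted in this thread) on stdin and print
# what the binary needs at run time: the ELF interpreter (the ld-linux loader)
# and every resolved library. "interpreter => none" yields nothing.
needs_from_lddtree() {
    sed -n -e '/(interpreter => /{s|.*(interpreter => \(/[^)]*\)).*|\1|p;d;}' \
           -e 's|^[[:space:]]*[^[:space:]]* => \(/[^[:space:]]*\).*|\1|p' |
        LC_ALL=C sort -u
}

# Print the program named on a script's "#!" line (nothing for other files).
shebang_of() {
    LC_ALL=C sed -n -e '1s|^#![[:space:]]*\([^[:space:]]*\).*|\1|p' -e q "$1"
}

# Copy FILE into ROOT under the same absolute path. A symlink is copied as a
# link and then followed one hop at a time, so link and real target both land.
copy_into_chroot() {
    file=$1; root=${2%/}
    mkdir -p "$root$(dirname "$file")"
    cp -P "$file" "$root$file"
    if [ -L "$file" ]; then
        target=$(readlink "$file")
        case "$target" in /*) ;; *) target=$(dirname "$file")/$target ;; esac
        copy_into_chroot "$target" "$root"
    fi
}

# Copy BIN, what lddtree reports for it, and (for a script) its interpreter.
# Assumes lddtree from pax-utils is installed; it is invoked as in the thread.
populate_chroot() {
    bin=$1; dest=$2
    interp=$(shebang_of "$bin")
    copy_into_chroot "$bin" "$dest"
    lddtree "$bin" | needs_from_lddtree |
        while IFS= read -r path; do copy_into_chroot "$path" "$dest"; done
    if [ -n "$interp" ]; then populate_chroot "$interp" "$dest"; fi
}

# lddtree output for /bin/bash, copied from NeddySeagoon's post above.
SAMPLE_TREE='/bin/bash (interpreter => /lib64/ld-linux-x86-64.so.2)
    libreadline.so.6 => /lib64/libreadline.so.6
    libncurses.so.5 => /lib64/libncurses.so.5
        libdl.so.2 => /lib64/libdl.so.2
    libc.so.6 => /lib64/libc.so.6'
```

populate_chroot follows only the first word of a `#!` line and the files you name; programs a script calls by name (java in this thread) each need their own populate_chroot call.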
grant123
Veteran


Joined: 23 Mar 2005
Posts: 1080

PostPosted: Sat May 30, 2015 9:05 pm    Post subject: Reply with quote

One more question, will I be able to run GUI apps from the chroot?
szatox
Advocate


Joined: 27 Aug 2013
Posts: 3105

PostPosted: Sat May 30, 2015 10:25 pm    Post subject: Reply with quote

Yes, but it may (or may not) require tuning some configs. Good news is X11 has been written with networks in mind, and you can still use TCP port instead of default unix socket.
grant123
Veteran


Joined: 23 Mar 2005
Posts: 1080

PostPosted: Sun May 31, 2015 3:06 pm    Post subject: Reply with quote

What do you think guys? Am I better off with virtualization, and if so, which? Is there any virtualization that doesn't require a kernel patch which isn't included in hardened-sources?
szatox
Advocate


Joined: 27 Aug 2013
Posts: 3105

PostPosted: Sun May 31, 2015 9:16 pm    Post subject: Reply with quote

I think you could have already done that if you tried. http://xkcd.com/1445/

There is no good and wrong way here, there is one you pick and one you don't.
That list of options by Neddy still holds, all of those are valid.
1. don't run untrusted software :)
2. isolate it in its own hardware
3. use some form of virtualisation to isolate it.
4. run it in a live system of some sort (No HDD access at all)
5. Keep it in a chroot jail
6. trust it
el muchacho
Tux's lil' helper


Joined: 26 Mar 2015
Posts: 78

PostPosted: Wed Jun 03, 2015 1:54 pm    Post subject: Reply with quote

Firejail.

It is not just a chroot jail.

It uses namespaces, capabilities, in order to make your process run in a separate namespace. Most of the system is remounted as read-only, and the most dangerous system calls are banned; you can also define if it should have a network stack or not, etc... All of that being configurable.

BUT... firejail is NOT in the official portage tree (I definitely think it should be part of Hardened Gentoo).

https://l3net.wordpress.com/projects/firejail/
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum