Gentoo Forums
[Solved] Chrooting proxy services
toofied
Posted: Sat Aug 26, 2017 9:03 pm    Post subject: [Solved] Chrooting proxy services

Per wiki (https://wiki.gentoo.org/wiki/Chrooting_proxy_services), it's possible to chroot using init.d, but the code is horribly outdated, so I started updating it.

Unfortunately, every time I try to chroot the script fails with:
Code:
chroot: failed to run command '/usr/bin/tor': No such file or directory


Chroot creation script (adapted from Arch): https://dpaste.de/zf13/raw
OpenRC script, /etc/init.d/tor-hardened: https://dpaste.de/XWSs/raw

chroot also fails outside of the init.d, but I can confirm that the file exists in my chroot. What am I missing here?

Edit: This issue has been solved, and the wiki updated.


Last edited by toofied on Sun Aug 27, 2017 1:08 pm; edited 1 time in total

Hu
Posted: Sat Aug 26, 2017 11:42 pm

That error can happen if the file is missing or if any of its dependent files are missing. What does strace chroot args show?

toofied
Posted: Sun Aug 27, 2017 12:41 am

Code:
strace chroot /opt/torchroot/ /usr/bin/tor
execve("/bin/chroot", ["chroot", "/opt/torchroot/", "/usr/bin/tor"], 0x3cdc2c142f0 /* 20 vars */) = 0
brk(NULL)                               = 0x40bd3cd000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x312ca64c000
access("/etc/ld.so.preload", R_OK)      = 0
open("/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
close(3)                                = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=143148, ...}) = 0
mmap(NULL, 143148, PROT_READ, MAP_PRIVATE, 3, 0) = 0x312ca629000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\6\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1811912, ...}) = 0
mmap(NULL, 3919288, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x312ca071000
mprotect(0x312ca225000, 2093056, PROT_NONE) = 0
mmap(0x312ca424000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b3000) = 0x312ca424000
mmap(0x312ca42a000, 15800, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x312ca42a000
close(3)                                = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x312ca626000
arch_prctl(ARCH_SET_FS, 0x312ca626700)  = 0
mprotect(0x312ca424000, 16384, PROT_READ) = 0
mprotect(0x40bb669000, 4096, PROT_READ) = 0
mprotect(0x312ca652000, 4096, PROT_READ) = 0
munmap(0x312ca629000, 143148)           = 0
open("/usr/lib64/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1966480, ...}) = 0
mmap(NULL, 1966480, PROT_READ, MAP_PRIVATE, 3, 0) = 0x312c9e90000
close(3)                                = 0
brk(NULL)                               = 0x40bd3cd000
brk(0x40bd3ee000)                       = 0x40bd3ee000
lstat("/opt", {st_mode=S_IFDIR|0755, st_size=64, ...}) = 0
lstat("/opt/torchroot", {st_mode=S_IFDIR|0755, st_size=85, ...}) = 0
chroot("/opt/torchroot/")               = 0
chdir("/")                              = 0
execve("/usr/bin/tor", ["/usr/bin/tor"], 0x391c2d27e28 /* 20 vars */) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory)
write(2, "chroot: ", 8chroot: )                 = 8
write(2, "failed to run command '/usr/bin/"..., 36failed to run command '/usr/bin/tor') = 36
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, ": No such file or directory", 27: No such file or directory) = 27
write(2, "\n", 1
)                       = 1
close(1)                                = 0
close(2)                                = 0
exit_group(127)                         = ?
+++ exited with 127 +++


And, the file it is trying to access...
Code:
file /opt/torchroot/usr/bin/tor
/opt/torchroot/usr/bin/tor: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped

Hu
Posted: Sun Aug 27, 2017 12:47 am

Your chroot script is truncated in the pastebin. Does /opt/torchroot/lib64/ld-linux-x86-64.so.2 exist (after resolving symlinks) and point to a valid interpreter (likely a copy of the libc loader)?

toofied
Posted: Sun Aug 27, 2017 2:44 am

Thanks for the tip, my symlink was broken. I've fixed the script and now everything is working fine. Pasting it here below so others can use it if they want.

Code:

#!/bin/bash
# torchroot generate script
export TORCHROOT=/opt/torchroot

# Directory skeleton of the chroot
mkdir -p "$TORCHROOT"
mkdir -p "$TORCHROOT/etc/tor"
mkdir -p "$TORCHROOT/dev"
mkdir -p "$TORCHROOT/usr/bin"
mkdir -p "$TORCHROOT/usr/lib"
mkdir -p "$TORCHROOT/usr/share/tor"
mkdir -p "$TORCHROOT/var/lib"

# Absolute target: inside the chroot, /lib resolves to the chroot's own /usr/lib
ln -s /usr/lib "$TORCHROOT/lib"
# Replace this line if you want to copy your own torrc instead of the one provided by hardened script.
cp /opt/tor-hardened-scripts/torrc-hardened "$TORCHROOT/etc/tor/"

# The tor binary, its data files, the dynamic loader and the libraries it needs
cp /usr/bin/tor "$TORCHROOT/usr/bin/"
cp /usr/share/tor/geoip* "$TORCHROOT/usr/share/tor/"
cp /lib/ld-linux-*.so* "$TORCHROOT/usr/lib/"
cp /lib/libnss* /lib/libnsl* /lib/libresolv* "$TORCHROOT/usr/lib/"
# $(...) is left unquoted on purpose so each library path becomes its own argument
cp $(ldd /usr/bin/tor | awk '{print $3}' | grep --color=never "^/") "$TORCHROOT/usr/lib/"
cp -r /var/lib/tor "$TORCHROOT/var/lib/"
chown -R tor:tor "$TORCHROOT/var/lib/tor"

# Only the tor user and group are visible inside the chroot
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"

# Device nodes tor needs
mknod -m 644 "$TORCHROOT/dev/random" c 1 8
mknod -m 644 "$TORCHROOT/dev/urandom" c 1 9
mknod -m 666 "$TORCHROOT/dev/null" c 1 3

# On x86_64 the ELF interpreter path is /lib64/ld-linux-x86-64.so.2, so /lib64 must resolve inside the chroot
if [[ "$(uname -m)" == "x86_64" ]]; then
  cp /lib64/ld-linux-*.so* "$TORCHROOT/usr/lib/"
  ln -s /usr/lib "${TORCHROOT}/lib64"
  #ln -sr ${TORCHROOT}/usr/lib ${TORCHROOT}/lib
  #ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64
fi
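
Added example, not part of the thread or the wiki: the check Hu describes ("after resolving symlinks") and the symlinks the script above creates both depend on paths being resolved relative to the chroot, where an absolute link target such as /usr/lib means the chroot's own usr/lib. The function below walks a path that way from the host side, so the interpreter path reported by `file` can be tested before running chroot. The names `resolve_in_chroot` and `make_sample` and the sample trees are constructed for illustration.

```bash
#!/bin/bash
# Added example, not code from the thread. Resolve PATH as it would be looked
# up after chroot(ROOT): absolute symlink targets restart at ROOT, not at the
# host's /. Prints the host-side location, or returns 1 if a component is missing.
resolve_in_chroot() {
  local root="${1%/}" rest="$2" cur="" comp target hops=0
  while :; do
    while [ "${rest#/}" != "$rest" ]; do rest=${rest#/}; done  # strip leading /
    [ -n "$rest" ] || break
    comp=${rest%%/*}
    if [ "$comp" = "$rest" ]; then rest=""; else rest=${rest#*/}; fi
    case $comp in
      .)  continue ;;
      ..) cur=${cur%/*}; continue ;;        # cannot climb above the chroot root
    esac
    if [ -L "$root$cur/$comp" ]; then
      hops=$((hops + 1)); [ "$hops" -le 40 ] || return 1   # symlink loop guard
      target=$(readlink "$root$cur/$comp")
      case $target in /*) cur="" ;; esac    # absolute target: back to chroot root
      rest="$target${rest:+/$rest}"
    elif [ -e "$root$cur/$comp" ]; then
      cur="$cur/$comp"
    else
      echo "missing inside chroot: $cur/$comp" >&2
      return 1
    fi
  done
  printf '%s\n' "$root${cur:-/}"
}

# Constructed sample tree (hypothetical helper): empty stand-in files laid out
# like the thread's chroot, with the lib64 symlink pointing at $2.
make_sample() {
  mkdir -p "$1/usr/lib" "$1/usr/bin"
  : > "$1/usr/lib/ld-linux-x86-64.so.2"
  : > "$1/usr/bin/tor"
  ln -s "$2" "$1/lib64"
}

tmp=$(mktemp -d)
make_sample "$tmp/good" /usr/lib      # link target used by the posted script
make_sample "$tmp/bad"  /usr/lib64    # constructed broken link: no usr/lib64 in the tree
for r in good bad; do
  if p=$(resolve_in_chroot "$tmp/$r" /lib64/ld-linux-x86-64.so.2 2>/dev/null); then
    echo "$r: interpreter resolves to $p"
  else
    echo "$r: interpreter missing, execve() in this chroot returns ENOENT"
  fi
done
rm -rf "$tmp"
```

A host-side `ls -L` or `readlink -f` on the "bad" tree can still succeed when the host has its own /usr/lib64, which is why the walk has to re-root absolute link targets.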