
[suse-security] /usr/sbin/compartment fails to chroot for non-root user



I'm trying to build a chroot jail for ssh for a user (called update), using
/usr/sbin/compartment.

The /etc/passwd entry for user "update" looks like this:
update:x:5000:65534:Update User:/home/update:/bin/compart.jail

/bin/compart.jail reads:

  #!/bin/bash
  strace -v -s 250 -ff -F -qix -o problem /usr/sbin/compartment --chroot /home/update.jail /bin/bash

(That strace call is just there for debugging, of course...)

* `su update` (the user) fails with the error
  "Error chrooting to /home/update.jail"
* Any non-root user running `/usr/sbin/compartment --chroot /home/update.jail /bin/bash` fails with the same error.
* Root _can_ run this file, and ends up in jail.

Looking at the file "problem" that strace creates tells me that:
<snip>
[400e10cd] chroot("/home/update.jail")  = -1 EPERM (Operation not permitted)
[400e0702] brk(0x804f000)               = 0x804f000
[400dae34] write(2, "Error chrooting to /home/update.jail\n", 37) = 37
[400e0702] brk(0x8052000)               = 0x8052000
[400ace5d] time([1074677991])           = 1074677991
<snip>

(The rest of the file can be given, of course)

Okay, now if the user tries to simply `chroot /home/update.jail`, he gets
the error:
"chroot: cannot change root directory to /home/update.jail: Operation not
permitted"

The permissions on the directory /home/update.jail look like this:
   0 drwxrwxrwx    7 update   nogroup       224 2004-01-21 09:38 .
   0 drwxr-xr-x    9 root     root          216 2004-01-20 16:19 ..
   4 -rw-------    1 update   nogroup        45 2004-01-21 09:39 .bash_history
   0 drwxr-xr-x    2 update   nogroup       240 2004-01-21 08:54 bin
   0 drwxr-xr-x    2 update   nogroup        96 2004-01-20 16:00 dev
   0 drwxr-xr-x    2 update   nogroup       128 2004-01-21 09:08 etc
   1 drwxr-xr-x    3 update   nogroup       568 2004-01-21 09:20 lib
 112 -rw-r--r--    1 update   nogroup    113188 2004-01-21 09:39 problem
   0 drwxr-xr-x    4 update   nogroup        96 2004-01-20 15:02 usr


I don't think the update user's home directory of /home/update makes a
difference; I've changed it without any effect.

I think I could probably use sudo to give update the ability to use chroot,
but then I have a chroot user with slightly higher privs than is ideal.

Any ideas on how to solve this?

Tom.

---------------
Tom Knight
System Administration Officer
Arts & Humanities Data Service
Web:     http://www.ahds.ac.uk
Email:   tom.knight@xxxxxxxxxx
Tel:     (0)20 7928 7371
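The EPERM in the strace above is the kernel's answer to any process that calls chroot(2) without the CAP_SYS_CHROOT capability, which an ordinary user such as "update" never holds; a wrapper like compartment can only confine a user if the wrapper itself runs privileged (as root, or setuid root) and then drops to the target uid/gid inside the jail. The following is an added example of what such a privileged jail-entry helper has to do; it is not compartment's code and not part of the original mail. The helper name, its argument layout, and the choice of /bin/sh as the program run inside the jail are assumptions. It also carries the pre-check a defender wants before trusting a jail: the jail root must be owned by the privileged account and must not be group- or world-writable, which the drwxrwxrwx, update-owned /home/update.jail listed above would fail.

```c
/* Added example (not compartment's code, not from the original mail):
 * a privileged jail-entry helper. Assumes it is started by root (or is
 * setuid root) and that /bin/sh exists inside the jail. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* A jail root must belong to the expected (privileged) owner and must not be
 * writable by group or others; otherwise the confined user can swap out
 * bin/, lib/ or etc/ inside the jail and control what the "jailed" shell
 * actually executes. Returns 1 if the directory passes, 0 otherwise. */
int jail_dir_is_safe(const char *dir, uid_t expected_owner)
{
    struct stat st;
    if (lstat(dir, &st) != 0) return 0;          /* missing or unreadable */
    if (!S_ISDIR(st.st_mode)) return 0;          /* must be a directory */
    if (st.st_uid != expected_owner) return 0;   /* wrong owner */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0; /* group/world writable */
    return 1;
}

/* Enter the jail and drop privileges permanently.
 * Returns 0 on success, otherwise the errno of the failing step; for a
 * caller without CAP_SYS_CHROOT the first step fails with EPERM, which is
 * exactly what the strace in the mail shows for a non-root user.
 * Order matters: chroot, then chdir("/") so the working directory lies
 * inside the new root, then drop supplementary groups, gid and uid. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0) return errno;
    if (chdir("/") != 0) return errno;
    if (setgroups(0, NULL) != 0) return errno;
    if (setgid(gid) != 0) return errno;
    if (setuid(uid) != 0) return errno;
    /* Sanity check that the drop is irreversible: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) return EACCES;
    return 0;
}

/* Run enter_jail() in a forked child so the calling process itself is not
 * confined, and report the child's result code. Useful for probing what
 * the kernel will say for the current user before wiring the helper into
 * a login shell. */
int probe_jail(const char *dir, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        int rc = enter_jail(dir, uid, gid);
        _exit(rc & 0xff);   /* Linux errno values fit in the exit byte */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return errno;
    if (!WIFEXITED(status)) return EINTR;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jaildir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    const char *dir = argv[1];
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);

    /* Refuse a jail root the confined user could tamper with. */
    if (!jail_dir_is_safe(dir, 0)) {
        fprintf(stderr, "%s: must be a root-owned directory, not group/world writable\n", dir);
        return 1;
    }
    int rc = enter_jail(dir, uid, gid);
    if (rc != 0) {
        fprintf(stderr, "Error chrooting to %s: %s\n", dir, strerror(rc));
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");   /* only reached if the jail has no /bin/sh */
    return 1;
}
```

Run as root with the values from the passwd entry above (`./jailhelper /home/update.jail 5000 65534`) the helper lands in the jail as uid 5000; run as the update user it prints the same "Error chrooting" message with "Operation not permitted", because the EPERM comes from the kernel, not from anything compartment does. The practical consequence is that the confined user's login shell must invoke a privileged helper (setuid root, or started by a root-owned service such as sshd) rather than calling chroot itself, and that helper, not sudo, is where the privilege should be held.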


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here