Hi,
As per chroot privilege setup, chroot must be called by root user. But our application requires one more normal user to call chroot very badly . Is there any Grsec chroot config parameter to help me out of this ? Any other suggestion would be helpful.
Thanks,
Jai
To run chroot under normal user.
4 posts
• Page 1 of 1
To run chroot under normal user.
by gazolinia » Mon Mar 22, 2010 2:17 am
- gazolinia
- Posts: 8
- Joined: Wed Feb 10, 2010 1:32 am
Re: To run chroot under normal user.
by cormander » Mon Mar 22, 2010 10:01 am
No way with grsecurity to do this.
You need to be root to do this. You could create a suid binary that gets root, does the chroot, and then drops back down to the previous user's privileges. If you need something more persistent than that (ie; sub processes need to call chroot), then you can instead have the suid binary get root, drop all capabilities except CAP_SYS_CHROOT, and drop back down to the user privileges. That will make that process (and any sub-process, I believe) able to make the chroot system call without being root.
Or there might be another way to add a capability (CAP_SYS_CHROOT) to a binary, process, or user, with some of the libcap userspace utilities (setpcaps, sucap, etc) but I'm not aware of how to do this for your situation.
You need to be root to do this. You could create a suid binary that gets root, does the chroot, and then drops back down to the previous user's privileges. If you need something more persistent than that (ie; sub processes need to call chroot), then you can instead have the suid binary get root, drop all capabilities except CAP_SYS_CHROOT, and drop back down to the user privileges. That will make that process (and any sub-process, I believe) able to make the chroot system call without being root.
Or there might be another way to add a capability (CAP_SYS_CHROOT) to a binary, process, or user, with some of the libcap userspace utilities (setpcaps, sucap, etc) but I'm not aware of how to do this for your situation.
- cormander
- Posts: 154
- Joined: Tue Jan 29, 2008 12:51 pm
Re: To run chroot under normal user.
by gazolinia » Wed Mar 24, 2010 5:49 am
Very much thanks for your support. I guess adding CAP_SYS_CHROOT capability to my user must solve my problem . But googling around on how to do this doesn't yield any good result. If possible can you please guide me to the solution of adding this capability to my user !. Thanks in advance.
- gazolinia
- Posts: 8
- Joined: Wed Feb 10, 2010 1:32 am
Re: To run chroot under normal user.
by cormander » Wed Mar 24, 2010 10:06 am
I did some searching and found a pam_capability module. I compiled it on my system (centos 5) and the module in debug mode says it's successful, and I also see this output:
$ /usr/sbin/getpcaps $$
Capabilities for `5841': = cap_sys_chroot+i
But trying to do the chroot syscall didn't actually work. Not sure why yet. I found the code on google code:
http://code.google.com/p/pamcap/
It hasn't been updated since September 2002, and says it has only been tested on 2.4 kernels. If I have time tonight I'll take a deeper look into this.
$ /usr/sbin/getpcaps $$
Capabilities for `5841': = cap_sys_chroot+i
But trying to do the chroot syscall didn't actually work. Not sure why yet. I found the code on google code:
http://code.google.com/p/pamcap/
It hasn't been updated since September 2002, and says it has only been tested on 2.4 kernels. If I have time tonight I'll take a deeper look into this.
- cormander
- Posts: 154
- Joined: Tue Jan 29, 2008 12:51 pm
4 posts
• Page 1 of 1