Editing BZFS in a chroot jail

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 1: Line 1:
BZFS in a chroot jail is a concept where a [[BZFS]] server is run on a host computer in a very secure environment, preventing it from having access to any other parts of the host system.
+
== Introduction ==
  
==Overview==
+
The purpose of this doc is to show how to install the BZFLAG Server (bzfs) in a ‘sandbox’ or a ‘jail’ on Linux by using the features provided with chroot. For general information on setting up a server see [[Creating_A_Server]].
Installing the BZFLAG Server (bzfs) in a ‘sandbox’ or a ‘jail’ on Linux by using the features provided with chroot is an advanced method for setting up a server. It offers additional security for the hosting server. For general information on setting up a server see [[Creating A Server]].
+
  
This method has been tested on Redhat 8 and 9 systems. Other Linux distributions should work in a similar manner.
+
This has been tested on Redhat 8 and 9 systems, although it should be fairly similar, if not identical on other Linux distributions.
  
==Background==
+
If when you read it you see some errors or had some issues not mentioned in here and have the answers to them, you can e-mail me or create a new section at the end with the updates (after my signature - and sign the updates yourself so I know whom to credit if the new info gets merged). I can always merge them into the doc or create a new section (keeping the credits of course) for smoother reading at later date.
Before attempting to set up BZFS in a chroot jail it is best to have a little background in using the chroot command. The best place to start is reading the man page
+
man chroot
+
but the basic concept is to run a program in a directory and force it to think that it is the root (the top) of the filesystem (the ‘sandbox’ or ‘jail’), so that if the application was ever compromised, only it’s folder would be accessible to the attacker and not the entire filesystem. User root, or any program with root privileges can break out of a chroot jail. Users should be ware that a badly configured chroot jail might even be a larger security problem then not running one. The application jk_check from http://olivier.sessink.nl/jailkit does checks to verify if your chroot jail is safe.
+
  
Before a program can be run in a jail, the user must make sure that the program has all dependencies that it may need. This means creating a smaller copy of the root filesystem so that the program can access the files that it needs, and knows where to find them. This means that if a program requires a library in /lib, then we will need a lib directory with those libraries in our jail. (if this is confusing – hang in there, you will see an example below).
+
OK - let's get started...
  
 +
== Background ==
 +
 +
Before we begin, a little background in using the chroot command is needed. The best place to start is reading the man page (''man chroot''), but basically the concept is to run a program in a folder and force the program to think that it is the root (the top) of the filesystem (the ‘sandbox’ or ‘jail’), so that if the application was ever compromised (like the shell access vulnerability scare that went around for bzfs a little while ago), only it’s folder would be accessible to the attacker and not the entire filesystem. User root, or any program with root privileges can break out of a chroot  jail. And beware, a badly configured chroot jail might even be a security problem! jk_check from jailkit (http://olivier.sessink.nl/jailkit) does check if your chroot jail is safe.
 +
 +
Before we can run a program in a jail, we have to make sure that it has everything it needs to run, and this means creating a mini root filesystem so that the program can access the files that it needs, and knows where to find them. This means that if a program requires a library in /lib, then we will need a lib directory with those libraries in our jail. (if this is confusing – hang in there, you will see an example below).
 +
 +
 
== Just tell me how to do it!! ==
 
== Just tell me how to do it!! ==
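
Review bot: in the Background paragraph both sides carry "it’s folder" where the possessive "its" is meant, and the latest-revision side also has "be ware" and "a larger security problem then not running one" (should be "beware" and "than"). Fix these in whichever text is saved, since the undo does not touch the first and the latest revision introduces the other two.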
  
Line 134: Line 137:
 
== More Security ==
 
== More Security ==
  
Since you have to execute chroot as root, bzfs will run as root – which is not what we want. We can force bzfs to run as nobody by changing his ownership to nobody, and setting the SUID bit on him. This way, when root executes /chroot/bzflag/bin/bzfs – it is executed as nobody, and therefore has very little privileges on the system.  
+
Since you have to execute chroot as root, bzfs will run as root – which is not what we want. We can force bzfs to run as nobody by changing his ownership to nobody, and setting the sticky bit on him. This way, when root executes /chroot/bzflag/bin/bzfs – it is executed as nobody, and therefore has very little privileges on the system.  
  
 
This is how we do that:
 
This is how we do that:
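
Review bot: the "Your text" side of the More Security paragraph says "setting the sticky bit on him", but the behaviour it describes (the binary executing as its owner, nobody) is what the set-user-ID bit does; the sticky bit does not change the user a program runs as. Keep the latest revision's "SUID bit" wording rather than undoing it. Since the paragraph has root executing the binary, it is also worth stating that set-user-ID changes only the effective user ID, so the real user ID of the process is still root.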
Line 190: Line 193:
 
I also keep all my (not mine, but the ones I downloaded :) ) in a map dir like: /chroot/bzflag/maps  
 
I also keep all my (not mine, but the ones I downloaded :) ) in a map dir like: /chroot/bzflag/maps  
  
You may want to create some startup scripts that start your server up automatically in case it reboots. I use a separate rc file for this for simplicity. One could create an init script and then use chkconfig to call it in rc3.d, but I am lazy and haven’t done that.
+
You may want to create some startup scripts that start your server up automatically in case it reboots. I use a separate rc file for this for simplicity. One could create an init script and then use chkconfig to call it in rc3.d, but I am lazzy and haven’t done that.
  
 
I simply declared in my rc.local (which is loaded last anyways and as such all network systems will be available when it is called) to execute rc.bzfs which I have in /etc/rc.d/rc.bzfs.
 
I simply declared in my rc.local (which is loaded last anyways and as such all network systems will be available when it is called) to execute rc.bzfs which I have in /etc/rc.d/rc.bzfs.
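
Review bot: the startup-script paragraph on the "Your text" side restores the misspelling "lazzy" that the latest revision had corrected to "lazy". If the undo goes ahead, carry that spelling fix over.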
Line 208: Line 211:
 
I hope this is useful to people out there, as a bit of time went into it to figure out just which files are needed to run bzfs in a jail. I started out with the entire /lib copied over, and got it working with the minimal files listed above.
 
I hope this is useful to people out there, as a bit of time went into it to figure out just which files are needed to run bzfs in a jail. I started out with the entire /lib copied over, and got it working with the minimal files listed above.
  
 +
See you out there
  
==See also==
+
Quol (quolsimo@hotmail.com)
[[BZFS]]
+
 
+
==External Links==
+
http://olivier.sessink.nl/jailkit
+
 
+
[[Category:Server]]
+
[[Category:Server Security]]
+
[[Category:Tutorials]]
+
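
Review bot: at the end of the page the undo drops the "See also" and "External Links" sections and the three category tags ([[Category:Server]], [[Category:Server Security]], [[Category:Tutorials]]), and puts back a personal sign-off with an e-mail address. Losing [[Category:Server Security]] and the jailkit link removes the page from the security index and the pointer to the jk_check tool that the Background section recommends; keep those lines even if the rest of the edit is undone.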
