This wiki is archived and useful information is being migrated to the main bzflag.org website
Editing BZFS in a chroot jail
Warning: The database has been locked for maintenance, so you will not be able to save your edits right now. You may wish to copy and paste your text into a text file and save it for later.
The administrator who locked it offered this explanation: Archived wiki
The edit can be undone.
Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | + | == Introduction == | |
− | + | The purpose of this doc is to show how to install the BZFLAG Server (bzfs) in a ‘sandbox’ or a ‘jail’ on Linux by using the features provided with chroot. For general information on setting up a server see [[Creating_A_Server]]. | |
− | + | ||
− | This | + | This has been tested on Redhat 8 and 9 systems, although it should be fairly similar, if not identical on other Linux distributions. |
− | + | If when you read it you see some errors or had some issues not mentioned in here and have the answers to them, you can e-mail me or create a new section at the end with the updates (after my signature - and sign the updates yourself so I know whom to credit if the new info gets merged). I can always merge them into the doc or create a new section (keeping the credits of course) for smoother reading at a later date. | |
− | + | ||
− | + | ||
− | + | ||
− | + | OK - let's get started... | |
+ | == Background == | ||
+ | |||
+ | Before we begin, a little background in using the chroot command is needed. The best place to start is reading the man page (<code>man chroot</code>), but basically the concept is to run a program in a folder and force the program to think that it is the root (the top) of the filesystem (the ‘sandbox’ or ‘jail’), so that if the application was ever compromised (like the shell access vulnerability scare that went around for bzfs a little while ago), only it’s folder would be accessible to the attacker and not the entire filesystem. User root, or any program with root privileges can break out of a chroot jail. And beware, a badly configured chroot jail might even be a security problem! jk_check from jailkit (http://olivier.sessink.nl/jailkit) does check if your chroot jail is safe. | ||
+ | |||
+ | Before we can run a program in a jail, we have to make sure that it has everything it needs to run, and this means creating a mini root filesystem so that the program can access the files that it needs, and knows where to find them. This means that if a program requires a library in /lib, then we will need a lib directory with those libraries in our jail. (if this is confusing – hang in there, you will see an example below). | ||
+ | |||
+ | |||
== Just tell me how to do it!! == | == Just tell me how to do it!! == | ||
Line 134: | Line 137: | ||
== More Security == | == More Security == | ||
− | Since you have to execute chroot as root, bzfs will run as root – which is not what we want. We can force bzfs to run as nobody by changing his ownership to nobody, and setting the | + | Since you have to execute chroot as root, bzfs will run as root – which is not what we want. We can force bzfs to run as nobody by changing his ownership to nobody, and setting the sticky bit on him. This way, when root executes /chroot/bzflag/bin/bzfs – it is executed as nobody, and therefore has very little privileges on the system. |
This is how we do that: | This is how we do that: | ||
Line 208: | Line 211: | ||
I hope this is useful to people out there, as a bit of time went into it to figure out just which files are needed to run bzfs in a jail. I started out with the entire /lib copied over, and got it working with the minimal files listed above. | I hope this is useful to people out there, as a bit of time went into it to figure out just which files are needed to run bzfs in a jail. I started out with the entire /lib copied over, and got it working with the minimal files listed above. | ||
+ | See you out there | ||
− | + | Quol (quolsimo@hotmail.com) | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
[[Category:Server]] | [[Category:Server]] | ||
− | [[Category: | + | [[Category:Support]] |
− | + |