To add extract security on chroot environment, it's better to make the /tmp directory cannot execute a file by mounting /tmp with 'noexec' and 'nosuid' options.
Create Partiotion
To simplify just create loopback device file for mounting /tmp later. (The size of partition for this example is 50MB)- /opt/jail: chroot directory
- /opt/tmpdisk.img: loopback device
# dd if=/dev/zero of=/opt/tmpdisk.img bs=1M count=50 # mkfs.ext4 /opt/tmpdisk.img # mount -o loop,rw,noexec,nosuid /opt/tmpdisk.img /opt/jail/tmpVerify to make sure the mounted partition has 'noexec' and 'nosuid'.
# mount ----[SNIP]---- /opt/tmpdisk.img on /opt/jail/tmp type ext4 (rw,noexec,nosuid,commit=0) ----[SNIP]----
Test the /tmp
Try to execute some of executable file inside /tmp directory.# cp /opt/jail/bin/ls /opt/jail/tmp/ # chroot /opt/jail /bin/bash
# /bin/ls # /tmp/ls bash: /tmp/ls: Permission denied # /lib/ld-linux.so.2 /tmp/ls /tmp/ls: error while loading shared libraries: /tmp/ls: failed to map segment from shared object: Operation not permittedReferences
0 comments:
Post a Comment