Chroot

Chroot is a function commonly found in UNIX and Linux operating systems. Its primary goal is to prevent malicious users from exploiting vulnerabilities in the daemons or services running on these platforms. Users accessing a chrooted service are placed in a subdirectory underneath the root “/” filesystem, and the service treats that subdirectory as its root. The chroot directory is also known as the chroot jail because it prevents users from accessing files outside of the designated jail.

BTW: my personal home web site is chroot Linux

My personal choice is to protect my Linux box from geeks/hackers (like me), so my home web site is pure chroot …

  • … web site on an external drive with only need-to-have binaries copied from Linux (big white power switch)
  • … NEVER any compilers inside my production chroot (opinion … no compilers accessible on production machine)
  • … make sure NEVER public access to anything inside chroot file system (of course)
  • … so on
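
The rules in this list can be checked mechanically. The following audit is an added example, not code from this page or from IBM; the `audit_chroot` function, the `COMPILER_NAMES` list and the demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a chroot tree against the rules in the list above.
# COMPILER_NAMES is an assumed, non-exhaustive list of compilers and build
# tools; extend it for your platform.
COMPILER_NAMES="cc gcc g++ c++ xlc xlC as ld make"

# Print one finding per line as "<rule> <path>".
# Return 0 if the jail is clean, 1 if there are findings, 2 if $1 is unusable.
audit_chroot() {
    jail=$1
    if [ ! -d "$jail" ]; then
        echo "not a directory: $jail" >&2
        return 2
    fi
    findings=$(
        # Compilers and build tools do not belong in a production jail.
        for name in $COMPILER_NAMES; do
            find "$jail" -type f -name "$name" | sed 's/^/compiler /'
        done
        # setuid/setgid programs can hand a jailed user another identity.
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/setid /'
        # World-writable files and directories let a jailed user plant content.
        # Device nodes such as dev/null are deliberately not matched.
        find "$jail" \( -type f -o -type d \) -perm -0002 | sed 's/^/world-writable /'
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo tree (paths are made up for illustration).
demo="${TMPDIR:-/tmp}/chroot-audit.$$"
mkdir -p "$demo/usr/bin" "$demo/home/web"
chmod 0755 "$demo" "$demo/usr" "$demo/usr/bin" "$demo/home" "$demo/home/web"
: > "$demo/usr/bin/ls";  chmod 0755 "$demo/usr/bin/ls"
: > "$demo/usr/bin/gcc"; chmod 0755 "$demo/usr/bin/gcc"
: > "$demo/home/web/upload.tmp"; chmod 0666 "$demo/home/web/upload.tmp"
audit_chroot "$demo" || echo "jail needs cleanup"
rm -rf "$demo"
```

Run it against the jail root after every change to the set of copied binaries; a non-zero return means something in the tree breaks one of the rules.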

On IBM i, it is tough for admins to get “copies” of PASE binaries working in a chroot jail along with ILE elements, but iASPs can help out (IASP).

BTW — if you are wondering … NO … I did not chroot protect this Yips machine, because this is an educational, example-driven machine, we are trusting you, so please don’t bother hacking this machine and we can keep providing cool info/examples.

Not all roses with PASE chroot …

Readers should know that some PASE runtime and/or utilities fail in a chroot environment. chroot blocks visibility to anything mounted at the system root, which includes the /QSYS.LIB file system and the /usr file systems. Without /QSYS.LIB, anything that tries to access objects in that file system using IFS interfaces will fail. The only reason PASE can find/use anything in that file system is that legacy (non-IFS) interfaces do direct lookup in libraries (using the RSLSP instruction), but some PASE runtime/utilities rely on IFS access to QSYS.LIB objects.

A couple of examples:

 > /QOpenSys/usr/bin/Rfile -r /QSYS.LIB/QGPL.LIB/QTXTSRC.FILE/TEST.MBR
   This is a test
   $
 > chroot /QOpenSys /usr/bin/Rfile -r /QSYS.LIB/QGPL.LIB/QTXTSRC.FILE/TEST.MBR
   $    <<< Note file was not found so no data was read

The "PASE" utility /QOpenSys/usr/bin/ipcs is really just a script that tries to run the /usr/bin/ipcs QShell utility. In a chroot environment, that isn't possible...

 > /usr/bin/ipcs
   ... output here (works fine) ...
 > chroot /QOpenSys /usr/bin/ipcs
   IOT/Abort trap
   $

This "weakness" is a major reason why I seldom mention/recommend use of chroot for PASE applications (or any applications on IBM i).

Note: George Timms -- lead guru IBM i PASE

Example: Using chroot on the System i to Restrict ssh, sftp, and scp to Specific Directories

The chroot script shipped by PASE/IBM is a “good model” for anyone wishing to jump into DIY security with PASE chroot (see chroot_setup_script.sh) …

  • Step 1 - verify that the chroot directory does not yet exist
  • Step 2 - verify that the userid to be changed exists
  • Step 3 - create chroot directories
  • Step 4 - set directory permissions
  • Step 5 - create QOpenSys/usr symlink
  • Step 6 - copy binaries and libraries
    • Why chroot within /QOpenSys and not just /ANYWHERE on IBM i IFS ???
    • for i in /usr/lib/libc.a /usr/lib/libC.a
      • … /QOpenSys is a case sensitive directory on IBM i
      • … any chroot under /QOpenSys will also be case sensitive
      • … thereby PASE loader can understand critical difference between ‘libc.a’ and ‘libC.a’ in chroot location
        • (not to mention chroot_setup_script.sh would copy one over the other during script run … boom … end of story)
  • Step 7 - create necessary devices
  • Step 8 - change ownership
  • Step 9 - change home directory of chroot user to enable chroot at ssh connection
  • Note (IBM): Modification of the chroot script is not handled under Support Line. If the customer needs help modifying the script, they will have to enter into a Consult Line agreement.
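
The case-sensitivity point under Step 6 can be turned into a check that runs before any library is copied. This is an added example, not part of chroot_setup_script.sh or any IBM code; the function names `case_collisions`, `fs_is_case_sensitive` and `preflight_lib_copy` and the demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of chroot_setup_script.sh): pre-flight check for Step 6.

# Print every path in the argument list whose name collides with an earlier
# one when case is ignored (assumes paths without spaces).
case_collisions() {
    seen=""
    for path in "$@"; do
        lower=$(printf '%s' "$path" | tr '[:upper:]' '[:lower:]')
        case " $seen " in
            *" $lower "*) printf '%s\n' "$path" ;;
        esac
        seen="$seen $lower"
    done
}

# Return 0 if directory $1 is case sensitive, 1 if it folds case, 2 on error.
fs_is_case_sensitive() {
    probe="$1/.caseprobe.$$"
    mkdir "$probe" 2>/dev/null || return 2
    : > "$probe/libc.a"
    if [ -e "$probe/libC.a" ]; then cs_rc=1; else cs_rc=0; fi
    rm -rf "$probe"
    return "$cs_rc"
}

# Return 0 when the library list can be copied into $1 without one file
# replacing another, 1 when a collision would overwrite, 2 if $1 is unusable.
preflight_lib_copy() {
    target=$1
    shift
    collisions=$(case_collisions "$@")
    if [ -z "$collisions" ]; then return 0; fi
    fs_is_case_sensitive "$target" && pf_rc=0 || pf_rc=$?
    case $pf_rc in
        0) return 0 ;;
        1) echo "$target folds case; case-only collisions: $collisions" >&2
           return 1 ;;
        *) echo "cannot probe $target" >&2
           return 2 ;;
    esac
}

# Constructed demo: library list shortened from the script's Step 6 loop.
demo_dir="${TMPDIR:-/tmp}/chroot-preflight.$$"
mkdir -p "$demo_dir"
preflight_lib_copy "$demo_dir" /usr/lib/libc.a /usr/lib/libpthreads.a /usr/lib/libC.a \
    && echo "ok to copy into $demo_dir" || echo "do not copy into $demo_dir"
rm -rf "$demo_dir"
```
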
============
chroot_setup_script.sh -- shipped by PASE for OpenSSH component
============
> cat /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/sbin/chroot_setup_script.sh
cat: cannot open /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/sbin/chroot_setup_script.sh
> cat /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/sbin/chroot_setup_script.sh
#!/QOpenSys/usr/bin/ksh


##############################################################################
### Example script to setup chroot environment on IBM i
###
### Version   1.0 20081028
### Version 6.1.1 20100526
###
###
### IBM grants you a nonexclusive copyright license to use all programming
### code examples from which you can generate similar function tailored to
### your own specific needs.
###
### SUBJECT TO ANY STATUTORY WARRANTIES WHICH CANNOT BE EXCLUDED, IBM,
### ITS PROGRAM DEVELOPERS AND SUPPLIERS MAKE NO WARRANTIES OR CONDITIONS
### EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED
### WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
### PURPOSE, AND NON-INFRINGEMENT, REGARDING THE PROGRAM OR TECHNICAL
### SUPPORT, IF ANY.
###
### UNDER NO CIRCUMSTANCES IS IBM, ITS PROGRAM DEVELOPERS OR SUPPLIERS
### LIABLE FOR ANY OF THE FOLLOWING, EVEN IF INFORMED OF THEIR POSSIBILITY:
###
### LOSS OF, OR DAMAGE TO, DATA;
### DIRECT, SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES, OR FOR ANY ECONOMIC
### CONSEQUENTIAL DAMAGES; OR
### LOST PROFITS, BUSINESS, REVENUE, GOODWILL, OR ANTICIPATED SAVINGS.
### SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF DIRECT,
### INCIDENTAL, OR CONSEQUENTIAL DAMAGES, SO SOME OR ALL OF THE ABOVE
### LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU.
###
##############################################################################

# directory that will be created and used as the chroot root "/" directory
CHRDIR=/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/chroot

# log file
LOGFILE=/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/chroot_config.log

# (optional) userid to change home directory to trigger ssh chroot access
CHRUSR=$1

DTE=$(date)

echo "" >> $LOGFILE 2>&1
echo "$DTE" >> $LOGFILE 2>&1
echo "" >> $LOGFILE 2>&1
echo "Starting configuration of chroot environment. chroot-dir = $CHRDIR" >> $LOGFILE 2>&1
echo "" >> $LOGFILE 2>&1


# Step 1 - verify that the chroot directory does not yet exist
echo "" >> $LOGFILE 2>&1
echo "########## STEP 1 ##########" >> $LOGFILE 2>&1
echo "########## STEP 1 ##########"
echo "Verify that the chroot-dir does not yet exist" >> $LOGFILE 2>&1
echo "Verify that the chroot-dir does not yet exist"
if [ -d $CHRDIR ] || [ -f $CHRDIR ] || [ -h $CHRDIR ]
then
    echo "Error: chroot-dir $CHRDIR already exists" >> $LOGFILE 2>&1
    echo "Error: chroot-dir $CHRDIR already exists"
    exit 1
fi


# Step 2 - verify that the userid to be changed exists
echo "" >> $LOGFILE 2>&1
echo "########## STEP 2 ##########" >> $LOGFILE 2>&1
echo "########## STEP 2 ##########"
echo "If specified, verify that the user profile to be changed to ssh chroot access exists" >> $LOGFILE 2>&1
echo "If specified, verify that the user profile to be changed to ssh chroot access exists"
if [ "$CHRUSR" ]
then
    # translate CHRUSR to all lowercase
    CHRUSR=`echo $CHRUSR | /QOpenSys/usr/bin/tr '[A-Z]' '[a-z]'`
    if PASE_USRGRP_LIMITED=N /QOpenSys/usr/bin/id $CHRUSR > /dev/null 2>&1
    then
        :
    else
        echo "Error: chroot user profile $CHRUSR does not exist" >> $LOGFILE 2>&1
        echo "Error: chroot user profile $CHRUSR does not exist"
        exit 2
    fi
fi


# Step 3 - create chroot directories
echo "" >> $LOGFILE 2>&1
echo "########## STEP 3 ##########" >> $LOGFILE 2>&1
echo "########## STEP 3 ##########"
echo "Making necessary directories in chroot-dir" >> $LOGFILE 2>&1
echo "Making necessary directories in chroot-dir"
echo "home, home/<user>, dev, dev/pts, usr/bin/X11, usr/sbin, usr/lib, QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/libexec and QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/etc will be created" >> $LOGFILE 2>&1
for i in home dev/pts usr/bin/X11 usr/sbin usr/lib QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/libexec QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/etc
do
    /QOpenSys/usr/bin/mkdir -p $CHRDIR/$i
    echo ".\c"
done
if [ "$CHRUSR" ]
then
    /QOpenSys/usr/bin/mkdir $CHRDIR/home/$CHRUSR
    echo ".\c"
fi
echo ""


# Step 4 - set directory permissions
echo "" >> $LOGFILE 2>&1
echo "########## STEP 4 ##########" >> $LOGFILE 2>&1
echo "########## STEP 4 ##########"
echo "Make sure that the permissions on all the files created inside the chrooted directory"  >> $LOGFILE 2>&1
echo "are same as the one for the original directories" >> $LOGFILE 2>&1
echo ""  >> $LOGFILE 2>&1
echo "chmod -R 0755 chroot-dir"  >> $LOGFILE 2>&1
/QOpenSys/usr/bin/chmod -R 0755 $CHRDIR


# Step 5 - create QOpenSys/usr symlink
echo "" >> $LOGFILE 2>&1
echo "########## STEP 5 ##########" >> $LOGFILE 2>&1
echo "########## STEP 5 ##########"
echo "Create QOpenSys/usr symlink inside the chroot-dir directory"  >> $LOGFILE 2>&1
echo "" >> $LOGFILE 2>&1
echo "ln -s ../usr chroot-dir/QOpensys/usr"  >> $LOGFILE 2>&1
/QOpenSys/usr/bin/ln -s ../usr $CHRDIR/QOpenSys/usr


# Step 6 - copy binaries and libraries
echo "" >> $LOGFILE 2>&1
echo "########## STEP 6 ##########" >> $LOGFILE 2>&1
echo "########## STEP 6 ##########"
echo "Copying example binaries and libraries to the chroot environment"
echo "" >> $LOGFILE 2>&1
echo "This script is an example script only!" >> $LOGFILE 2>&1
echo "Thus, only a few binaries and the necessary libraries are copied to the chroot environment." >> $LOGFILE 2>&1
echo "If you need additional binaries you will have to copy them manually to the chroot directories or adapt this script. " >> $LOGFILE 2>&1
echo "Remember to check for any requisite libaries with the dump command and copy them to the chroot environment as well." >> $LOGFILE 2>&1
echo "" >> $LOGFILE 2>&1
echo "The following binaries and libraries have been copied to the chroot directory:" >> $LOGFILE 2>&1
echo "" >> $LOGFILE 2>&1

for i in execerror sh bsh ksh cd pwd ls mkdir rmdir rm cp cat xauth
do
/QOpenSys/usr/bin/cp -p `which $i` $CHRDIR`which $i`
/QOpenSys/usr/bin/ls -al $CHRDIR`which $i` >> $LOGFILE 2>&1
echo ".\c"
done

for i in /usr/lib/libc.a /usr/lib/libpthreads.a /usr/lib/libiconv.a /usr/lib/libcrypt.a /usr/lib/libcrypto.a /usr/lib/libX11.a /usr/lib/libXext.a /usr/lib/libIM.a /usr/lib/libICE.a /usr/lib/libXi.a /usr/lib/libSM.a /usr/lib/libgaimisc.a /usr/lib/libgair4.a /usr/lib/libC.a /usr/lib/libz.a
do
    /QOpenSys/usr/bin/cp -p $i $CHRDIR$i
    /QOpenSys/usr/bin/ls -al $CHRDIR$i >> $LOGFILE 2>&1
    echo ".\c"
done

/QOpenSys/usr/bin/cp -p /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/etc/sshd_config $CHRDIR/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/etc/sshd_config
/QOpenSys/usr/bin/ls -al $CHRDIR/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/etc/sshd_config >> $LOGFILE 2>&1
echo ".\c"

/QOpenSys/usr/bin/cp -p /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/libexec/sftp-server $CHRDIR/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/libexec/sftp-server
/QOpenSys/usr/bin/ls -al $CHRDIR/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.8.1p1/libexec/sftp-server >> $LOGFILE 2>&1
echo ""


# Step 7 - create necessary devices
echo "" >> $LOGFILE 2>&1
echo "########## STEP 7 ##########" >> $LOGFILE 2>&1
echo "########## STEP 7 ##########"
echo "Necessary devices will be created in the chroot environment" >> $LOGFILE 2>&1
echo "Necessary devices will be created in the chroot environment"
echo "" >> $LOGFILE 2>&1

/QOpenSys/usr/sbin/mknod $CHRDIR/dev/tty c 32945 0
echo ".\c"
/QOpenSys/usr/sbin/mknod $CHRDIR/dev/null c 32769 1
echo ".\c"
/QOpenSys/usr/sbin/mknod $CHRDIR/dev/zero c 32769 2
echo ".\c"
i=0
while [ $i -lt 10 ]
do
    /QOpenSys/usr/sbin/mknod $CHRDIR/dev/pts/$i c 32947 $i
    ((i=i+1))
    echo ".\c"
done

for i in zero null tty
do
    /QOpenSys/usr/bin/chmod 0666 $CHRDIR/dev/$i
    echo ".\c"
done

/QOpenSys/usr/bin/chmod 0666 $CHRDIR/dev/pts/*

echo "The following devices have been configured within your chroot environment:">> $LOGFILE 2>&1
echo "" >> $LOGFILE 2>&1
for i in zero null tty
do
    /QOpenSys/usr/bin/ls -al $CHRDIR/dev/$i >> $LOGFILE 2>&1
    echo ".\c"
done

i=0
while [ $i -lt 10 ]
do
    /QOpenSys/usr/bin/ls -al $CHRDIR/dev/pts/$i >> $LOGFILE 2>&1
    ((i=i+1))
    echo ".\c"
done
echo ""


# Step 8 - change ownership
echo "" >> $LOGFILE 2>&1
echo "########## STEP 8 ##########" >> $LOGFILE 2>&1
echo "########## STEP 8 ##########"
echo "Change ownership of files in chroot environment:">> $LOGFILE 2>&1
echo ""  >> $LOGFILE 2>&1
echo "chown -Rh qsys chroot-dir"  >> $LOGFILE 2>&1
/QOpenSys/usr/bin/chown -Rh qsys $CHRDIR
if [ "$CHRUSR" ]
then
    echo "chown $CHRUSR chroot-dir/home/$CHRUSR"  >> $LOGFILE 2>&1
    PASE_USRGRP_LIMITED=N /QOpenSys/usr/bin/chown $CHRUSR $CHRDIR/home/$CHRUSR >> $LOGFILE 2>&1
fi


# Step 9 - change home directory of chroot user to enable chroot at ssh connection
echo "" >> $LOGFILE 2>&1
echo "########## STEP 9 ##########" >> $LOGFILE 2>&1
echo "########## STEP 9 ##########"
echo "If specified, change user profile home directory to enable chroot ssh connection:">> $LOGFILE 2>&1
echo "If specified, change user profile home directory to enable chroot ssh connection"
echo ""  >> $LOGFILE 2>&1
echo "system CHGUSRPRF USRPRF($CHRUSR) HOMEDIR('chroot-dir/./home/$CHRUSR')"  >> $LOGFILE 2>&1
if [ "$CHRUSR" ]
then
    /QOpenSys/usr/bin/system "CHGUSRPRF USRPRF($CHRUSR) HOMEDIR('$CHRDIR/./home/$CHRUSR')" >> $LOGFILE 2>&1
fi


echo "" >> $LOGFILE 2>&1
echo "" >> $LOGFILE 2>&1
echo "########## FINISH ##########" >> $LOGFILE 2>&1
echo "########## FINISH ##########"
echo "" >> $LOGFILE 2>&1
echo "Configuration of the following chroot environment has completed: " >> $LOGFILE 2>&1
echo "Configuration of chroot environment has completed"
/QOpenSys/usr/bin/find $CHRDIR -ls >> $LOGFILE
echo ""
echo "A log file $LOGFILE was created for reference if needed."
echo "" >> $LOGFILE 2>&1
echo "" >> $LOGFILE 2>&1
echo ""
echo ""
exit

>

Author(s)

Tony “Ranger” Cairns - IBM i PHP / PASE