I am trying to write a script that builds a chroot jail (I know there are tools for this, but I'm doing it for the experience, so please don't recommend one). I have a script that locates the command I want to run in the jail, finds that command's dependencies, follows symlinks, and copies everything into the jail. This is the script set up for Python only.
executables="
python
"
for exe in $executables
do
    # move the executable
    echo Executable: $exe
    exe_path=`which $exe`
    echo READLINK -f $exe_path
    exe_true_path=`readlink -f $exe_path`
    # directory part of the path, e.g. /usr/bin/
    exe_dir=`echo $exe_path | grep -o '/.*/'`
    mkdir -p $1$exe_dir
    cp -L $exe_true_path $1$exe_path
    # get the libs for this exe (absolute paths from the ldd output)
    libs=`ldd $exe_true_path | grep -o '/[^()]*'`
    # move each lib
    for lib in $libs
    do
        echo Library: $lib
        lib_path=$lib
        lib_true_path=`readlink -f $lib_path`
        lib_dir=`echo $lib_path | grep -o '/.*/'`
        echo MKDIR $1$lib_path
        # note: $lib_dir is computed above but $lib_path is passed here, so this
        # creates a directory named after the library and cp then copies the
        # file into that directory (compare the tree output below)
        mkdir -p $1$lib_path
        echo CP $lib_true_path $1$lib_path
        cp -L $lib_true_path $1$lib_path
    done
done
It looks pretty good...
$ tree .
.
├── lib
│   └── x86_64-linux-gnu
│       ├── libc.so.6
│       │   └── libc-2.13.so
│       ├── libdl.so.2
│       │   └── libdl-2.13.so
│       ├── libgcc_s.so.1
│       │   └── libgcc_s.so.1
│       ├── libm.so.6
│       │   └── libm-2.13.so
│       ├── libpthread.so.0
│       │   └── libpthread-2.13.so
│       ├── libutil.so.1
│       │   └── libutil-2.13.so
│       └── libz.so.1
│           └── libz.so.1.2.7
├── lib64
│   └── ld-linux-x86-64.so.2
│       └── ld-2.13.so
└── usr
    └── bin
        └── python
But when I actually run Python in this jail, I get a permission error.
$ sudo chroot chroot12/ python --version
chroot: failed to run command `python': Permission denied
Even after opening up the permissions, I still get the error.
$ chmod -R 777 chroot12/
$ sudo chroot chroot12/ python --version
chroot: failed to run command `python': Permission denied
What is causing this? These errors did not start until I introduced the link following, but unfortunately I don't have an earlier version of the script to compare against.
Thanks in advance!
Trace output
$ sudo strace -f chroot chroot12 python --version
execve("/usr/sbin/chroot", ["chroot", "chroot12", "python", "--version"], [/* 14 vars */]) = 0
brk(0) = 0x11f1000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f329f926000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=26406, ...}) = 0
mmap(NULL, 26406, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f329f91f000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f329f37e000
mprotect(0x7f329f500000, 2093056, PROT_NONE) = 0
mmap(0x7f329f6ff000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x181000) = 0x7f329f6ff000
mmap(0x7f329f704000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f329f704000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f329f91e000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f329f91d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f329f91c000
arch_prctl(ARCH_SET_FS, 0x7f329f91d700) = 0
mprotect(0x7f329f6ff000, 16384, PROT_READ) = 0
mprotect(0x607000, 4096, PROT_READ) = 0
mprotect(0x7f329f928000, 4096, PROT_READ) = 0
munmap(0x7f329f91f000, 26406) = 0
brk(0) = 0x11f1000
brk(0x1212000) = 0x1212000
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1534672, ...}) = 0
mmap(NULL, 1534672, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f329f7a5000
close(3) = 0
chroot("chroot12") = 0
chdir("/") = 0
execve("/usr/local/sbin/python", ["python", "--version"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
execve("/usr/local/bin/python", ["python", "--version"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
execve("/usr/sbin/python", ["python", "--version"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
execve("/usr/bin/python", ["python", "--version"], [/* 14 vars */]) = -1 EACCES (Permission denied)
execve("/sbin/python", ["python", "--version"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
execve("/bin/python", ["python", "--version"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "chroot: ", 8chroot: ) = 8
write(2, "failed to run command `python'", 30failed to run command `python') = 30
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, ": Permission denied", 19: Permission denied) = 19
write(2, "\n", 1
) = 1
close(1) = 0
close(2) = 0
exit_group(126) = ?
Answer 1
The only way I could reproduce the error:
execve("/usr/bin/python", ["python", "--version"], [/* 14 vars */]) = -1 EACCES (Permission denied)
...was by making the ELF dynamic loader non-executable.
This works:
$ ls -l chroot12/lib64/ld-linux-x86-64.so.2
-rwxr-xr-x 1 root root 149280 Oct 30 16:22 chroot12/lib64/ld-linux-x86-64.so.2
This does not:
$ ls -l chroot12/lib64/ld-linux-x86-64.so.2
-rw-r--r-- 1 root root 149280 Oct 30 16:22 chroot12/lib64/ld-linux-x86-64.so.2
Make sure chroot12/lib64/ld-linux-x86-64.so.2 has execute permission.
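As an added example (not the poster's script and not the answerer's code), here is a corrected version of the copy loop together with a check for the condition the answer describes. The tree in the question shows lib64/ld-linux-x86-64.so.2 as a directory holding ld-2.13.so: `mkdir -p $1$lib_path` creates a directory named after the library and `cp -L` then copies the file into it. When the kernel opens the PT_INTERP path during execve and finds something that is not a regular file with execute permission, execve fails with EACCES, which chroot reports as "Permission denied". `install_into_jail` below creates only the parent directory of each destination, and `check_jail_exec` reports whether a path inside the jail is a directory, missing, not executable, or fine. The function names and the jail layout are my choices, and the `ldd` parsing assumes glibc's output format.

```sh
#!/bin/sh
# Added example: populate a chroot jail with a binary and its shared-library
# dependencies, creating the parent directory of each destination (not a
# directory named after the file), then verify that what ends up in the jail
# is a regular, executable file.
set -u

# Copy one file into the jail at the same absolute path, dereferencing
# symlinks. Usage: install_into_jail JAIL /abs/path
install_into_jail() {
    jail=$1
    src=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")"   # parent directory only, never "$dest" itself
    cp -L "$src" "$dest"
}

# Copy an executable and every shared object that ldd reports for it.
# ldd prints "libfoo.so => /path (0x...)" for libraries and a bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)" line for the loader; the grep keeps
# only the absolute paths. Usage: populate_jail JAIL python
populate_jail() {
    jail=$1
    exe=$2
    exe_path=$(command -v "$exe") || { echo "no such executable: $exe" >&2; return 1; }
    install_into_jail "$jail" "$exe_path"
    for lib in $(ldd "$exe_path" | grep -o '/[^ ()]*'); do
        install_into_jail "$jail" "$lib"
    done
    # the copied program itself must be a regular executable file in the jail
    check_jail_exec "$jail" "$exe_path"
}

# Return 0 if JAIL/PATH is a regular file with an execute bit; otherwise
# print why it will fail at execve and return 1.
# Usage: check_jail_exec JAIL /lib64/ld-linux-x86-64.so.2
check_jail_exec() {
    p="$1$2"
    if [ -d "$p" ]; then
        echo "$p is a directory (mkdir was given the file name instead of its parent)" >&2
        return 1
    elif [ ! -f "$p" ]; then
        echo "$p is missing or not a regular file" >&2
        return 1
    elif [ ! -x "$p" ]; then
        echo "$p has no execute permission" >&2
        return 1
    fi
    return 0
}

# Example run (jail directory name is an assumption):
#   populate_jail ./chroot12 python && \
#   check_jail_exec ./chroot12 /lib64/ld-linux-x86-64.so.2 && \
#   sudo chroot ./chroot12 python --version
```

Two caveats for a script like this: `ldd` may execute the binary it inspects under some dynamic loaders, so only run it on binaries you trust, and a `chmod -R 777` on the jail is not a substitute for the check above, because it neither turns a directory into a file nor is something you want on a tree you intend to confine a process in.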