Forum OpenACS Q&A: Anyone running chroot() installation?

Collapse
1: Anyone running chroot() installation?
Posted by Gordon McAllister on 06/29/00 05:40 PM
I have OpenACS running on an OpenBSD 2.7 machine (pg 7.0.2, aolserver
3.0, recent cvs checkout of openacs).  My aolserver installation is
running successfully, chroot()ed in /usr/local/aolserver, but I can
only get openacs to talk to the postmaster over TCP.  My pg data files
are under the aolserver home directory, as are all of the openacs
files.  Does anyone know how to get postmaster to create its socket
anywhere other than /tmp?  I see that this can be done with oracle
since it creates its socket in a /var/tmp/.oracle directory--you just
symlink the .oracle directory to somewhere inside your chroot
environment.  But I don't want to symlink /tmp...  Does anyone have a
similar setup working?  TIA.
Collapse
2: Response to Anyone running chroot() installation? (response to 1)
Posted by John Lin on 07/30/00 02:28 PM
on redhat website, the HOWTO page tells you the exact steps of doing chroot() installation.  I did it for my redhat6.2/Oracle 8.1.6 machine.  Didn't try it for openACS yet.

good luck,

Collapse
3: Response to Anyone running chroot() installation? (response to 1)
Posted by Don Baccus on 07/30/00 03:24 PM
Boy, good question.  This would be a good one to ask over in the appropriate Postgres mailing list.  Check out www.postgresql.org.

You could, of course, custom-build a copy that would put it wherever you want, but that's butt-ugly.  There doesn't seem to be any command-line option to do this, and I can see why you don't want to symlink /tmp proper!  You might suggest to the PG development team that /tmp/postgres or something similar be used rather than just /tmp.

Collapse
4: Response to Anyone running chroot() installation? (response to 1)
Posted by Matthew Braithwaite on 09/26/00 03:40 AM
You are basically screwed with Postgres. You have to use TCP. Just grind your teeth and firewall port 5432, and you're in business.

There are a couple other issues: it helps to have AOLserver statically linked so that it can restart itself. That is, kicking AOLserver (losingly) requires running nsd, and unless all the shared libs are available in your chroot area, you won't be able to do this.

A more insidious problem is ACS's dependence on external programs, such as aolserver-errors.pl. I bet you really wanted to install Perl in your chroot area, huh?

My suggestions for improving the ease of chrooting:

  • Make it possible to restart AOLserver internally, through Tcl, or at least by sending it a SIGHUP. (Maybe this is already possible, but if it is I don't understand why stuff like restart-aolserver exists.
  • Rewrite all the external scripts as Tcl that's loaded by the ACS at startup. I may do aolserver-errors myself in the next few days.
I'd be interested to know if there's any support for making smooth chroot operation of OpenACS an official goal of the project. I think that good defaults have a lot to do with security (as an OpenBSD user you probably agree!), and I think it would be very winning if we got to the point where chroot worked well enough that, e.g., the documentation and installation instructions could assume a chroot installation as the default.

The hitch, of course, is that you have to be root to chroot(2). I've never understood why.

Collapse
5: Response to Anyone running chroot() installation? (response to 1)
Posted by Roberto Mello on 09/26/00 04:23 AM
One of my goals for the next OpenACS documentation update (I couldn't get it in time for 3.2.4 unfortunately) is to include instructions for chroot OpenACS. I don't know how hard it would be but it'll certainly be fun and useful learning.
Collapse
6: Response to Anyone running chroot() installation? (response to 1)
Posted by Lamar Owen on 09/26/00 07:36 PM
First of all, PostgreSQL behind AOLserver does not have to have TCP/IP enabled.  The driver code contains the doc on how to do it -- you use a different datasource, using localhost instead of the actual host name.  But, then again, the TCP/IP method is in a way more secure, as it can be another machine.

And, you don't have to firewall 5432 (you don't _have_ to run postmaster on 5432, either) -- you just configure pg_hba.conf properly, and you're in business.

Although, technically, if your firewall is configured properly, you shouldn't have to firewall off any port -- you do use default deny, right?

Collapse
7: Response to Anyone running chroot() installation? (response to 1)
Posted by Matthew Braithwaite on 09/26/00 08:40 PM
Lamar, I think we have a failure to communicate. Using a Unix domain socket works fine, of course, but AFAIK there is no way to instruct Postmaster to put extra sockets into various chroot areas, as you can with syslogd. This leaves you with using TCP as your only option if you need to be able to talk to postmaster both within and without a chroot area.

I know, also, that postmaster can be given access rules based on source IP address in pg_hba.conf, but postmaster will still listen on INADDR_ANY, meaning that the access control is implemented by somebody connecting and being told by postmaster to go away. My preference is not to let daemons manage their own access control.

Let me know if you know different!

Collapse
8: Response to Anyone running chroot() installation? (response to 1)
Posted by Lamar Owen on 09/28/00 05:53 PM
Run a chrooted postmaster in the same jail as AOLserver.

Use a different PGPORT than your main , and all works well.

Of course, PostgreSQL has its own issues in chroot() mode....

Then again, you can create a hardlink inside the chroot jail to the /tmp dir easily enough.

But, I've found chroot is more trouble than it is really worth -- AOLserver releases privileges properly -- and the AOLserver run user (for me, it's username 'aolserver') shouldn't own or have write privileges to any AOLserver executables or libraries (or tcl libs, for that matter).

Make the nsd executable owned by root, read-execute only.  This kills the majority of the headaches.

It is easier to set up a properly secured, properly permissioned site without chroot using OpenACS than with chroot, IME.  As part of the OpenACS RPM effort I have been trying to get chroot to work, as well, and it is a big-time pain -- particularly the part about perl.

But, if you insist on doing so, that's perfectly fine.

Collapse
9: Response to Anyone running chroot() installation? (response to 1)
Posted by Matthew Braithwaite on 09/28/00 11:56 PM
Then again, you can create a hardlink inside the chroot jail to the /tmp dir easily enough.
Not if /tmp is on a different filesystem from your chroot jail, nor if the file gets deleted and recreated. Both conditions obtain on BSD systems where /tmp is frequently a memory filesystem. I guess there are Linux types who favor the One Big Filesystem school of thought.

I totally disagree with the statement that chroot is more trouble than it's worth. Or at least, I think that if it's true, it should be made less trouble!

A non-chrooted AOLserver, on a typical PC, has access to a zillion setuid programs which will often have well-known security holes, as well as to other fun things like /tmp races. AOLserver is a C program, and I don't trust a C program not to have buffer overflows. Even if the AOLserver authors were perfect, their perfection wouldn't protect them from overflows in libc.

I agree that this is a minor threat for most people. AOLserver isn't widely used enough to make it worth writing a cookie-cutter exploit for it, and any holes found in it won't have the popularity of a hole that can be exploited in 100,000 RedHat boxes. But some breakin attempts aren't opportunistic attempts to find a place from which to do distributed DOS or to run an IRC daemon. Sometimes somebody wants your machine, and is willing to make the effort. And then you want to be protected.

In these cases it would be nice if it weren't gratuitously difficult to do so. Independent of security considerations I think it would be nice to remove the dependence on external scripts. The spirit of AOLserver seems to be very self-contained, to the point of incorporating log rotation internally, and sending mail by connecting to an SMTP server, rather than execing an external MTA, &c.

Collapse
10: Response to Anyone running chroot() installation? (response to 1)
Posted by Lamar Owen on 09/29/00 05:22 PM
Unfortunately, chroot() is breakable on most implementations.  Of course, you have to get root to do so, but, if you can get root you can do anything -- the key is preventing the root exploit.

Of course, you already know that. I'm not telling you anything you don't already know.

As to the Linux One Big Partition, well, you misunderstand, as my Linux system has multiple Big Partitions.... and, yes, I know full well from my Apollo Domain/OS days about the problems with hardlinks -- although, Domain/OS in later versions allowed hardlinks to span filesystems by making a virtual symlink, that could be used inside a chroot() jail -- but then again, Domain/OS chroot was very broken in other ways.

But, if you really want to do chroot, you really need a separate postmaster running inside the jail as well, as an outside postmaster could be exploited with carefully crafted queries (as PostgreSQL is also a C program).  Thus, you need zero communications outside the chroot jail to make a chrooted OpenACS really work in a manner that is secure.

A jailed postmaster solves the /tmp issue.  It also solves the TCP/IP issue.

<blockquote> A non-chrooted AOLserver, on a typical PC, has access to a zillion
setuid programs which will often have well-known security holes, as
well as to other fun things like /tmp races.
</blockquote>

Then set it up so that the aolserver run user can't execute those programs.  It's not hard.  And, on a typical webserver, you shouldn't have that many suid programs.  If you do, you have other problems.

And, again, what about postmaster/postgres being exploitable through a connection that originates on a web page?  If they break you webserver, then can connect to your db server, they can break it too. And I happen to know of one security hole in PostgreSQL that has no fix as yet, involving a postgres superuser with no password.  There will be others found -- I am currently researching to see if the format string bugs that have crippled rpc.statd, wu-ftpd, and now LPRng can wreak havoc on PostgreSQL, too.

So, if you're going to be paranoid about AOLserver, best be paranoid about PostgreSQL, too.

But, in its current state, chroot()ing OpenACS is more trouble than its worth -- at least until the perl portion gets rewritten to run in tcl inside the server.  Then there's the fun with PostgreSQL in chroot -- which I don't think many people have done (not because it's hard, but because it's harder than running PostgreSQL securely outside chroot()).

I have been hacked once -- and it was BIND that done me in that time, not AOLserver.

But, again, if you want chroot(), and want it bad enough, by all means go for it.  I'll even help out as much as I can give time to -- but, at this point, I don't think it is worthwhile to make chrootable RPM's for OpenACS unless and until chrootable RPM's exist for both AOLserver AND PostgreSQL.

Collapse
11: Response to Anyone running chroot() installation? (response to 1)
Posted by Matthew Braithwaite on 10/03/00 10:04 AM
Shut my mouth ... the comments in aolserver-errors.pl include the following: 
# 1/15/2000 -- replaced all calls to 'tail` with seek() calls
# to improve portability. This also allows us to compile this script
# with perlcc to create a single binary that should work under
# a chroot'ed server.
And yea, verily, it works just fine. So that's one problem solved.