
Зависимости библиотек chroot.


Создать минимальную файловую систему довольно просто, значительно сложнее выяснить, какие файлы обязательны. Прежде всего нужно выяснить зависимости библиотек. Ведь сервер может требовать наличия всего двух-трех библиотек, а каждой из них нужно еще 1-2-3-4 библиотеки — без них они не будут работать, и, следовательно, не будет работать сервер. Помните и о том, что скопированные в chroot библиотеки перестают обновляться вместе с системой: после каждого обновления пакетов их нужно копировать заново, иначе в окружении останутся старые, уязвимые версии.

     Выяснить, какие библиотеки нужны той или иной программе, можно с помощью команды ldd. Важно: ldd не разбирает файл самостоятельно, а запускает его через динамический загрузчик (переменная LD_TRACE_LOADED_OBJECTS), и на некоторых версиях ld.so это приводит к выполнению кода самой программы. Поэтому не запускайте ldd от root на непроверенных бинарниках — для них безопаснее `objdump -p файл | grep NEEDED` или `readelf -d файл`. Посмотрим, что надо для нормальной работы программы ls:


$ ldd /bin/ls

librt.so.1 => /lib/librt.so.1 (0x40029000)
libc.so.6 => /lib/libc.so.6 (0x4003c000)
libpthread.so.0 => /lib/libpthread.so.0 (0x40172000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

     Эти библиотеки можно скопировать в каталог /var/ftp/lib, чтобы программа ls запускалась в chroot-окружении. Такой процесс можно повторить для каждой программы. Обратите внимание, что в список входит и динамический загрузчик /lib/ld-linux.so.2 — без него в chroot не запустится ни одна динамически собранная программа. Копируйте файлы именно копированием (cp -p), а не жесткими ссылками на системные библиотеки, и не оставляйте в окружении файлы с битом SUID/SGID и каталоги с библиотеками, доступные на запись непривилегированному пользователю: подмена библиотеки внутри chroot означает выполнение чужого кода.

Strace

     Библиотеки — это, конечно, не все файлы, которые нужны процессу для его нормальной работы. Чтобы определить все необходимые процессу файлы, можно использовать программу strace. Она выводит все системные вызовы, которыми пользуется процесс в своей работе. Нас интересуют в первую очередь системные вызовы open, открывающие файлы — вот эти файлы и будут нужны процессу. Учтите два момента. Во-первых, strace не анализирует программу, а реально запускает ее под отладчиком, поэтому непроверенный бинарник трассируйте только от непривилегированного пользователя. Во-вторых, файлы нужны процессу не только через open: в трассе ниже видны также execve и connect к сокету nscd, а более новые версии glibc открывают файлы через openat и проверяют их через stat и access — надежнее фильтровать по классу вызовов (`strace -f -e trace=file`), а ключ -f нужен, чтобы не потерять дочерние процессы.

     Рассмотрим применение strace на примере /bin/id (трасса снята от root — об этом говорят приглашение # и uid=0 в выводе; для системной утилиты это допустимо, для чужого бинарника — нет):

# strace /bin/id

execve("/bin/id", ["/bin/id"], [/* 43 vars */]) =0

uname({sys="Linux", node="localhost", ...}) =0

brk(0) = 0x804d000

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000

open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=47341, ...}) =0

old_mmap(NULL, 47341, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000

close(3) = 0

open("/lib/tls/libc.so.6", O_RDONLY) = 3

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@

Z\1\000"..., 512) = 512

fstat64(3, {st_mode=S_IFREG|0755, st_size=1334740, ...}) =0

old_mmap(NULL, 1340908, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3,

0) = 0x40024000

old_mmap(0x40166000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x142000) = 0x40166000

old_mmap(0x40169000, 9708, PROT_READ|PROT_WRITE, MAP_

PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40169000

close(3) = 0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_

ANONYMOUS, -1, 0) = 0x4016c000

set_thread_area({entry_number:-1 -> 6, base_addr:0x4016c2a0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0

munmap(0x40018000, 47341) = 0

open("/usr/share/locale/locale-archive", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)

brk(0) = 0x804d000

brk(0x806e000) = 0x806e000

brk(0) = 0x806e000

open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2586, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40018000

read(3, "# Locale name alias data base.\n#"..., 4096) = 2586

read(3, "", 4096) = 0

close (3) = 0

munmap(0x40018000, 4096) = 0

open("/usr/share/locale/ru_RU/LC_IDENTIFICATION", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=336, ...}) =0

mmap2(NULL, 336, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000

close(3) = 0

open("/usr/share/locale/ru_RU/LC_MEASUREMENT", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=24, ...}) =0

mmap2(NULL, 24, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40019000

close(3) = 0

open("/usr/share/locale/ru_RU/LC_TELEPHONE", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=49, ...}) =0

mmap2(NULL, 49, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001a000

close (3) =0

open("/usr/share/locale/ru_RU/LC_ADDRESS", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|064 4, st_size=128, ...}) =0

mmap2(NULL, 128, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001b000

close (3) = 0

open("/usr/share/locale/ru_RU/LC_NAME", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=63, ...}) =0

mmap2(NULL, 63, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001c000

close (3) = 0

open("/usr/share/locale/ru_RU/LC_PAPER", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=35, ...}) = 0

mmap2(NULL, 35, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001d000

close (3) =0

open("/usr/share/locale/ru_RU/LC_MESSAGES", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) =0

close(3) = 0

open("/usr/share/locale/ru_RU/LC_MESSAGES/SYS_LC_MESSAGES", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=57, ...}) =0

mmap2(NULL, 57, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001e000

close (3) = 0

open("/usr/share/locale/ru_RU/LC_MONETARY", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|064 4, st_size=295, ...}) =0

mmap2(NULL, 295, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4001f000

close (3) = 0

open("/usr/share/locale/ru_RU/LC_COLLATE", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=22391, ...}) =0

mmap2(NULL, 22391, PROT_READ, MAP_PRIVATE, 3, 0) = 0x4016d000

close(3) = 0

open("/usr/share/locale/ru_RU/LC_TIME", 0_RD0NLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=2368, ...}) =0

mmap2(NULL, 2368, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40173000

close(3) = 0

open("/usr/share/locale/ru_RU/LC_NUMERIC", 0_RD0NLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=55, ...}) = 0

mmap2(NULL, 55, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40174000

close (3) =0

open("/usr/share/locale/ru_RU/LC_CTYPE", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=178916, ...}) = 0

mmap2(NULL, 178916, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40175000

close (3) = 0

geteuid32 () =0

getuid32 () =0

getegid32 () =0

getgid32 () =0

fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0

ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -

1, 0) = 0x401al000

socket(PF_UNIX, SOCK_STREAM, 0) =3

connect(3, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1 ENOENT (No such file or directory)

close (3) =0

open("/etc/nsswitch.conf", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=1744, ...}) =0

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x401a2000

read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1744

read(3, "", 4096) = 0

close (3) = 0

munmap(0x401a2000, 4096) = 0

open("/etc/ld.so.cache", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=47341, ...}) =0

old_mmap(NULL, 47341, PROT_READ, MAP_PRIVATE, 3, 0) = 0x401a2000

close (3) = 0

open("/lib/libnss_files.so.2", O_RDONLY) = 3

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\35\

0\000"..., 512) = 512

fstat64(3, {st_mode=S_IFREG|0755, st_size=40900, ...}) =0

old_mmap(NULL, 44192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x401ae000

old_mmap(0x401b8000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x9000) = 0x401b8000

close(3) = 0

munmap(0x401a2000, 47341) = 0

open("/etc/passwd", O_RDONLY) = 3

fcntl64(3, F_GETFD) = 0

fcntl64(3, F_SETFD, FD_CLOEXEC) = 0

fstat64(3, {st_mode=S_IFREG|0644, st_size=812, ...}) = 0

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_

ANONYMOUS, -1, 0) = 0x401a2000

read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 812

close(3) = 0

munmap(0x401a2000, 4096) = 0

socket(PF_UNIX, SOCK_STREAM, 0) =3

connect(3, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"},

110) = -1 ENOENT (No such file or directory)

close (3) = 0

open("/etc/group", 0_RDONLY) = 3

fcntl64(3, F_GETFD) = 0

fcntl64(3, F_SETFD, FD_CLOEXEC) = 0

fstat64(3, {st_mode=S_IFREG|0644, st_size=401, ...}) =0

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE| MAP_

ANONYMOUS, -1, 0) = 0x401a2000

read(3, "root:x:0:\nbin:x:1:\ndaemon:x:2:\ns"..., 4096) = 401

close (3) = 0

munmap(0x401a2000, 4096) = 0

getgroups32 (0, NULL) = 1

getgroups32(1, [0]) =1

open("/usr/share/locale/ru_RU/LC_MESSAGES/coreutils.mo", 0_

RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/ru/LC_MESSAGES/coreutils.mo", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0 64 4, st_size=213968, ...}) =0

mmap2(NULL, 213968, PROT_READ, MAP_PRIVATE, 3, 0) = 0x401b9000

close (3) =0

open("/usr/lib/gconv/gconv-modules.cache", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|064 4, st_size=0, ...}) =0

close (3) =0

open("/usr/lib/gconv/gconv-modules", 0_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=46476, ...}) = 0

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_

ANONYMOUS, -1, 0) = 0x401ee000

read(3, "# GNU libc iconv configuration.\n"..., 4096) = 4096

read(3, ".Bl.002//\nalias\tJS//\t\t\tJUS_I.Bl."..., 4096) =4096

read(3, "859-3\tl\nmodule\tINTERNAL\t\tISO-885"... , 4096) = 4096

read(3, "9-14//\nalias\tLATIN8//\t\tISO-8859-"..., 4096) =4096

read(3, "CSEBCDICES//\t\tEBCDIC-ES//\nalias\t"..., 4096) =4096

read(3, "IBM284//\nalias\tEBCDIC-CP-ES//\t\tI" . . ., 4096) =4096

read(3, "ias\t864//\t\t\tIBM864//\nalias\tCSIBM"..., 4096) =4096

read(3, "\tIBM937\t\tl\nmodule\tINTERNAL\t\tIBM9"..., 4096) = 4096

read(3, "UC-JP//\nmodule\tEUC-JP//\t\tINTERNA"..., 4096) =4096

read(3, "143IECP271//\tIEC_P27-1//\nalias\tI"..., 4096) = 4096

read(3, "\nmodule\tINTERNAL\t\tISO_10367-BOX/"..., 4096) =4096

read(3, "L\t\tTCVN5712-l//\t\tTCVN5712-l\tl\n\n#"..., 4096) = 1420

read(3, "", 4096) = 0

close(3) =0

munmap(0x401ee000, 4096) = 0

open("/etc/group", O_RDONLY) = 3

fcntl64(3, F_GETFD) = 0

fcntl64(3, F_SETFD, FD_CLOEXEC) = 0

fstat64(3, {st_mode=S_IFREG|0644, st_size=401, ...}) = 0

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x401ee000

read(3, "root:x:0:\nbin:x:1:\ndaemon:x:2:\ns"..., 4096) = 401

close(3) = 0

munmap(0x401ee000, 4096) = 0

write(1, "uid=0(root) gid=0(root) \307\322\325\320\320\331=0"

. . ., 39) =39

munmap(0x401al000, 4096) = 0

exit_group(0) = ?

     Попробуй тут найди все open! Сделаем так: запишем вывод strace в файл (ключ -o заодно отделяет трассу от собственного вывода программы), а потом будем его анализировать:

$ strace -o strace_out /bin/id

$ cat strace_out | grep open

open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/tls/libc.so.6", O_RDONLY) = 3
open("/usr/share/locale/locale-archive", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_IDENTIFICATION", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_MEASUREMENT", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_TELEPHONE", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_ADDRESS", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_NAME", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_PAPER", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_MESSAGES", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_MONETARY", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_COLLATE", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_TIME", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_NUMERIC", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_CTYPE", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libnss_files.so.2", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY) = 3
open("/etc/group", O_RDONLY) = 3
open("/usr/share/locale/ru_RU/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/ru/LC_MESSAGES/coreutils.mo", O_RDONLY) = 3
open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 3
open("/usr/lib/gconv/gconv-modules", O_RDONLY) = 3
open("/etc/group", O_RDONLY) = 3

     Чтобы программа id работала в chroot-окружении, нужно скопировать в это окружение все файлы, используемые этой программой (в этом случае все, за исключением тех, которые не найдены). Два уточнения с точки зрения безопасности. Во-первых, /etc/passwd, /etc/group и /etc/nsswitch.conf не копируйте с реальной системы целиком: внутри chroot достаточно урезанных версий с одной-двумя нужными записями, а /etc/shadow туда не нужен вовсе — так утечка из chroot не раскроет список учетных записей системы. Во-вторых, ненайденные файлы тоже о чем-то говорят: загрузчик первым делом ищет /etc/ld.so.preload, и если злоумышленник сможет создать этот файл в chroot, указанная в нем библиотека будет подгружаться в каждую динамическую программу окружения. Поэтому каталог /etc (как и каталоги с библиотеками) в chroot должен принадлежать root и быть недоступным на запись для пользователя, от имени которого работает сервер.