Re: [Jailkit-users] Fluxbox


From: Eric Ratliff
Subject: Re: [Jailkit-users] Fluxbox
Date: Fri, 8 Apr 2022 20:43:29 -0500 (CDT)

Thanks Olivier, great points and important for me to consider... I didn't 
realize running xorg could open some security issues.

I'll probably design this a different way w/ that in mind, but I'll admit, my 
curiosity got the best of me and as a mental exercise, I want to get this figured 
out.

I tried issuing:
chmod u+s /opt/tech-jail/usr/bin/xinit
chmod u+s /opt/tech-jail/usr/bin/Xorg
chmod u+s /opt/tech-jail/usr/bin/xauth
chmod u+s /opt/tech-jail/usr/bin/xmodmap

The error I'm seeing when issuing startx is:
xf86OpenConsole: Cannot open virtual console 1 (Permission denied)

When I run a groups command, I see:
tech tty video


When I issue strace in startx as xinit is being called, I get this section... I 
see a permission denied line when setpriority is called.


rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[CHLD], 
sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f7453c18d60}, 
{sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=0x5587ada02250, sa_mask=[], 
sa_flags=SA_RESTORER, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=0x5587ada02250, sa_mask=[], 
sa_flags=SA_RESTORER, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGINT, {sa_handler=0x5587ada02250, sa_mask=[], 
sa_flags=SA_RESTORER, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGHUP, {sa_handler=0x5587ada02250, sa_mask=[], 
sa_flags=SA_RESTORER, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=0x5587ada02250, sa_mask=[], 
sa_flags=SA_RESTORER, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGALRM, {sa_handler=0x5587ada02260, sa_mask=[], 
sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGUSR1, {sa_handler=0x5587ada02260, sa_mask=[], 
sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [USR1], [], 8) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, 
child_tidptr=0x7f7453978a10) = 52269
setpriority(PRIO_PROCESS, 52269, -1)    = -1 EACCES (Permission denied)
wait4(52269, 0x5587adc04b60, WNOHANG, NULL) = 0
write(2, "\n", 1
)                       = 1
alarm(15)                               = 0
rt_sigsuspend([], 8_XSERVTransmkdir: Owner of /tmp/.X11-unix should be set to 
root

X.Org X Server 1.20.11
X Protocol Version 11, Revision 0
Build Operating System: linux Debian
Current Operating System: Linux debian 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 
(2022-03-17) x86_64
Build Date: 16 December 2021  05:08:23PM
xorg-server 2:1.20.11-1+deb11u1 (https://www.debian.org/support)
Current version of pixman: 0.40.0
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/home/tech/.local/share/xorg/Xorg.0.log", Time: Fri Apr  8 
20:41:30 2022
(==) Using default built-in configuration (30 lines)
(EE)
Fatal server error:
(EE) xf86OpenConsole: Cannot open virtual console 1 (Permission denied)

> On 04/08/2022 4:15 PM Olivier Sessink <olivier@bluefish.openoffice.nl> wrote:
> 
>  
> I'm not sure if it is possible to run a complete Xorg inside a jail. 
> Never tried though. It runs as root, so for Xorg itself it can escape 
> the chroot jail anyway. There will be some binaries (perhaps xinit 
> itself?) that have the setuid root bit set. That is removed by jk_init 
> and jk_cp because of the security implications. So if you really know 
> what you are doing, you can use a regular cp to copy those binaries. 
> That possibly solves your permission denied problem.
> 
> Olivier
> 
> 
> 
> On 07-04-2022 23:55, Eric Ratliff wrote:
> > Hi, I’d like to use jailkit to run Fluxbox. I’ve tried copying X, xorg, 
> > xinit, startfluxbox, etc. over using jk_init and even manually using ldd to 
> > find dependencies. But always got a permission denied error in the end when 
> > I ran strace on xinit from within the startx script.
> >
> > Can anyone point me in the right direction?
> >
> > Thanks,
> > Eric
> >
> >
> > _______________________________________________
> > Jailkit-users mailing list
> > Jailkit-users@nongnu.org
> > https://lists.nongnu.org/mailman/listinfo/jailkit-users
> 
> 
> _______________________________________________
> Jailkit-users mailing list
> Jailkit-users@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/jailkit-users
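
An added example, not part of the original thread and not Jailkit's own code: a read-only audit that lists the setuid/setgid files under a jail root (the bit Olivier's reply says jk_init and jk_cp remove, and which the chmod u+s commands above put back) and checks who owns tmp/.X11-unix inside the jail, the subject of the _XSERVTransmkdir warning. The function names and the output format are assumptions; the jail path is passed as an argument.

```shell
#!/bin/sh
# Read-only audit of a chroot jail directory. Added example: the function
# names and output format are assumptions, not part of Jailkit.
# Assumes a stat(1) that supports -c (GNU coreutils or BusyBox).

# Print "<octal-mode> <owner-uid> <path>" for every regular file under
# the jail that carries the setuid or setgid bit.
jail_suid_files() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # -xdev keeps find on the jail's own filesystem.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %u %n' {} +
}

# Count the findings owned by uid 0; a setuid file owned by uid 0 runs
# with root privileges for whoever executes it inside the jail.
jail_suid_root_count() {
    jail_suid_files "$1" | awk '$2 == 0 { n++ } END { print n + 0 }'
}

# Report the owner of the X socket directory inside the jail.
# Prints "ok" (root-owned), "missing", or "owner-uid=<n>".
jail_x11_dir_owner() {
    dir=$1/tmp/.X11-unix
    [ -d "$dir" ] || { echo missing; return 0; }
    uid=$(stat -c '%u' "$dir")
    if [ "$uid" -eq 0 ]; then echo ok; else echo "owner-uid=$uid"; fi
}

jail_audit() {
    echo "setuid/setgid files under $1:"
    jail_suid_files "$1" || return
    echo "root-owned among them: $(jail_suid_root_count "$1")"
    echo "tmp/.X11-unix: $(jail_x11_dir_owner "$1")"
}

# Run the audit only when a jail path is given on the command line,
# for example: sh jail-audit.sh /opt/tech-jail
if [ $# -ge 1 ]; then jail_audit "$1"; fi
```

Run it as a user who can read the whole jail tree; it changes nothing on disk.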


