Re: [Jailkit-users] Fluxbox
From: Eric Ratliff
Subject: Re: [Jailkit-users] Fluxbox
Date: Fri, 8 Apr 2022 20:43:29 -0500 (CDT)
Thanks Olivier, great points and important for me to consider... I didn't
realize running xorg could open some security issues.
I'll probably design this a different way w/ that in mind, but I'll admit, my
curiosity got the best of me and as a mental exercise, I want to get this figured
out.
I tried issuing:
chmod u+s /opt/tech-jail/usr/bin/xinit
chmod u+s /opt/tech-jail/usr/bin/Xorg
chmod u+s /opt/tech-jail/usr/bin/xauth
chmod u+s /opt/tech-jail/usr/bin/xmodmap
The error I'm seeing when issuing startx is:
xf86OpenConsole: Cannot open virtual console 1 (Permission denied)
When I run a groups command, I see:
tech tty video
When I issue strace in startx as xinit is being called, I get this section... I
see a permission denied line when setpriority is called.
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[CHLD],
sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f7453c18d60},
{sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=0x5587ada02250, sa_mask=[],
sa_flags=SA_RESTORER, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=0x5587ada02250, sa_mask=[],
sa_flags=SA_RESTORER, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGINT, {sa_handler=0x5587ada02250, sa_mask=[],
sa_flags=SA_RESTORER, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGHUP, {sa_handler=0x5587ada02250, sa_mask=[],
sa_flags=SA_RESTORER, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=0x5587ada02250, sa_mask=[],
sa_flags=SA_RESTORER, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGALRM, {sa_handler=0x5587ada02260, sa_mask=[],
sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigaction(SIGUSR1, {sa_handler=0x5587ada02260, sa_mask=[],
sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f7453c18d60}, NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [USR1], [], 8) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x7f7453978a10) = 52269
setpriority(PRIO_PROCESS, 52269, -1) = -1 EACCES (Permission denied)
wait4(52269, 0x5587adc04b60, WNOHANG, NULL) = 0
write(2, "\n", 1
) = 1
alarm(15) = 0
rt_sigsuspend([], 8_XSERVTransmkdir: Owner of /tmp/.X11-unix should be set to
root
X.Org X Server 1.20.11
X Protocol Version 11, Revision 0
Build Operating System: linux Debian
Current Operating System: Linux debian 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1
(2022-03-17) x86_64
Build Date: 16 December 2021 05:08:23PM
xorg-server 2:1.20.11-1+deb11u1 (https://www.debian.org/support)
Current version of pixman: 0.40.0
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/home/tech/.local/share/xorg/Xorg.0.log", Time: Fri Apr 8
20:41:30 2022
(==) Using default built-in configuration (30 lines)
(EE)
Fatal server error:
(EE) xf86OpenConsole: Cannot open virtual console 1 (Permission denied)
> On 04/08/2022 4:15 PM Olivier Sessink <olivier@bluefish.openoffice.nl> wrote:
>
>
> I'm not sure if it is possible to run a complete Xorg inside a jail.
> Never tried though. It runs as root, so for Xorg itself it can escape
> the chroot jail anyway. There will be some binaries (perhaps xinit
> itself?) that have the setuid root bit set. That is removed by jk_init
> and jk_cp because of the security implications. So if you really know
> what you are doing, you can use a regular cp to copy those binaries.
> That possibly solves your permission denied problem.
>
> Olivier
>
>
>
> On 07-04-2022 23:55, Eric Ratliff wrote:
> > Hi, I’d like to use jailkit to run Fluxbox. I’ve tried copying X, xorg,
> > xinit, startfluxbox, etc. over using jk_init and even manually using ldd to
> > find dependencies. But always got a permission denied error in the end when
> > I ran strace on xinit from within the startx script.
> >
> > Can anyone point me in the right direction?
> >
> > Thanks,
> > Eric
> >
> >
> > _______________________________________________
> > Jailkit-users mailing list
> > Jailkit-users@nongnu.org
> > https://lists.nongnu.org/mailman/listinfo/jailkit-users
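An added example, not part of the thread and not Jailkit code: the reply above notes that jk_init and jk_cp strip setuid bits on copy, and the `chmod u+s` commands put them back, so this check lists setuid/setgid files inside a jail and can clear the bits again. It assumes GNU `stat` as on the Debian system shown; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit a chroot jail for setuid/setgid files.
# Usage (jail path taken from the thread):
#   audit_jail_suid /opt/tech-jail
#   strip_jail_suid /opt/tech-jail

# audit_jail_suid ROOT
# Prints "<octal mode> <owner> <path>" for every regular file under ROOT
# that has the setuid or setgid bit set.
# Returns 0 if none are found, 1 if any are found, 2 if ROOT is not a directory.
audit_jail_suid() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    # -xdev keeps find on the jail's own filesystem, so anything mounted
    # inside the jail (for example a /proc or /dev mount) is not walked.
    # -perm -4000 matches setuid, -perm -2000 matches setgid.
    found=$(find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
                -exec stat -c '%a %U %n' {} + | sort -k3)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# strip_jail_suid ROOT
# Clears setuid and setgid on every file the audit would report, restoring
# the state the thread says jk_cp and jk_init leave behind.
strip_jail_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} +
}
```

A line whose owner column is `root` with a mode starting in 4 is the case the reply warns about: a process that becomes root inside the jail is no longer confined by the chroot.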