[[wiki:experiences/igraltist|Back to igraltist's experiences]]\\
====== run-jail ======
run-jail is a Python script. Two files are necessary to use it:
* [[http://svn.kasten-edv.de/svn/rsbac/trunk/bin/run-jail.py|run-jail.py]]
* [[http://svn.kasten-edv.de/svn/rsbac/trunk/lib/jail_configparser.py|jail_configparser.py]]
===== syntax for the config file =====
<code>
; example daemon
; date 0.0.0000
; tested by
""
""
()
()
()
()
</code>
==== explanation of the syntax ====
The jail configuration file is divided into 6 categories.
The two "" lines are:
1. "" chroot path
2. "0.0.0.0" IP address
**Explanation to point 2.**
The IP field may be set to "auto", "interface", "ip-address" or "".
"auto":
If auto is set, run-jail looks in the output of /sbin/route for the default route (flags UG), takes its interface and reads the IP address from that interface.
If no default UG route is found, the IP address of localhost is used.
"interface":
If an interface name is set, the IP address is taken from /sbin/ifconfig interface.
"ip-address":
If an IP address is set, it is validated and then used.
If the IP address is not associated with an interface, rsbac-jail throws an exception.
"":
If the empty string "" is given, the address is set to 0.0.0.0, which means: ignore the IP.
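The four IP settings just described, as an added Python example (this is not code from run-jail.py): it resolves the setting from captured /sbin/route -n and /sbin/ifconfig text, so it runs offline and shows the failure mode for an address that belongs to no interface. The route table and ifconfig snippets are constructed sample data in the old net-tools format, not taken from this page.

```python
"""Resolve the IP-address field of a run-jail config: "auto", "<interface>",
"<ip-address>" or "".

Added example, not code from run-jail.py.  It works on captured text from
/sbin/route -n and /sbin/ifconfig so it runs offline; the sample outputs below
are constructed, not taken from the page.
"""
import ipaddress
import re

# Constructed `route -n` output: one default gateway (UG) route via eth0.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""
# Same table with the default route removed (constructed).
ROUTE_N_NO_DEFAULT = "\n".join(ROUTE_N.splitlines()[:2] + ROUTE_N.splitlines()[3:]) + "\n"

# Constructed `ifconfig <iface>` outputs, keyed by interface name.
IFCONFIG = {
    "eth0": ("eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55\n"
             "          inet addr:192.168.1.23  Bcast:192.168.1.255  Mask:255.255.255.0\n"),
    "lo":   ("lo        Link encap:Local Loopback\n"
             "          inet addr:127.0.0.1  Mask:255.0.0.0\n"),
}


def default_route_iface(route_output):
    """Interface of the default gateway route (flags contain U and G), or None."""
    for line in route_output.splitlines()[2:]:        # skip the two header lines
        fields = line.split()
        if len(fields) >= 8 and fields[0] in ("0.0.0.0", "default") \
                and "U" in fields[3] and "G" in fields[3]:
            return fields[7]
    return None


def iface_ip(ifconfig_output):
    """First IPv4 address in `ifconfig <iface>` output, or None."""
    m = re.search(r"inet addr:(\d+\.\d+\.\d+\.\d+)", ifconfig_output)
    return m.group(1) if m else None


def is_ipv4(text):
    """True if text is a syntactically valid dotted-quad address."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def resolve_jail_ip(setting, route_output, ifconfig_by_iface):
    """Return the dotted quad the jail should use for the config's IP field."""
    if setting in ("", "0.0.0.0"):          # "" means: ignore the IP (pdnsd writes 0.0.0.0)
        return "0.0.0.0"
    if setting == "auto":                   # default UG route -> that interface's address
        iface = default_route_iface(route_output)
        if iface is None:                   # no default route: fall back to localhost
            return iface_ip(ifconfig_by_iface["lo"])
        return iface_ip(ifconfig_by_iface[iface])
    if is_ipv4(setting):                    # literal address: must belong to an interface
        configured = {iface_ip(out) for out in ifconfig_by_iface.values()}
        if setting not in configured:
            raise ValueError("%s is not associated with any interface" % setting)
        return setting
    if setting not in ifconfig_by_iface:    # anything else is taken as an interface name
        raise ValueError("unknown interface %r" % setting)
    return iface_ip(ifconfig_by_iface[setting])


def rejected(setting, route_output, ifconfig_by_iface):
    """True if resolve_jail_ip refuses the setting (shows the exception path)."""
    try:
        resolve_jail_ip(setting, route_output, ifconfig_by_iface)
    except (ValueError, KeyError):
        return True
    return False


if __name__ == "__main__":
    for s in ("auto", "eth0", "192.168.1.23", ""):
        print("%-14r -> %s" % (s, resolve_jail_ip(s, ROUTE_N, IFCONFIG)))
```

The literal-address branch is the security-relevant one: an address that no interface carries is refused instead of being passed on to the jail, which matches the "throws an exception" behaviour described above.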
The () categories stand for:
3. () => jail_flags
4. () => cap_max
5. () => scd GET_STATUS_DATA
6. () => scd MODIFY_SYSTEM_DATA
The values inside the categories of points 3-6 must be separated by a newline!
Example (the same group written three ways):
<code>
(allow-all-net-family
allow-external-ipc
allow-dev-read
auto-adjust-ip-address)
(allow-all-net-family
allow-external-ipc
allow-dev-read
auto-adjust-ip-address
)
(
allow-all-net-family
allow-external-ipc
allow-dev-read
auto-adjust-ip-address
)
</code>
===== preparing to use run-jail =====
Three important preparations are necessary:
- Configure the Jail support.
- Include RSBAC debug support ((RSBAC -> General Options -> RSBAC-Debugging))
- Enable debugging of Jail at runtime ((echo debug_adf_jail 1 > /proc/rsbac-info/debug))
I have placed all configuration files under '/etc/rsbac/jail/'. I took this from another old Adamantix system.
For easier remembering I do
<code>
ln -s /path_to/run-jail.py /bin/run-jail
</code>
To get rid of the following message, which is printed many times and is not really needed:
<code>
<6>0000000131|rsbac_adf_request(): request GET_STATUS_DATA, pid 1586, ppid 1585, prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid 0, target_type PROCESS, tid 1585, attr none, value none, result NOT_GRANTED by JAIL
</code>
do:
<code>
switch_adf_log GET_STATUS_DATA PROCESS 0
</code>
===== usage of run-jail =====
<code>
usage: run-jail jail-config-name cmd ...
</code>
===== example for init scripts =====
<code>
run-jail postfix /usr/sbin/postfix start
run-jail pdnsd start-stop-daemon --start --quiet --exec /usr/sbin/pdnsd \
-- -t -s -d -p /var/run/pdnsd.pid ${PDNSDCONFIG}
</code>
===== example for pdnsd =====
pdnsd-jail-config:
<code>
;
; RSBAC JAIL definition for pdnsd
; 20081407
;
; Tested by:
; Jens Kasten (igraltist) on gentoo
;
""
"0.0.0.0"
(allow-dev-read
allow-dev-write
allow-inet-raw
allow-ipc-syslog
allow-ipc-parent)
(setgid
setuid
net-bind-service
net-raw
sys-ptrace
sys-resource)
(sysctl)
(rlimit
priority)
</code>
Restart the service.
<code>
/etc/init.d/pdnsd restart
</code>
This is what is executed now:
<code>
rsbac_jail -d -D -r -y -P -C SETGID SETUID NET_BIND_SERVICE NET_RAW SYS_PTRACE SYS_RESOURCE -G sysctl -M rlimit priority start-stop-daemon --start --quiet --exec /usr/sbin/pdnsd -- -t -s -d -p /var/run/pdnsd.pid
</code>
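The config syntax explained above and this pdnsd example, tied together as an added Python example (this is not run-jail.py or jail_configparser.py from the page): it parses the six categories, accepts the three '()' layouts from the syntax section, and rebuilds the rsbac_jail command line shown above. The flag letters it knows are only the ones that example reveals (-d, -D, -r, -y, -P); any other jail flag, chroot path or IP setting is rejected rather than guessed, because the page does not show their switches.

```python
"""Parse a run-jail config and build the rsbac_jail command line it results in.

Added example: this is NOT run-jail.py or jail_configparser.py from the page.
It only knows the flag letters visible in the page's pdnsd example and refuses
anything else instead of guessing.
"""
import re

# jail_flags -> rsbac_jail switch, read off the page's pdnsd example.
JAIL_FLAG_SWITCH = {
    "allow-dev-read": "-d",
    "allow-dev-write": "-D",
    "allow-inet-raw": "-r",
    "allow-ipc-syslog": "-y",
    "allow-ipc-parent": "-P",
}

# The pdnsd-jail-config from the page, verbatim.
PDNSD_CONFIG = """\
;
; RSBAC JAIL definition for pdnsd
; 20081407
;
; Tested by:
; Jens Kasten (igraltist) on gentoo
;
""
"0.0.0.0"
(allow-dev-read
allow-dev-write
allow-inet-raw
allow-ipc-syslog
allow-ipc-parent)
(setgid
setuid
net-bind-service
net-raw
sys-ptrace
sys-resource)
(sysctl)
(rlimit
priority)
"""
# The command run-jail is given for pdnsd (from the page's init-script example).
PDNSD_CMD = ["start-stop-daemon", "--start", "--quiet", "--exec", "/usr/sbin/pdnsd",
             "--", "-t", "-s", "-d", "-p", "/var/run/pdnsd.pid"]

_TOKEN = re.compile(r'"([^"]*)"|\(([^)]*)\)')


def parse_jail_config(text):
    """Return the six categories as a dict.

    ';' lines are comments; then come two double-quoted strings (chroot path,
    IP setting) and four '(...)' groups whose entries are newline-separated.
    A parenthesis may sit on its own line or hug the first/last entry.
    """
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith(";"))
    quoted, groups = [], []
    for m in _TOKEN.finditer(body):
        if m.group(0).startswith('"'):
            quoted.append(m.group(1))
        else:
            groups.append([e.strip() for e in m.group(2).splitlines() if e.strip()])
    if len(quoted) != 2 or len(groups) != 4:
        raise ValueError("need 2 quoted strings and 4 () groups, got %d and %d"
                         % (len(quoted), len(groups)))
    return {"chroot": quoted[0], "ip": quoted[1], "jail_flags": groups[0],
            "cap_max": groups[1], "scd_get": groups[2], "scd_modify": groups[3]}


def build_rsbac_jail_argv(cfg, cmd):
    """Translate a parsed config plus the command into the rsbac_jail argv."""
    # The page shows no switch for chroot "" / IP "0.0.0.0" (= ignore) and does
    # not show the switches for other values, so only that case is built here.
    if cfg["chroot"] != "" or cfg["ip"] != "0.0.0.0":
        raise ValueError("chroot/IP switches are not known from the page")
    argv = ["rsbac_jail"]
    for flag in cfg["jail_flags"]:
        if flag not in JAIL_FLAG_SWITCH:
            raise ValueError("no known rsbac_jail switch for %r" % flag)
        argv.append(JAIL_FLAG_SWITCH[flag])
    if cfg["cap_max"]:       # capabilities: upper case, '-' becomes '_'
        argv += ["-C"] + [c.upper().replace("-", "_") for c in cfg["cap_max"]]
    if cfg["scd_get"]:       # scd targets allowed for GET_STATUS_DATA
        argv += ["-G"] + cfg["scd_get"]
    if cfg["scd_modify"]:    # scd targets allowed for MODIFY_SYSTEM_DATA
        argv += ["-M"] + cfg["scd_modify"]
    return argv + list(cmd)


def layouts_agree():
    """The three () layouts from the syntax section parse to the same entries."""
    group = "allow-all-net-family\nallow-external-ipc\nallow-dev-read\nauto-adjust-ip-address"
    variants = ["(%s)" % group, "(%s\n)" % group, "(\n%s\n)" % group]
    parsed = [parse_jail_config('""\n""\n%s\n()\n()\n()\n' % v)["jail_flags"]
              for v in variants]
    return all(p == parsed[0] for p in parsed) and len(parsed[0]) == 4


if __name__ == "__main__":
    print(" ".join(build_rsbac_jail_argv(parse_jail_config(PDNSD_CONFIG), PDNSD_CMD)))
```

Comment lines are dropped before tokenising, which matters here: the "Tested by" comment contains parentheses that would otherwise be read as a fifth group.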
===== explanation of how to get values for the jail-config =====
As security user do a:
<code>
cat /proc/rsbac-info/rmsg
</code>
See [[wiki:experiences/igraltist/jail_explain_message|jail-explain-message]].
===== Jail configuration files =====
These policies are tested and working so far.
* [[wiki:experiences/igraltist/jail_syslogd|Setup for syslogd]]
* [[wiki:experiences/igraltist/jail_cron|Setup for cron]]
* [[wiki:experiences/igraltist/jail_apache2|Setup for apache2]]
* [[wiki:experiences/igraltist/jail_shorewall|Setup for shorewall]]
* [[wiki:experiences/igraltist/jail_cups|Setup for cups]]
* [[wiki:experiences/igraltist/jail_ntpd|Setup for ntpd]]
* [[wiki:experiences/igraltist/jail_vixie-cron|Setup for vixie-cron]]
* [[wiki:experiences/igraltist/jail_syslog-ng|Setup for syslog-ng]]
* [[wiki:experiences/igraltist/jail_pdnsd|Setup for pdnsd]]
* [[wiki:experiences/igraltist/jail_samba|Setup for samba]]
* [[wiki:experiences/igraltist/jail_postfix|Setup for postfix]]
* [[wiki:experiences/igraltist/jail_powernowd|Setup for powernowd]]
* [[wiki:experiences/igraltist/jail_dmeventd|Setup for dmeventd]]
* [[wiki:experiences/igraltist/jail_portmap|Setup for portmap]]
* [[wiki:experiences/igraltist/jail_squid|Setup for squid]]
* [[wiki:experiences/igraltist/jail_ping|Setup for ping]]
* [[wiki:experiences/igraltist/jail_wget|Setup for wget]]
* [[wiki:experiences/igraltist/jail_rsync|Setup for rsync]]
====== Jail-Wrapper ======
If you want, for example, 'ping' or 'wget' jailed too, then simply do
<code>
mkdir /a_bin /a_sbin
</code>
and modify '/etc/profile':
--- profile_org 2008-07-14 06:00:39.000000000 +0200
+++ profile 2008-07-14 06:11:30.000000000 +0200
@@ -22,9 +22,9 @@
# This way the evaluation can be short-circuited and calling whoami is
# avoided.
if [ "$EUID" = "0" ] || [ "$USER" = "root" ] ; then
- PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${ROOTPATH}"
+ PATH="/a_bin:/a_sbin:/usr/local/kvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${ROOTPATH}"
else
- PATH="/usr/local/bin:/usr/bin:/bin:${PATH}"
+ PATH="/a_bin:/usr/local/bin:/usr/bin:/abin:${PATH}"
fi
export PATH
unset ROOTPATH
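Review bot: the non-root branch's new PATH ends with `/abin`, which does not match the `/a_bin` created by `mkdir /a_bin /a_sbin` and already placed at the head of that same line, so it looks like a typo that adds a non-existent directory to every user's PATH; drop it (or write `/a_bin` if a second entry was really intended). The root branch additionally inserts `/usr/local/kvm/bin`, which has nothing to do with the jail wrapper and should not be part of a patch that documents the wrapper setup.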
To update the PATH do:
<code>
source /etc/profile
</code>
'/a_bin' is placed at the head of PATH, and its name also sorts first alphabetically ('ABC order'), so it is always the first directory searched for a command.
I take 'ping' as the example.
Simply create a file '/a_bin/jail-wrapper' with this content:
<code>
#!/bin/bash
# Every symlink in /a_bin points to this wrapper; $0 is the symlink that was
# called, e.g. /a_bin/ping, and its basename doubles as the jail config name.
dir="/a_bin/"
# Restrict PATH so that run-jail and the real command are found in the system
# directories and not in /a_bin again, which would re-enter this wrapper.
PATH=/bin:/usr/bin:/usr/local/bin
# Strip the wrapper directory (with or without trailing slash) from $0.
name="${0#"${dir%/}"/}"
exec run-jail "${name}" "${name}" "$@"
</code>
<code>
chmod +x /a_bin/jail-wrapper
cd /a_bin
ln -s jail-wrapper ping
</code>
For '/a_sbin/jail-wrapper' follow the same procedure, but set dir="/a_sbin" and extend the PATH:
<code>
PATH=/bin:/sbin:/usr/bin:/usr/sbin/:/usr/local/bin:/usr/local/sbin
</code>
That's all. Now the ping jail config has to exist in the directory '/etc/rsbac/jail'.
If this wrapper should no longer be used, simply undo the change to '/etc/profile' or move '/a_bin' to '/z_bin'.
Then the original /bin/ping is executed again, without rsbac_jail.