08-01-2010, 04:20 PM
Dave Miller

/bin/su won't work inside a chroot?

Jason Pyeron <jpyeron@...> writes:

>
> On centos 4 (i386 chroot on an x86_64) it just prompts me for a password.
>
> Any suggestion on where to start looking?
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> - -
> - Jason Pyeron PD Inc. http://www.pdinc.us -
> - Principal Consultant 10 West 24th Street #100 -
> - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
> - -
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> This message is copyright PD Inc, subject to license 20080407P00.
>

Just as a guess, you need to have an appropriate sudoers file in the correct
location relative to the chrooted root. Pulling some information from one of
your follow up posts, that would be:

/var/mnt/192.168.1.52/etc/sudoers

Once you chroot, programs look for files in their normal locations but relative
to whatever the new root is.

Cheers,
Dave


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
08-01-2010, 04:29 PM
JohnS

/bin/su won't work inside a chroot?

On Sun, 2010-08-01 at 16:20 +0000, Dave Miller wrote:
> Jason Pyeron <jpyeron@...> writes:
>
> >
> > On centos 4 (i386 chroot on an x86_64) it just prompts me for a password.
> >
> > Any suggestion on where to start looking?
> >
> >
>
> Just as a guess, you need to have an appropriate sudoers file in the correct
> location relative to the chrooted root. Pulling some information from one of
> your follow up posts, that would be:
>
> /var/mnt/192.168.1.52/etc/sudoers
>
> Once you chroot, programs look for files in their normal locations but relative
> to whatever the new root is.
>
> Cheers,
> Dave
---
Or be dirty and symlink it out to the main root /etc/sudoers... which
may create your security problem in present.....tense

John

 
08-01-2010, 05:22 PM
Jason Pyeron

/bin/su won't work inside a chroot?

> -----Original Message-----
> From: centos-bounces@centos.org
> [mailto:centos-bounces@centos.org] On Behalf Of JohnS
> Sent: Sunday, August 01, 2010 12:30
> To: CentOS mailing list
> Subject: Re: [CentOS] /bin/su won't work inside a chroot?
>
>
> On Sun, 2010-08-01 at 16:20 +0000, Dave Miller wrote:
> > Jason Pyeron <jpyeron@...> writes:
> >
> > >
> > > On centos 4 (i386 chroot on an x86_64) it just prompts me
> for a password.
> > >
> > > Any suggestion on where to start looking?
> > >
> > >
> >
> > Just as a guess, you need to have an appropriate sudoers
> file in the

Curious, I am trying to use su not sudo...

> > correct location relative to the chrooted root. Pulling some
> > information from one of your follow up posts, that would be:
> >
> > /var/mnt/192.168.1.52/etc/sudoers
> >
> > Once you chroot, programs look for files in their normal
> locations but
> > relative to whatever the new root is.
> >
> > Cheers,
> > Dave
> ---
> Or be dirty and symlink it out to the main root
> /etc/sudoers... which may create your security problem in
> present.....tense

[root@devserver21 etc]# cat sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

[root@devserver21 etc]# sudo su -l apache
failed to get default context
[root@devserver21 etc]# sudo su apache
failed to get default context
[root@devserver21 etc]# sudo
[root@devserver21 etc]#





 
08-01-2010, 06:55 PM
JohnS

/bin/su won't work inside a chroot?

On Sun, 2010-08-01 at 13:22 -0400, Jason Pyeron wrote:

> [root@devserver21 etc]# sudo su -l apache
> failed to get default context
> [root@devserver21 etc]# sudo su apache
> failed to get default context
> [root@devserver21 etc]# sudo
> [root@devserver21 etc]#
-----
Well how are you creating the chroot? and why do you want to build an
rpm as apache? and is this over nfs? If so it will not work as you would
think.

Try creating the chroot in /tmpfs?

Here's what I get:
[root@ethies ~]# sudo su -l apache
This account is currently not available.

[root@ethies ~]# su apache
This account is currently not available.

Looks like it is meant or not in sudoers....to be like this or it is a
bug. SELinux is Active also. Maybe someone else can confirm this? I
do not think some service accounts allow this but I know postgres does.

[root@ethies ~]# su postgres
bash-3.2$



John


 
08-01-2010, 06:58 PM
Alexander Dalloz

/bin/su won't work inside a chroot?

On 01.08.2010 20:55, JohnS wrote:
>
> On Sun, 2010-08-01 at 13:22 -0400, Jason Pyeron wrote:
>
>> [root@devserver21 etc]# sudo su -l apache
>> failed to get default context
>> [root@devserver21 etc]# sudo su apache
>> failed to get default context
>> [root@devserver21 etc]# sudo
>> [root@devserver21 etc]#
> -----
> Well how are you creating the chroot? and why do you want to build an
> rpm as apache? and is this over nfs? If so it will not work as you would
> think.
>
> Try creating the chroot in /tmpfs?
>
> Heres what I get
> [root@ethies ~]# sudo su -l apache
> This account is currently not available.
>
> [root@ethies ~]# su apache
> This account is currently not available.

apache has no login shell.

getent passwd apache

> Looks like it is meant or not in sudoers....to be like this or it is a
> bug. SELinux is Active also. Maybe someone else can confirm this? I
> do not think some service accounts allow this but I know postgres does.
>
> [root@ethies ~]# su postgres
> bash-3.2$

postgres has a login shell.

getent passwd postgres

> John

Alexander

 
08-01-2010, 07:10 PM
Les Mikesell

/bin/su won't work inside a chroot?

Jason Pyeron wrote:
>
> [root@devserver21 etc]# sudo su -l apache
> failed to get default context
> [root@devserver21 etc]# sudo su apache
> failed to get default context
> [root@devserver21 etc]# sudo
> [root@devserver21 etc]#
>

References to 'context' would have something to do with SELinux, not normal
permissions.

--
Les Mikesell
lesmikesell@gmail.com

 
08-01-2010, 07:13 PM
JohnS

/bin/su won't work inside a chroot?

On Sun, 2010-08-01 at 20:58 +0200, Alexander Dalloz wrote:
> On 01.08.2010 20:55, JohnS wrote:

> >
> > Heres what I get
> > [root@ethies ~]# sudo su -l apache
> > This account is currently not available.
> >
> > [root@ethies ~]# su apache
> > This account is currently not available.
>
> apache has no login shell.

Right :-)

> getent passwd apache
>
> > Looks like it is meant or not in sudoers....to be like this or it is a
> > bug. SELinux is Active also. Maybe someone else can confirm this? I
> > do not think some service accounts allow this but I know postgres does.
> >
> > [root@ethies ~]# su postgres
> > bash-3.2$
>
> postgres has a login shell.
>
> getent passwd postgres
>
> > John
>
> Alexander
---
Alex would be right! I went to the kitchen and thought about it and
came up with the same thing: no /bin/bash. :-)


 
08-01-2010, 07:28 PM
JohnS

/bin/su won't work inside a chroot?

On Sun, 2010-08-01 at 14:10 -0500, Les Mikesell wrote:
> Jason Pyeron wrote:
> >
> > [root@devserver21 etc]# sudo su -l apache
> > failed to get default context
> > [root@devserver21 etc]# sudo su apache
> > failed to get default context
> > [root@devserver21 etc]# sudo
> > [root@devserver21 etc]#
> >
>
> References to 'context' would have something to do with SELinux, not normal
> permissions.
---
That is also because his echoed "0" context is not active yet. It
requires a reboot every time I have done it. But the other way around
it does not.

No matter how hard you try in a default EL4 or 5 instance you will never
get logged into an apache account. Root or Not... Unless you change
the login shell..or exploit it...

apache = /sbin/nologin
postgres = /sbin/bash
#################################################
Jason,

Nasty things happen when you build rpms like that.
See www.owlriver.com , Russ has an article there about it [1].

[1] http://www.owlriver.com/tips/non-root/


John

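An added diagnostic script (editor's example, not code from anyone in this thread) that checks a chroot for the points raised above: Dave's note that programs inside the chroot resolve /etc/passwd, /etc/shells and /etc/sudoers relative to the new root, Alexander's point that the target account needs a login shell, and John's note that apache ships with /sbin/nologin. It builds a constructed skeleton chroot so it can be run offline; point it at a real chroot directory to use it for diagnosis. The "failed to get default context" message itself is SELinux, as Les says, and is outside what this script inspects.

```shell
#!/bin/sh
# Added diagnostic, not from the thread.  Given a chroot directory and an
# account name, report why "su <user>" inside that chroot cannot give a
# shell.  Everything is read relative to the chroot, never from the host.

# Print the login shell recorded for USER in ROOT/etc/passwd (empty if absent).
chroot_shell() {
    cs_root="$1"; cs_user="$2"
    awk -F: -v u="$cs_user" '$1 == u { print $7; exit }' "$cs_root/etc/passwd" 2>/dev/null
}

# Return 0 only if USER could get an interactive shell inside ROOT;
# otherwise print the first reason found and return 1.
check_chroot_login() {
    cl_root="$1"; cl_user="$2"
    cl_shell=$(chroot_shell "$cl_root" "$cl_user")
    if [ -z "$cl_shell" ]; then
        echo "$cl_user: no entry in $cl_root/etc/passwd"; return 1
    fi
    case "$cl_shell" in
        */nologin|*/false)
            # this is what yields "This account is currently not available."
            echo "$cl_user: non-login shell $cl_shell"; return 1 ;;
    esac
    if [ ! -x "$cl_root$cl_shell" ]; then
        # the shell binary must exist under the new root, not just on the host
        echo "$cl_user: $cl_shell is missing inside $cl_root"; return 1
    fi
    if ! grep -qx "$cl_shell" "$cl_root/etc/shells" 2>/dev/null; then
        echo "$cl_user: $cl_shell not listed in $cl_root/etc/shells"; return 1
    fi
    echo "$cl_user: may log in with $cl_shell"; return 0
}

# sudo inside the chroot reads ROOT/etc/sudoers.  Return 0 if it is a regular
# file there, 2 if it is a symlink (it may point outside the chroot), 1 if missing.
check_chroot_sudoers() {
    so_file="$1/etc/sudoers"
    if [ -L "$so_file" ]; then
        echo "$so_file is a symlink to $(readlink "$so_file")"; return 2
    elif [ ! -f "$so_file" ]; then
        echo "$so_file is missing"; return 1
    fi
    echo "$so_file present"; return 0
}

# Build a constructed throw-away chroot skeleton (sample data modelled on
# EL-style accounts, not a real system) and print its path.
make_sample_chroot() {
    ms_dir=$(mktemp -d)
    mkdir -p "$ms_dir/etc" "$ms_dir/bin" "$ms_dir/sbin"
    cat > "$ms_dir/etc/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
builder:x:500:500:builder:/home/builder:/bin/zsh
EOF
    printf '/bin/sh\n/bin/bash\n' > "$ms_dir/etc/shells"
    : > "$ms_dir/bin/bash";     chmod 755 "$ms_dir/bin/bash"
    : > "$ms_dir/sbin/nologin"; chmod 755 "$ms_dir/sbin/nologin"
    printf 'root ALL=(ALL) ALL\n' > "$ms_dir/etc/sudoers"
    echo "$ms_dir"
}

# Usage on the constructed skeleton; substitute a real chroot path for $demo.
demo=$(make_sample_chroot)
for u in apache postgres builder; do check_chroot_login "$demo" "$u" || :; done
check_chroot_sudoers "$demo" || :
rm -rf "$demo"
```

The builder account in the sample has a shell that exists on the host but not under the chroot, which is the case to watch for when, as Jason did, you change an account's shell inside the chroot: the binary named in passwd has to be present in the chroot's own /bin.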
 
08-01-2010, 08:00 PM
Jason Pyeron

/bin/su won't work inside a chroot?

> -----Original Message-----
> From: centos-bounces@centos.org
> [mailto:centos-bounces@centos.org] On Behalf Of JohnS
> Sent: Sunday, August 01, 2010 15:28
> To: CentOS mailing list
> Subject: Re: [CentOS] /bin/su won't work inside a chroot?
>
>
> On Sun, 2010-08-01 at 14:10 -0500, Les Mikesell wrote:
> > Jason Pyeron wrote:
> > >
> > > [root@devserver21 etc]# sudo su -l apache failed to get default
> > > context
> > > [root@devserver21 etc]# sudo su apache failed to get
> default context
> > > [root@devserver21 etc]# sudo
> > > [root@devserver21 etc]#
> > >
> >
> > References to 'context' would have something to do with
> SELinux, not normal
> > permissions.
> ---
> That is also because his echoed "0" context is not active yet. It
> requires a reboot every time I have done it. But the other way around
> it does not.
>
> No matter how hard you try in a default EL4 or 5 instance you
> will never
> get logged into an apache account. Root or Not... Unless you change
> the login shell..or exploit it...

Forgot to tell you in the chroot I did change the login shell for apache to
/bin/bash

>
> apache = /sbin/nologin
> postgres = /sbin/bash
> #################################################
> Jason,
>
> Nasty things happen when you build rpms like that.
> See www.owlriver.com , Russ has an article there about it [1].

Agreed. I am hacking together a solution to put in to our mockbuilder. Needed to
have a working subversion 1.6.x in our yum repo by Monday morning (client
deliverable). I have gotten everything to work until subversion's make test
launches apache as root.... It just produced the 1st mod_dav_svn-1.6.12 rpm as I
was typing this email.

Give me ten minutes I will publish the src.rpms...

>
> [1] http://www.owlriver.com/tips/non-root/
>
>
> John
>
>






 
08-01-2010, 08:18 PM
JohnS

/bin/su won't work inside a chroot?

On Sun, 2010-08-01 at 16:00 -0400, Jason Pyeron wrote:

> > Nasty things happen when you build rpms like that.
> > See www.owlriver.com , Russ has an article there about it [1].
>
> Agreed. I am hacking together a solution to put in to our mockbuilder. Needed to
> have a working subversion 1.6.x in our yum repo by Monday morning (client
> deliverable). I have gotten everything to work until subversion's make test
> launches apache as root.... It just produced the 1st mod_dav_svn-1.6.12 rpm as I
> was typing this email.
>
> Give me ten minutes I will publish the src.rpms...
---
I would be very skeptical about launching apache as root. Would like to
see that specfile though; you can su in the specfile itself to switch
to another user or daemon. I have an rpm that does just that.

John

 