Sample use cases on Ubuntu 16.04 (x86-64) #26

Closed
ebadi opened this issue Jun 14, 2017 · 6 comments
Comments

@ebadi
Contributor

ebadi commented Jun 14, 2017

The sample use cases are not working on my Ubuntu 16.04 (x86-64).

./nsjail -Ml --port 9000 --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i
[2017-06-14T11:25:15+0200] Mode: LISTEN_TCP
[2017-06-14T11:25:15+0200] Jail parameters: hostname:'NSJAIL', chroot:'/chroot/', process:'/bin/sh', bind:[::]:9000, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clonew_newuts:true, clone_newcgroup:false, keep_caps:false, tmpfs_size:4194304, disable_no_new_privs:false
[2017-06-14T11:25:15+0200] Mount point: src:'/chroot/' dst:'/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:true
[2017-06-14T11:25:15+0200] Mount point: src:'[NULL]' dst:'/proc' type:'proc' flags:MS_RDONLY|0 options:'' isDir:true
[2017-06-14T11:25:15+0200] Uid map: inside_uid:99999 outside_uid:1000 count:1 newuidmap:false
[2017-06-14T11:25:15+0200] Gid map: inside_gid:99999 outside_gid:1000 count:1 newgidmap:false
[2017-06-14T11:25:15+0200] Listening on [::]:9000
[2017-06-14T11:25:20+0200] New connection from: [::ffff:127.0.0.1]:40942 on: [::ffff:127.0.0.1]:9000
[2017-06-14T11:25:20+0200] Executing '/bin/sh' for '[::ffff:127.0.0.1]:40942'
[2017-06-14T11:25:20+0200] [E][1] subprocNewProc():180 execve('/bin/sh') failed: No such file or directory
[2017-06-14T11:25:20+0200] PID: 30539 exited with status: 1, (PIDs left: 0)

It works fine when I change it to:

./nsjail -Ml --port 9000 --chroot /chroot/ --user 99999 --group 99999  -R /bin/ -R /lib -R /lib64/  -- /bin/sh -i
[2017-06-14T11:29:49+0200] Mode: LISTEN_TCP
[2017-06-14T11:29:49+0200] Jail parameters: hostname:'NSJAIL', chroot:'/chroot/', process:'/bin/sh', bind:[::]:9000, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clonew_newuts:true, clone_newcgroup:false, keep_caps:false, tmpfs_size:4194304, disable_no_new_privs:false
[2017-06-14T11:29:49+0200] Mount point: src:'/chroot/' dst:'/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:true
[2017-06-14T11:29:49+0200] Mount point: src:'[NULL]' dst:'/proc' type:'proc' flags:MS_RDONLY|0 options:'' isDir:true
[2017-06-14T11:29:49+0200] Mount point: src:'/bin/' dst:'/bin/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:true
[2017-06-14T11:29:49+0200] Mount point: src:'/lib' dst:'/lib' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:true
[2017-06-14T11:29:49+0200] Mount point: src:'/lib64/' dst:'/lib64/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:true
[2017-06-14T11:29:49+0200] Uid map: inside_uid:99999 outside_uid:1000 count:1 newuidmap:false
[2017-06-14T11:29:49+0200] Gid map: inside_gid:99999 outside_gid:1000 count:1 newgidmap:false
[2017-06-14T11:29:49+0200] Listening on [::]:9000
[2017-06-14T11:29:57+0200] New connection from: [::ffff:127.0.0.1]:40972 on: [::ffff:127.0.0.1]:9000
[2017-06-14T11:29:57+0200] Executing '/bin/sh' for '[::ffff:127.0.0.1]:40972'

I assume access to /bin is needed to run the sh executable, and the /lib* library files are needed later for successful execution.

@robertswiecki
Collaborator

robertswiecki commented Jun 14, 2017

So, --chroot is not required, it merely says

Bind /chroot as the new /

This should work

$ ./nsjail -Ml --port 9000 --user 99999 --group 99999  -R /bin/ -R /lib -R /lib64/  -- /bin/sh -i

@robertswiecki
Collaborator

robertswiecki commented Jun 14, 2017

Also, ldd is your friend when assessing which directories to include

$ ldd /bin/sh
	linux-vdso.so.1 =>  (0x00007ffc20bdb000)
	libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fc2d9ff4000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc2d9df0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc2d9a27000)
	/lib64/ld-linux-x86-64.so.2 (0x000056244eb4e000)
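The ldd advice above can be turned into a small script that derives the -R arguments automatically. This is an added example, not code from nsjail or from either participant: it parses ldd output and emits one read-only bind per directory the loader will actually open (the binary's own directory, the library directories, and the directory of the dynamic loader), which is tighter than binding all of /lib. The function names and the sample ldd text are constructed for the example.

```shell
#!/bin/sh
# Added example, not nsjail's own code: derive the read-only bind mounts (-R)
# a dynamically linked binary needs from ldd output, so the jail exposes only
# the directories the loader will actually touch instead of all of /lib.

# Print the unique directories holding the shared objects listed in ldd output
# read from stdin. Handles the "name => /path (addr)" form and the bare
# "/lib64/ld-linux-x86-64.so.2 (addr)" form; skips linux-vdso, which is
# kernel-provided and has no file on disk, and lines such as
# "statically linked".
ldd_lib_dirs() {
    awk '
        /=>/  { p = $3 }
        !/=>/ { p = $1 }
        p ~ /^\// {
            sub("/[^/]*$", "", p)            # drop the file name component
            if (!(p in seen)) { seen[p] = 1; print p }
        }
    '
}

# Emit the -R arguments for a binary: its own directory plus every library
# directory from its ldd output (stdin), sorted and de-duplicated, one
# "-R <dir>" per line. LC_ALL=C keeps the order independent of the locale.
nsjail_bind_args() {
    bin="$1"
    { dirname "$bin"; ldd_lib_dirs; } | LC_ALL=C sort -u | sed 's/^/-R /'
}

# Constructed ldd output in the same shape as the thread's `ldd /bin/sh`,
# embedded so the example runs without invoking ldd on a real binary.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007ffc20bdb000)
    libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fc2d9ff4000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc2d9df0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc2d9a27000)
    /lib64/ld-linux-x86-64.so.2 (0x000056244eb4e000)'

# Against a real binary you would pipe ldd directly:
#   ldd /bin/sh | nsjail_bind_args /bin/sh
# and splice the result into the nsjail command line, e.g.
#   ./nsjail -Ml --port 9000 --user 99999 --group 99999 \
#       -R /bin -R /lib/x86_64-linux-gnu -R /lib64 -- /bin/sh -i
printf '%s\n' "$SAMPLE_LDD" | nsjail_bind_args /bin/sh
```

Two caveats a practitioner should keep in mind. First, ldd only reports link-time dependencies; anything loaded at run time with dlopen (NSS modules, gconv, locale data, Python extension modules in the sandboxed-scripts case) will still fail inside the jail and has to be found by other means, for example by running the jailed program under strace and looking for failed opens. Second, ldd may execute the program's dynamic loader, so the ldd(1) manual warns against running it on untrusted executables; generate the bind list on a trusted copy of the binary, not on the payload you are trying to contain.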

@ebadi
Contributor Author

ebadi commented Jun 14, 2017

Thanks @robertswiecki, maybe it is meant to be like this (?):

./nsjail -Ml --port 9000 --user 99999 --group 99999  --chroot /   -- /bin/sh -i

Anyway, getting an error message on the first try is probably not desirable.
I also suggest adding a short build instruction with the list of needed packages.
I found the Dockerfile helpful.

@robertswiecki
Collaborator

Ah... you mean the README.md example? Let me check...

Ok... the assumption here is that you have a valid file-system inside /chroot - that you can install e.g. via debootstrap

@ebadi
Contributor Author

ebadi commented Jun 16, 2017

Just started using nsjail to sandbox some Python scripts and it was disappointing to see strange errors for the basic use cases in README.md. Now it is clear. :) Thanks.

  • Suggestion: it is time saving and reassuring if basic use cases are well explained and straightforward to test.

@ebadi ebadi closed this as completed Jun 16, 2017
@robertswiecki
Collaborator

Thanks.

I've done some README.md changes in ed2bf6e - Hope this helps.
