
Here’s the link to the official TODO list. It uses a Wekan board hosted on the Sandstorm platform: https://nuage.xroutine.net/shared/a2O5DxqQ4BMQT9Cm_P_PYSGLHDszUBPknscCIR9KOCh

JailTools - create and manage jails (containers)

What is JailTools?

It’s a tool to isolate programs from your host system. So-called jails contain a directory structure similar to that of a normal OS (for example /home, /etc and /dev), and it is possible to control internet access for the programs inside the jail (you can easily remove internet access from jails).

What is JailTools in technical terms?

It provides a slim OS-level virtualization solution for the GNU/Linux operating system. It uses Linux’s chroot and namespace features.

Purpose

As is, chroots are a pain to set up manually: you have to create a basic directory structure and copy over the dependencies of the program you want to use (especially if it’s a dynamically linked program/library).

JailTools makes that process easy by automating most of the work and then provides means to interface with jails.

It has tools for copying applications and libraries into the jail together with the shared objects they depend on to run correctly.

JailTools creates a minimal filesystem (about 6MB in size) which is meant to include only the bare minimum for applications or libraries to do their job. This way, in case the service is compromised, the adversary will only get access to that filesystem rather than the host system directly.

Compilation and Installation

JailTools relies on busybox, and the slim musl libc library is used to compile busybox. Busybox is compiled statically to keep the number of shared objects required for bare jails to a minimum.

Quick steps :

  1. compilation requirements: git, gcc, GNU make (and GNU autotools as some of the extra dependencies rely on them)

  2. get the source code with git clone https://github.com/nniro/jailTools

  3. alternatively, you can recursively get all the dependencies and extra tools by doing : git clone --recurse-submodules https://github.com/nniro/jailTools

  4. make will download, configure and compile musl and busybox.

  5. install the super script with install.sh

Elaborated steps :

Step 1:

Get jailTools from the git repository:

git clone https://github.com/nniro/jailTools

This will download the repository to the directory jailTools.

Step 2:

The project relies on musl (libc) and busybox. The latter provides the underlying filesystem shell and commands inside each jail. Both of these dependencies are automatically cloned by the Makefile process. We don’t use already installed versions because we want statically linked versions of both of these to save space.

To compile, just run make. This will compile musl and then use it to statically link busybox.

Step 3:

The installation script install.sh will copy the super script jt to a location of your choice. It only installs the super script, not the whole jailTools directory.

If you want to use jailTools for your user only, just clone the git repository, compile and do this:

sh ./install.sh ~/bin

This will install the super script inside your user’s bin directory. Make sure that you have ~/bin in your "PATH" environment variable.

System wide installation:

If you want to make the project available to all users on the system, these are the steps to do so.

Important
No longer true, see next "Important" block --- It is currently not possible to start jails or access them in any manner that does not require super user privileges. This means that users would need root access in order to fully use jails created with jailTools. The only way an unprivileged user could access a started jail is through network services like telnet or ssh.
Important
It is now possible to run jails as an unprivileged user when the Linux user namespace is available. Note however that not all features work in that case. It is also possible to run a new shell from an already running jail even as an unprivileged user. This is actually the recommended way: first start a jail as a daemon or just with start (this will set up superuser-only features for the jail) as a privileged user, and then you can access the jail as an unprivileged user with the shell command to start your applications.

Just do:

sudo sh install.sh /usr/local/bin

Usage

Here is a list of available commands when calling jt:

  • new

    creates a new jail directory
  • cp

    copy files or directories (with their shared object dependencies) into the jail
  • start, stop, daemon, shell (all take the <path> argument)

    These are jail-specific commands. You can provide each of them with a single argument, which is the path of the jail to run the command on.

Creating a new jail

Synopsis :

jt new <path and name> <optional jail's main username> <optional jail's main group>

Both the internal username and group are used inside the jail itself, and will be added to /etc/{passwd,shadow} and /etc/group respectively, inside the chroot. The main user will have exactly the same UID as the user that created the jail; the same goes for the group. If they are not explicitly given, they will be created with the same name as the jail.

Important
The jail name is initially the directory in which the jail resides. That name can be changed inside the configuration file rootCustomConfig.sh.

Example :

jt new /path/to/example foo bar

This will create a new directory called example containing the jail and, once running, the user’s UID and GID will be mapped to foo and bar respectively. Inside the jail directory /path/to/example there are 3 notable scripts:

  • startRoot.sh (don’t run this directly, use the super script jt)
  • rootCustomConfig.sh (where you place your configuration and custom scripting)
  • update.sh (this contains the files which are copied by the cp or cpDep command so you can reproduce and update your jail)

The script startRoot.sh is not meant to be edited. Make your changes in the script rootCustomConfig.sh.

As is, jailTools creates a jail with only basic apps and a shell (provided by busybox).

Jail commands

A newly created jail includes 2 ways to start the chroot :

  • sudo jt start

    This starts the jail and provides you with an interactive shell inside it.
Tip
You usually want to make this start your programs automatically. This is mostly for applications like firefox, games or anything that you use directly.
  • sudo jt daemon

    This starts the jail in daemon mode. When started, the jail is
    placed in the background and you are put back into the calling shell.
    It will stay running even after you close your terminal.
    The only way to gain access is through the shell command or,
    if available, network shell providers like ssh or telnet.
Tip
You usually want to make this start your services automatically. This is mostly for starting servers and any application that runs in the background.
Tip
It’s also a good idea to start your jail with sudo jt daemon as is and then, as an unprivileged user, start your program with jt shell <command>; starting the daemon with sudo makes it possible to set up the firewall and set the networking parameters. All that is left is to start the programs that require that access as your normal user (using jt shell <command>).

How to install applications in a jail

To add more applications to the jail, use the jt cp command.

Here we show how to copy the application strace to the jail :

jt cp /usr/bin /usr/bin/strace    # this is done inside the jail directory itself

Here’s what the arguments mean :

  • /usr/bin

    The first path is actually the destination path *inside* the jail that you want
    to copy your binary to. We could have put /bin if we wanted or any path you
    want (as long as you take care of setting the PATH correctly in the jail).
  • /usr/bin/strace

    This is the path on your base system for the strace application, which, in our
    case, is in our /usr/bin directory.

cp will check all shared object dependencies that strace requires to run and copy them along with the binary itself. This way, you will be able to run the application without doing any more work than that.
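The kind of dependency copy described above, as an added sketch that is not jailTools' own implementation: it assumes the host's ldd is used to resolve shared objects, and the names parse_ldd, copy_with_deps and the LDD override are hypothetical.

```shell
#!/bin/sh
# Added example, not jailTools' code: resolve a binary's shared objects from
# `ldd` output and copy the binary plus its libraries under a jail root.
LDD=${LDD:-ldd}   # assumption: overridable so the logic can run without a real binary

# Read ldd output on stdin; print each resolved absolute library path once.
# Skips virtual entries (linux-vdso) and unresolved ("not found") lines.
parse_ldd() {
    awk '/=> not found/ { next }
         $2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }' | LC_ALL=C sort -u
}

# copy_with_deps JAIL_ROOT DEST_DIR BINARY
# DEST_DIR is the path *inside* the jail, in the same spirit as `jt cp`.
copy_with_deps() {
    jail=$1; dest=$2; bin=$3
    out=$($LDD "$bin" 2>/dev/null) || out=""   # static binaries yield no libraries
    # Fail closed: an unresolved library means the program cannot start in the jail.
    if printf '%s\n' "$out" | grep -q '=> not found'; then
        echo "unresolved shared object for $bin" >&2
        return 1
    fi
    mkdir -p "$jail$dest" && cp "$bin" "$jail$dest/" || return 1
    printf '%s\n' "$out" | parse_ldd | while IFS= read -r lib; do
        # Keep each library at the absolute path the dynamic loader expects.
        mkdir -p "$jail$(dirname "$lib")" && cp -L "$lib" "$jail$lib" || exit 1
    done
}

# Constructed sample of ldd output (illustrative, not captured from a real system).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0a1f2000)
    libunwind.so.8 => /usr/lib/libunwind.so.8 (0x00007f1c2a400000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f1c2a200000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1c2a650000)'
printf '%s\n' "$SAMPLE_LDD" | parse_ldd
```

ldd can run the target's ELF interpreter, so use it only on binaries you trust. Library paths containing whitespace are not handled by this sketch.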

Important
Certain applications also require specific devices (in /dev) and/or directories to be present; the cp command cannot provide those. You will need to figure these out either from the manuals of these programs or by using the strace program (we purposely showed how to copy it to a jail for this reason).
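One way to read an strace log for this purpose, as an added example that is not part of jailTools: it lists the paths a jailed program looked for and did not find. The function name missing_paths and the sample trace are constructed for illustration; a log of this shape can be produced inside the jail with strace -f -o trace.log <program>.

```shell
#!/bin/sh
# Added example (not part of jailTools): summarise what a jailed program
# looked for and did not find, from an strace log read on stdin.

# Prints "<kind><TAB><path>" once per absolute path whose syscall failed with
# ENOENT. kind is "device" for anything under /dev, "dir" (the parent
# directory) when a file creation failed, otherwise "file".
missing_paths() {
    awk '/= -1 ENOENT/ && match($0, /"\/[^"]*"/) {
             p = substr($0, RSTART + 1, RLENGTH - 2)
             kind = (p ~ /^\/dev\//) ? "device" : "file"
             if ($0 ~ /O_CREAT/) {          # create failed: the parent is missing
                 sub(/\/[^\/]*$/, "", p)
                 if (p == "") p = "/"
                 kind = "dir"
             }
             printf "%s\t%s\n", kind, p
         }' | LC_ALL=C sort -u
}

# Constructed strace excerpt (illustrative, not captured output).
SAMPLE_TRACE='openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/urandom", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid   412] stat("/etc/resolv.conf", 0x7ffc3a10) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/urandom", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/run/app.pid", O_WRONLY|O_CREAT, 0644) = -1 ENOENT (No such file or directory)
read(3, "\177ELF", 4) = 4'
printf '%s\n' "$SAMPLE_TRACE" | missing_paths
```

The result is a list of candidates: lookups such as library search-path probes fail harmlessly on a normal system too, so add only what the program actually needs.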

How to Customize the jail

There are 4 vectors of customization for jails, each in its own section in rootCustomConfig.sh.

They are :

  1. The configuration variables/flags

    These are used to toggle features provided in the jail and set various values
    for configuring, for example, the network IP of the jail and whether the jail should get internet access.
  2. The mount points

    These are used specifically to mount external directories inside the jail itself,
    making the files/directories accessible to the jailed applications. There are 4 kinds
    of mount points, each with its own section.
  3. The functions

    These are used to customize firewall rules.

About

A GNU/Linux specific toolkit for making and managing OS level virtualization containers. Implemented with shell scripting and uses busybox.
