
setuid-sandbox's Issues

cap_set_proc: Operation not permitted


What steps will reproduce the problem?

1. modify sandboxme.c so that SANDBOXUSER = current user
2. compile setuid-sandbox on an openvz vm
3. sudo chown root:root sandboxme
4. sudo chmod 4511 sandboxme
5. start sandboxme

What is the expected output? What do you see instead?

I expected the sandbox to start.

I see the output

cap_set_proc: Operation not permitted
Could not adjust capabilities, aborting


What version of the product are you using? On what operating system?

HEAD on centos7

Please provide any additional information below.

I suspect that the reason for the failure is that I am inside an openvz container, 
but it seemed to me, after reading 
https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment that 
compiling a specific sandbox for development could work.

Is the sandbox for development yet another thing, different from the 
setuid-sandbox project?

Is there a way to make the setuid-sandbox work inside an openvz container?

Original issue reported on code.google.com by [email protected] on 9 Sep 2014 at 4:29

Changing group ids requires CAP_SETGID

What steps will reproduce the problem?
$ ./sandboxme -c -p -u 2 -- ls

What is the expected output? What do you see instead?

Expected output:
$ ./sandboxme -c -p -u 2 -- ls
Hi from the sandbox! I'm pid=26468, uid=1002, gid=1017, dumpable=N
Executing ls
ls: cannot open directory .: Permission denied

Current output:
Could not properly drop privileges

What version of the product are you using? On what operating system?
revision 2 on linux-2.6.36-rc7

Please provide any additional information below.
Patch attached.

Original issue reported on code.google.com by [email protected] on 12 Oct 2010 at 2:21


build instructions

Hi,

I wanted to build the project on CentOS, but I ran into a few errors. It turns 
out that I didn't have libcap-devel installed. Easy fix, but I thought it might 
be nice if you made some simple instructions for building.

thanks,
fawce

Original issue reported on code.google.com by [email protected] on 28 Dec 2011 at 3:08

Limit of file opening/writing is not working?

I wrote a simple program to test the sandbox on Linux (Ubuntu). It creates a 
file and writes something into it:
    int fd = open("xxx", O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
    write(fd, "something", strlen("something"));

To my understanding, if we run this program through the SUID sandbox, the file 
shouldn't be able to be created.

However, according to the test result, the file is still written to disk. The 
steps are detailed as follows:
# build chrome_sandbox
# sudo cp out/Debug/chrome_sandbox sbx
# sudo chown root:root sbx
# sudo chmod 4755 sbx
# sbx filewrite  // this creates a file on disk!

After looking into sandbox/linux/suid/sandbox.c, I found that in 
SpawnChrootHelper(), setrlimit is called to limit file opening. But this is 
only for the child process, which then exits. In the parent process, file 
opening is not limited.

To verify, I added the same setrlimit code to the parent process and tried the 
steps above again; no file can be written to disk in this case.


So the question is: is this a bug, or is the way I'm testing the sandbox just 
wrong?





Original issue reported on code.google.com by [email protected] on 12 Aug 2011 at 8:44
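
The per-process scope of setrlimit that the report above turns on, shown as an added example (not code from the reporter or from sandbox.c): a limit applied after fork() binds that child and its descendants, while the parent that never called setrlimit can still open files. The helper names are hypothetical, and /dev/null stands in for the file being opened.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if a new descriptor can be opened, otherwise the errno from open(). */
static int try_open(void) {
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Lower RLIMIT_NOFILE to 0 for the calling process only (hypothetical helper). */
static int deny_new_fds(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Fork a child that applies the limit; with extra_fork it forks once more first.
 * Returns the errno open() produced in the innermost process, or -1 on error. */
int open_errno_in_limited(int extra_fork) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (deny_new_fds() != 0) _exit(255);
        pid_t gc = extra_fork ? fork() : 0;   /* grandchild inherits the limit */
        if (gc < 0) _exit(255);
        if (gc > 0) {                         /* middle process relays the result */
            int st = 0;
            waitpid(gc, &st, 0);
            _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 255);
        }
        _exit(try_open());                    /* errno values fit in an exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* The parent never called setrlimit, so its own open() is unaffected. */
int open_errno_in_parent(void) { return try_open(); }

int main(void) {
    printf("child: %d, grandchild: %d, parent: %d (EMFILE=%d)\n",
           open_errno_in_limited(0), open_errno_in_limited(1),
           open_errno_in_parent(), EMFILE);
    return 0;
}
```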

Q: Is setuid-sandbox useful for isolating execution of user submitted code?

Sorry, I'm very naive about linux security and os level programming. However, 
I'm looking forward to building some sort of sandbox for a pet project. 

In this project, users submit code in a number of languages, which the webapp 
either compiles+executes or calls an interpreter on.

In what ways can setuid-sandbox help here? Would I be able to restrict the 
executables from -

1. accessing files on the server
2. doing network io
3. calling other programs
4. spawning new threads
5. accessing restricted areas of memory
6. causing possible harm through buffer overflows

Thanks a lot,
Abhishek

Original issue reported on code.google.com by [email protected] on 12 Aug 2011 at 12:03

sandboxme command option -u3 not implemented

sandboxme help includes the following option:
-u3:        Get a unique uid/gid and switch to it

This is a great feature, and would be really useful. I did a quick experiment 
and modified the code to use a non-existent UID and GID on my system. This 
worked successfully, so I was considering modifying the code to look for a 
random uid/gid and assign that to the sandbox. 

It seems pretty inactive here, so I was also thinking of forking the project 
over to github for the sake of convenience. Anyone object to that?

Original issue reported on code.google.com by [email protected] on 3 Jan 2012 at 4:37
