3

I have never set up a chroot-jailed environment before and I am afraid I need some help to do it well.

To explain briefly what this is all about: I have a webserver to which users send Python scripts to process various files that are stored on the server (the system is for research purposes). Every day a cron job starts the execution of the uploaded scripts via a command of this kind:

/usr/bin/python script_file.py

All of this is really insecure and I would like to create a jail in which I would copy the necessary files (uploaded scripts, files to process, python binary and dependencies).

I already looked at various utilities to create jails, but none of them seemed up to date, or they were lacking solid documentation (i.e. the links proposed in How can I run an untrusted python script).

Could anyone guide me to a viable solution to my problem? Like a working example of a script that creates a jail, puts some files in it and executes a Python script?

Thank you very much.

attwad

2 Answers

0

You need debootstrapchroot; check the instructions on setting up your chroot: https://wiki.kubuntu.org/DebootstrapChroot

jneves
0

You would need quite a lot of libraries in your chroot, and this would not prevent someone from installing a socket server. As you need to allow Python scripts to run, that means full access to standard Python modules, like socket, etc. I don't really see what you will be able to protect with that chroot.

If a user can create a socket server, he'll be able to connect in that chroot, and access/modify anything.

Even a simple script like os.system('rm -rf /') can't be prevented and would render your jail unusable.

A possible solution would be to use a module like TOMOYO, which can be configured to prevent access based on primitives from the kernel (open, write, etc.).

Gareth
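
A launcher the cron job could call in place of the bare /usr/bin/python script_file.py, added here as an example (not code from the question or from either answer): it checks that the script really lies inside the jail, then chroots, drops root and applies resource limits before exec. Assumptions: Python 3 on the host, a jail that is already populated (for example with debootstrap) and contains /usr/bin/python, a dedicated unprivileged uid/gid, and the hypothetical names path_inside_jail, make_preexec and run_jailed.

```python
import os
import resource
import subprocess

def path_inside_jail(jail, script):
    """Return the script's path as seen inside the chroot; reject escapes."""
    jail_real = os.path.realpath(jail)
    script_real = os.path.realpath(script)   # follows symlinks in uploads
    if os.path.commonpath([jail_real, script_real]) != jail_real:
        raise ValueError("%s resolves outside the jail %s" % (script, jail))
    return "/" + os.path.relpath(script_real, jail_real)

def make_preexec(jail, uid, gid, cpu_seconds, mem_bytes):
    """Build the function run in the child between fork() and exec()."""
    if uid == 0 or gid == 0:
        raise ValueError("refusing to run the script as root")
    def preexec():
        os.chroot(jail)    # needs root, so it must precede the privilege drop
        os.chdir("/")      # do not keep a working directory outside the jail
        os.setgroups([])   # drop supplementary groups inherited from cron
        os.setgid(gid)
        os.setuid(uid)     # last: root is needed for the calls above
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        resource.setrlimit(resource.RLIMIT_NPROC, (32, 32))  # assumed cap
    return preexec

def run_jailed(jail, script, uid, gid, cpu_seconds=60, mem_bytes=512 * 2**20):
    """Run one uploaded script inside the jail and return its exit status."""
    inner = path_inside_jail(jail, script)
    proc = subprocess.run(
        ["/usr/bin/python", inner],      # looked up inside the jail
        preexec_fn=make_preexec(jail, uid, gid, cpu_seconds, mem_bytes),
        env={"PATH": "/usr/bin:/bin"},   # do not leak cron's environment
        stdin=subprocess.DEVNULL,
        close_fds=True,
        timeout=cpu_seconds * 2,         # wall-clock cap for sleeping scripts
    )
    return proc.returncode
```

The launcher itself has to be started as root for chroot and setuid to work. Network access, which the second answer points out a chroot does not limit, still has to be restricted separately, for example with a MAC policy such as TOMOYO.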