I would like to use nsjail to run a python script with limited permissions, e.g. this script:
open("../a.txt", "w+")
I don't want the script to be able to create a file in the parent directory, so I only want to limit its scope of access to the current working directory and/or /tmp. This was my approach:
# ./nsjail -Mo --user 0 --group 99999 -R /bin/ -R /lib -R /lib64/ -R /usr/ -R /sbin/ -T /dev -R /tmp -R . --keep_caps -- python test.py
[I][2021-07-19T20:13:00+0100] Mode: STANDALONE_ONCE
[I][2021-07-19T20:13:00+0100] Jail parameters: hostname:'NSJAIL', chroot:'', process:'python', bind:[::]:0, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, keep_caps:true, disable_no_new_privs:false, max_cpus:0
[I][2021-07-19T20:13:00+0100] Mount: '/' flags:MS_RDONLY type:'tmpfs' options:'' dir:true
[I][2021-07-19T20:13:00+0100] Mount: '/bin/' -> '/bin/' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-07-19T20:13:00+0100] Mount: '/lib' -> '/lib' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-07-19T20:13:00+0100] Mount: '/lib64/' -> '/lib64/' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:false
[I][2021-07-19T20:13:00+0100] Mount: '/usr/' -> '/usr/' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-07-19T20:13:00+0100] Mount: '/sbin/' -> '/sbin/' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-07-19T20:13:00+0100] Mount: '/dev' flags: type:'tmpfs' options:'size=4194304' dir:true
[I][2021-07-19T20:13:00+0100] Mount: '/tmp' -> '/tmp' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-07-19T20:13:00+0100] Mount: '.' -> '.' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-07-19T20:13:00+0100] Mount: '/proc' flags:MS_RDONLY type:'proc' options:'' dir:true
[I][2021-07-19T20:13:00+0100] Uid map: inside_uid:0 outside_uid:0 count:1 newuidmap:false
[W][2021-07-19T20:13:00+0100][5543] void cmdline::logParams(nsjconf_t*)():252 Process will be UID/EUID=0 in the global user namespace, and will have user root-level access to files
[I][2021-07-19T20:13:00+0100] Gid map: inside_gid:99999 outside_gid:0 count:1 newgidmap:false
[W][2021-07-19T20:13:00+0100][5543] void cmdline::logParams(nsjconf_t*)():262 Process will be GID/EGID=0 in the global user namespace, and will have group root-level access to files
[E][2021-07-19T20:13:00+0100][5543] bool subproc::runChild(nsjconf_t*, int, int, int)():455 nsjail tried to use the CLONE_NEWCGROUP clone flag, which is supported under kernel versions >= 4.6 only. Try disabling this flag: Invalid argument
[E][2021-07-19T20:13:00+0100][5543] bool subproc::runChild(nsjconf_t*, int, int, int)():460 clone(flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) failed. You probably need root privileges if your system doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile your kernel with support for namespaces or check the current value of the kernel.unprivileged_userns_clone sysctl: Invalid argument
[E][2021-07-19T20:13:00+0100][5543] int nsjail::standaloneMode(nsjconf_t*)():146 Couldn't launch the child process
I am running as root. What am I doing wrong? Is this even the right way to do it? I built nsjail from source using make.
If you're running as root you can try using --disable_clone_newuser.
Or better yet, as the warning message suggests, compile in/enable unprivileged user namespaces and run as non-root.
[E][2021-07-19T20:13:00+0100][5543] bool subproc::runChild(nsjconf_t*, int, int, int)():455 nsjail tried to use the CLONE_NEWCGROUP clone flag, which is supported under kernel versions >= 4.6 only. Try disabling this flag: Invalid argument
Are you running on kernel <4.6? If so, try passing the --disable_clone_newcgroup flag.
Also, why --user 0? You probably shouldn't use the real root user within the jail.
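As an added example (not code from the issue author or the nsjail project), this POSIX sh snippet assembles an nsjail command line that applies both replies above: it drops CLONE_NEWUSER when already root, drops CLONE_NEWCGROUP on kernels older than 4.6, runs the script as a non-root uid, and makes only the working directory and a private /tmp writable. It assumes the nsjail flags -Mo, -R, -B (read-write bind), -T, -D (cwd inside the jail), --user/--group and the two --disable_clone_* flags as documented in nsjail's --help; the hypothetical work dir /work and the python path /usr/bin/python are assumptions.

```shell
#!/bin/sh
# Added example; not from the issue or the nsjail project.

# Extra flags for a kernel release string (as from `uname -r`) and an
# effective uid (as from `id -u`).
nsjail_compat_flags() {
    release="$1"
    euid="$2"
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}          # stop at the first non-digit
    flags=""
    # Root already has what a user namespace would grant (first reply).
    if [ "$euid" -eq 0 ]; then
        flags="--disable_clone_newuser"
    fi
    # CLONE_NEWCGROUP is only supported from kernel 4.6 (error in the issue).
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 6 ]; }; then
        flags="${flags:+$flags }--disable_clone_newcgroup"
    fi
    printf '%s\n' "$flags"
}

# Full invocation. The script's directory is bound read-write at /work (an
# assumed path) and becomes the cwd; everything else is a read-only bind on
# the read-only tmpfs root, so "../a.txt" resolves to /a.txt and the open()
# fails. /tmp is a fresh tmpfs, not the host's. No --keep_caps, no uid 0.
nsjail_cmd() {
    release="$1"; euid="$2"; workdir="$3"; script="$4"
    compat=$(nsjail_compat_flags "$release" "$euid")
    printf '%s\n' "nsjail -Mo --user 99999 --group 99999${compat:+ $compat}\
 -R /bin -R /lib -R /lib64 -R /usr -R /sbin -T /dev -T /tmp\
 -B $workdir:/work -D /work -- /usr/bin/python /work/$script"
}

# Usage on a real host: sh -c "$(nsjail_cmd "$(uname -r)" "$(id -u)" "$PWD" test.py)"
```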