V1.0 (c) 2015, UCL, Dr. Andrew C.R. Martin
chrootperl is a small wrapper to perl to allow it to be run in a
chroot'ed sandbox.
Edit the chrootperl.cfg file.
You must specify the directory you wish to use for your sandbox
($SANDBOX)
Note: Placing the sandbox in /tmp or /var/tmp may well not
work owing to SELinux and advanced permissions.
The config file also allows you to specify:
- any additional executables that you need to be able to run - they
will all be placed in
$SANDBOX/bin.bashandperlwill be automatically available ($EXES) - any additional directories that you will need to run your Perl scripts.
/bin,/liband/lib64will be automatically available as well as/runwhich is used to store the Perl script ($DIRS) - the destination where the
chrootperlexecutable will live. If not specified, this is/usr/local/bin, but you must ensure that if this is and NFS export that it is exported withNO_ROOT_SQUASHon the machines on which you wish to use the program. ($DEST)
Now run the makesandbox.pl script:
./makesandbox.pl
This creates the required directories, copies in the system executables and any libraries that they use. * See also the Additional Install notes below *
Now source the config file and compile the chrootperl program:
source ./chrootperl.cfg
make
Note that you must have sudo permissions to do chmod and chown and
will be prompted for your password.
You can then install the program in $DEST by typing
make install
Run the program in the same way that you would run perl on the command line:
./chrootperl script.pl arguments
Remember that the perl script can only see within your sandbox, so any files you need must be copied into the sandbox first.
NOTE: The script will remain in the $SANDBOX/run directory. You
will need to delete it manually.
-
Check that the chrootperl program is owned by root
chown root:root chrootperl -
Check that the chrootperl program has the setuid bit set
chmod u+s chrootperl -
Check that the filesystem where the chrootperl executable lives either a) is locally mounted or b) is exported over NFS with the
no_root_squashoption set (see/etc/exportson the NFS server).
To test the installation, run the shell scripts in the test sub-directory:
cd test
./runtest1.sh
This runs the perl script test1.pl in the sandbox. This script
prints some text and prints the results of ls /bin. Depending on
what executables you have installed, results will be something like:
Hello World
bash
cat
ls
perl
cd test
./runtest2.sh
This copies the file test2.dat into $SANDBOX/tmp and then runs the perl script test2.pl in the sandbox, passing it /tmp/test2.dat as a parameter. The script simply prints the contents of the file specified on the command line so the results should be the same as the contents of test2.dat:
one
two
three
four
five
A simple demonstration is provided in the examples/html
directory. This installs a simple HTML page containing two forms in
~/public_html/chrootperl/ together with a normal Perl CGI script
that reads the form and then runs chrootperl on that script passing
it a text file as a parameter.
For this to work, your Apache configuration must either be set up to
allow CGI scripts to be executed in your public_html directory with
a .cgi extension being recognized as a CGI scipt, or must have
AllowOverride All set to allow a .htaccess file to enable these
settings.
After installing chrootperl, install the demo by doing:
cd examples/html ./install.sh
If you wish to change the location of the sandbox without editing the
chrootperl.cfg file, you can instead create the sandbox using:
source ./chrootperl.cfg
export SANDBOX=/path/to/my/sandbox
./makesandbox.pl -sandbox=$SANDBOX
make clean; make; make install
When installing the HTML form demo, you may also override the location
of the sandbox that is specified in the chrootperl.cfg file by
specifying it on the command line. e.g.
cd example/html
./install.sh $SANDBOX