Tuesday, February 16, 2016

Safely Identify Dependencies for Chrooting

The most difficult part of setting up a chroot environment can be identifying the dependencies for the programs you want to copy to the jail. For example, to make the cp command available you not only need to copy its binary from /bin and any shared libraries it depends on, but the dependencies can have their own dependencies that also need to be copied. The internet often suggests using ldd to list a binary’s dependencies, but that has its own problems. The man page for ldd warns not to use the script for untrusted programs because it works by setting a special environment variable and executing the program. What’s a security-conscious systems administrator to do?

The ldd man page recommends objdump as a safe alternative. objdump outputs information about an object file, including which shared libraries it links against. It doesn’t identify the dependencies’ own dependencies, but it’s still a good start because it never tries to execute the target file. We can solve the dependencies-of-dependencies problem later using recursion.

First, let’s look at the output of objdump to see what we have to work with.

$ objdump -p /bin/cp

/bin/cp:   file format elf64-x86-64

Program Header:
   PHDR off    0x00004000 vaddr 0x00400040 paddr 0x00400040 align 2**3
        filesz 0x000001f8 memsz 0x000001f8 flags r-x
 INTERP off    0x00000238 vaddr 0x00400238 paddr 0x00400238 align 2**0
        filesz 0x0000001c memsz 0x0000001c flags r-x

Dynamic Section:
 NEEDED    libselinux.so.1
 NEEDED    libacl.so.1
 NEEDED    libattr.so
 NEEDED    libc.so.6
 INIT      0x00402bb8

The libraries we’re interested in are listed under Dynamic Section preceded by NEEDED. We can fetch the list using awk to match those lines and return the second column.

$ objdump -p /bin/cp | awk '/NEEDED/ { print $2 }'

Next, we need to find the actual libraries within the filesystem because the paths are needed to find their dependencies with objdump. We can do this with find to search the root filesystem for each item and print its location.

$ shared=$(objdump -p /bin/cp | awk '/NEEDED/ { print $2 }')
$ for s in $shared; do
>   find / -name "$s" -executable -print -quit
> done

The hard part is behind us—finding a program’s dependencies. The next step is to create a recursive function to identify the dependencies of each dependency.

$ deplibs()(
>  shared=$(objdump -p "$1" | awk '/NEEDED/ { print $2 }')
>  for s in $shared; do
>    dep=$(find / -name "$s" -executable -print -quit)
>    echo "$dep"
>    deplibs "$dep"
>  done
> )
$ deplibs /usr/bin/cp

Invoking the function now gives us a full list... well, almost too full of a list. Notice there are some libraries listed multiple times; because they’re a dependency of multiple items, they’re identified repeatedly by the recursive calls to deplibs. It’s trivial to eliminate the duplicates with sort.

$ deplibs /usr/bin/cp | sort -u

Now you have a safe alternative to ldd.
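A hardened variant of deplibs, added here as an example and not code from the original post or its gist. It keeps the objdump/awk extraction but searches only the system library directories instead of the whole filesystem, so a same-named file in a user-writable location is never picked up as a "dependency"; it remembers libraries already seen so each is printed once (no trailing sort -u) and a dependency cycle cannot recurse forever; and it reports a library it cannot find instead of silently skipping it. OBJDUMP and LIB_DIRS are assumed settings introduced for this example.

```shell
# Hardened deplibs: recursive, objdump-based resolver that never executes the target.
# Assumed settings (not from the original post): OBJDUMP names the tool to run and
# LIB_DIRS lists the only directories searched for libraries.
: "${OBJDUMP:=objdump}"
: "${LIB_DIRS:=/lib /lib64 /usr/lib /usr/lib64 /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu}"

# needed_libs FILE: print the NEEDED entries from FILE's dynamic section, one per line
needed_libs() {
    "$OBJDUMP" -p "$1" 2>/dev/null | awk '/NEEDED/ { print $2 }'
}

# find_lib NAME: print the first file or symlink called NAME under LIB_DIRS, else fail.
# Matching by type rather than -executable also works on distributions (Debian and
# derivatives) that install shared libraries without the execute bit.
find_lib() {
    for d in $LIB_DIRS; do
        [ -d "$d" ] || continue
        f=$(find "$d" -name "$1" \( -type f -o -type l \) -print -quit 2>/dev/null)
        if [ -n "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# deplibs FILE: print every shared library FILE needs, transitively, each exactly once.
# The seen-list replaces sort -u and stops a dependency cycle from recursing forever;
# a library that cannot be found is reported on stderr so the jail is not silently incomplete.
deplibs() {
    _seen=""
    _deplibs_walk "$1"
}

_deplibs_walk() {
    for s in $(needed_libs "$1"); do
        case " $_seen " in *" $s "*) continue ;; esac
        _seen="$_seen $s"
        if dep=$(find_lib "$s"); then
            printf '%s\n' "$dep"
            _deplibs_walk "$dep"
        else
            printf 'deplibs: %s (needed by %s) not found in LIB_DIRS\n' "$s" "$1" >&2
        fi
    done
}
```

Run it as `deplibs /bin/cp`; libraries that resolve to symlinks (libc.so.6 usually does) need both the link and its target copied into the jail.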

To see how you might take this a step further and use deplibs in a shell script, check out my gist on GitHub of a script to find and copy commands and their dependencies to a chroot filesystem.