Skip to main content

Safely Identify Dependencies for Chrooting

The most difficult part of setting up a chroot environment is identifying dependencies for the programs you want to copy to the jail. For example, to make cp available, not only do you need to copy its binary from /bin and any shared libraries it depends on, but the dependencies can have their own dependencies too that need to be copied.

The internet suggests using ldd to list a binary’s dependencies, but that has its own problems. The man page for ldd warns not to use the script for untrusted programs because it works by setting a special environment variable and then executes the program. What’s a security-conscious systems administrator to do?

The ldd man page recommends objdump as a safe alternative. objdump outputs information about an object file, including what shared libraries it links against. It doesn’t identify the dependencies’ dependencies, but it’s still a good start because it doesn’t try to execute the target file. We can overcome the dependencies of dependencies problem later using recursion.

First, let’s look at the output of objdump to see what we have to work with.

$ objdump -p /bin/cp

/bin/cp:   file format elf64-x86-64

Program Header:
   PHDR off    0x00004000 vaddr 0x00400040 paddr 0x00400040 align 2**3
        fliesz 0x000001f8 memsz 0x000001f8 flags r-x
 INTERP off    0x00000238 vaddr 0x00400238 paddr 0x00400238 align 2**0
        fliesz 0x0000001c memsz 0x0000001c flags r-x
...
Dynamic Section:
 NEEDED    libselinux.so.1
 NEEDED    libacl.so.1
 NEEDED    libattr.so
 NEEDED    libc.so.6
 INIT      0x00402bb8
...

The libraries we’re interested in are listed under Dynamic Section and preceded by NEEDED. We can fetch the list using awk to match those lines and return the second column.

$ objdump -p /bin/cp | awk '/NEEDED/ { print $2 }'
libselinux.so.1
libacl.so.1
libattr.so.1
libc.so.6

Next, we need to find the actual libraries within the filesystem because the paths are needed to find their dependencies with objdump. We can do this with find to search the root filesystem for each item and print its location.

$ shared=$(objdump -p /bin/cp | awk '/NEEDED/ { print $2 }')
$ for s in $shared; do
>   find / -name "$s" -executable -print -quit
> done
/usr/lib/64/libselinux.so.1
/usr/lib/64/libacl.so.1
/usr/lib/64/libattr.so.1
/usr/lib/64/libc.so.6

The hard part is behind us—finding the program’s dependencies. The next step is to create a recursive function to identify the dependencies of each dependency.

$ deplibs()(
>  shared=$(objdump -p "$1" | awk '/NEEDED/ { print $2 }')
>  for s in $shared; do
>    dep=$(find / -name "$s" -executable -print -quit)
>    echo "$dep"
>    deplibs "$dep"
>  done
>)
$ deplibs /usr/bin/cp
/usr/lib64/libselinux.so.1
/usr/lib64/libpcre.so.1
/usr/lib64/libpthread.so.0
/usr/lib64/libc.so.6
/usr/lib64/ld-linux-x86-64.so.2
/usr/lib64/ld-linux-x86-64.so.2
/usr/lib64/libc.so.6
...

Invoking the function now gives us a full list... well, almost too full of a list. Notice there are some libraries listed multiple times. They’re a dependency of multiple items and are identified repeatedly by the recursive calls. It’s trivial to eliminate the duplicates with sort.

$ deplibs /usr/bin/cp | sort -u
/usr/lib64/ld-linux-x86-64.so.2
/usr/lib64/libacl.so.1
/usr/lib64/libattr.so.1
/usr/lib64/libc.so.6
/usr/lib64/libdl.so.2
/usr/lib64/liblzma.so.5
/usr/lib64/libpcre.so.1
/usr/lib64/libpthread.so.0
/usr/lib64/libselinux.so.1

Now we have a safe alternative to lld.

To see how you might take this a step further and use deplibs in a shell script, check out my gist on GitHub of a script to find and copy commands and their dependencies to a chroot filesystem.

Comments

Popular posts from this blog

Geolocation Search

Services that allow users to identify nearby points of interest continue to grow in popularity. I'm sure we're all familiar with social websites that let you search for the profiles of people near a postal code, or mobile applications that use geolocation to identify Thai restaurants within walking distance. It's surprisingly simple to implement such functionality, and in this post I will discuss how to do so.

The first step is to obtain the latitude and longitude coordinates of any locations you want to make searchable. In the restaurant scenario, you'd want the latitude and longitude of each eatery. In the social website scenario, you'd want to obtain a list of postal codes with their centroid latitude and longitude.

In general, postal code-based geolocation is a bad idea; their boundaries rarely form simple polygons, the area they cover vary in size, and are subject to change based on the whims of the postal service. But many times we find ourselves stuck on a c…

Reading Unicode (UTF-8) in C

In working on scanner code for Kiwi I did a bit of reading up on Unicode. It's not really as difficult as one might think parsing UTF-8 character by character in C. In the end I opted to use ICU so I could take advantage of its character class functions instead of rolling my own, but the by-hand method I thought was still worth sharing. Functions like getc() read in a byte from an input stream. ASCII was the predominant encoding scheme and encoded characters in 7-8 bits, so reading a byte was effectively the same as reading a character. But you can only represent 255 characters using 8 bits, far too little to represent all the characters of the world's languages. The most common Unicode scheme is UTF-8, is a multi-byte encoding scheme capable of representing over 2 million characters using 4 bytes or less. The 128 characters of 7-bit ASCII encoding scheme are encoded the same, the most-significant bit is always 0. Other characters can be encoded as multiple bytes but the mo…

Composing Music with PHP

I’m not an expert on probability theory, artificial intelligence, and machine learning. And even my Music 201 class from years ago has been long forgotten. But if you’ll indulge me for the next 10 minutes, I think you’ll find that even just a little knowledge can yield impressive results if creatively woven together. I’d like to share with you how to teach PHP to compose music. Here’s an example: You’re looking at a melody generated by PHP. It’s not the most memorable, but it’s not unpleasant either. And surprisingly, the code to generate such sequences is rather brief. So what’s going on? The script calculates a probability map of melodic intervals and applies a Markov process to generate a new sequence. In friendlier terms, musical data is analyzed by a script to learn which intervals make up pleasing melodies. It then creates a new composition by selecting pitches based on the possibilities it’s observed. . Standing on ShouldersComposition doesn’t happen in a vacuum. Bach was f…