Ok on Nemesis I created a bundle for chromium and can see there are setuid issues.
as guest
Code:
/usr/lib/chromium/chrome-sandbox --help
The setuid sandbox provides API version 1, but you need 0
Please read https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment.
as root
Code:
cd /tmp
git clone https://code.google.com/p/setuid-sandbox/
Cloning into 'setuid-sandbox'...
fatal: unable to access 'https://code.google.com/p/setuid-sandbox/': error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
env GIT_SSL_NO_VERIFY=true git clone https://code.google.com/p/setuid-sandbox/
Cloning into 'setuid-sandbox'...
Unpacking objects: 100% (89/89), done.
Checking connectivity... done.
Looks like I might be missing the Common Name cert for google.....will check for that later. In the meantime the no verify command is a success.
I seem to recall you had a different issue with git recently as well, so not sure if that has been resolved.
Code:
make
gcc -c -Wall sandboxme.c -o sandboxme.o
gcc -c -Wall privdrop.c -o privdrop.o
gcc -Wall sandboxme.o privdrop.o -o sandboxme -lcap
gcc -c -Wall example.c -o example.o
gcc -c -Wall libsandbox.c -o libsandbox.o
gcc -Wall example.o libsandbox.o -o example
Code:
cd /tmp
find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
cd setuid-sandbox/
file sandboxme
sandboxme: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=70ca9107403dcd6a80aae780547bb8efca81ab6c, stripped
chown root:root sandboxme && chmod 4511 sandboxme
ls -al sandboxme
-r-s--x--x 1 root root 13912 Nov 11 23:55 sandboxme
I will pack this into an XZM for you if you like, or you can follow my commands above if you don't trust me? Still new at XZM tho. In the meantime let's cheat
Code:
cp sandboxme /usr/local/bin
mkdir -p /mnt/sda3/nemesis/changes/usr/local/bin
cp sandboxme /mnt/sda3/nemesis/changes/usr/local/bin/
Change pathway to your changes dir ^^^^^^
Ok that should be enough for me to try out live things and have my file already saved to changes dir
as guest
Code:
/usr/local/bin/sandboxme -- /usr/lib/chromium/chrome-sandbox
Helper: write to 4 ($SBX_D) to chroot the sandboxed process
Could not find user suidsandbox
Hi from the sandbox! I'm pid=1, uid=1000, gid=100, dumpable=N
Executing /usr/lib/chromium/chrome-sandbox
Warning: we will become dumpable after execve()!
please make /usr/lib/chromium/chrome-sandbox non readable
Usage: /usr/lib/chromium/chrome-sandbox <renderer process> <args...>
as root
Code:
cd /usr/lib/chromium
chmod -r chrome-sandbox
ls -al chrome-sandbox
--ws--x--x 1 root root 18376 Nov 1 15:42 chrome-sandbox
let's cheat again for changes
Code:
mkdir -p /mnt/sda3/nemesis/changes/usr/lib/chromium
cp chrome-sandbox /mnt/sda3/nemesis/changes/usr/lib/chromium
Ok not yet a success but time to reboot into changes to see if I have understood how to use Nemesis/Porteus
OK used changes bootcode, let's see if root works
Code:
/usr/local/bin/sandboxme -- /usr/lib/chromium/chrome-sandbox
The sandbox is not designed to be run by root, aborting
useradd suidsandbox
I just added the new user, not sure if I need to change PID/GID etc to match later output
at this stage
Code:
cat /etc/group | grep suid
suidsandbox:x:1001:
hmm well let's just as guest run chromium.....error I had done things
locales are not yet resolved at this stage but let's fix my .config
as root
as guest
now runs as expected but now let's try the sandbox
Code:
/usr/local/bin/sandboxme -- /usr/lib/chromium/chrome-sandbox --use-gl
Helper: write to 4 ($SBX_D) to chroot the sandboxed process
Hi from the sandbox! I'm pid=1, uid=1000, gid=1001, dumpable=N
Executing /usr/lib/chromium/chrome-sandbox
The setuid sandbox provides API version 1, but you need 0
Please read https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment.
The setuid sandbox is not running as root. Common causes:
* An unprivileged process using ptrace on it, like a debugger.
* A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
HMMM need to research this......research starts
here is a good page and the original readme
https://chromium.googlesource.com/chrom ... sandbox.md
https://code.google.com/p/setuid-sandbo ... wse/README
In a code box in this post you can find
Could not find user suidsandbox
so as root I ran a command
and could not make a difference.
Now in the research link for the readme it mentions
- by design, can allow a process to become impossible to kill by a user (if the administrator created SANDBOXUSER)
so will now try that
Code:
useradd SANDBOXUSER
useradd: invalid user name 'SANDBOXUSER'
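
The permission state the post works toward (root-owned, setuid, no read bits for group or other, as in the `-r-s--x--x` and `--ws--x--x` listings) can be checked with a small audit script. This is an added example, not part of the original post or of the setuid-sandbox project; the function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the post or the setuid-sandbox project).
# Audits owner and mode of a setuid sandbox helper such as sandboxme
# or chrome-sandbox. Function names are hypothetical.

# classify_helper MODE OWNER
#   MODE  octal permission string as printed by `stat -c %a` (e.g. 4511)
#   OWNER owner name as printed by `stat -c %U`
# Prints "ok" or a space-separated list of findings.
classify_helper() {
    m=$((0$1))      # leading 0 makes the shell read the mode as octal
    owner=$2
    out=""
    # A setuid helper only gains root if root owns it and the bit is set.
    [ "$owner" = root ]       || out="$out not-root-owned"
    [ $((m & 04000)) -ne 0 ]  || out="$out no-setuid-bit"
    # The sandboxme output in the post asks for the target to be non-readable.
    [ $((m & 00044)) -eq 0 ]  || out="$out readable-by-group-or-other"
    # Anyone who can write the file can replace code that runs as root.
    [ $((m & 00022)) -eq 0 ]  || out="$out writable-by-group-or-other"
    # Unprivileged users still need execute permission to launch it.
    [ $((m & 00001)) -ne 0 ]  || out="$out not-executable-by-other"
    [ -n "$out" ] || out=" ok"
    echo "${out# }"
}

# audit_helper PATH: stat the file (GNU coreutils stat assumed) and classify it.
audit_helper() {
    info=$(stat -c '%a %U' -- "$1") || return 2
    set -- $info
    classify_helper "$1" "$2"
}

# Audit every path given on the command line, e.g.
#   sh audit.sh /usr/local/bin/sandboxme /usr/lib/chromium/chrome-sandbox
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(audit_helper "$f")"
done
```

Modes 4511 and 4311 correspond to the two `ls -al` listings in the post; any other mode fed to `classify_helper` is a constructed comparison value.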