List: klik-devel
Subject: [klik-devel] fuseiso patched to support chroot jail
From: lionel.tricon () free ! fr
Date: 2006-12-23 19:39:14
Message-ID: 20061223203914.n2o1sptum0wsgg8o () imp4 ! free ! fr
Hi,
I just put on http://lionel.tricon.free.fr/KLIK a workable (but not
perfect) version of klik based on a patched fuseiso source code which
is able to merge data inside the iso image with the real root fs.
I use actually chroot to put the final mixed fs into a jail before
running the application.
As fuse doesn't support (i.e. they are considered insecure) the suid and
dev options, we need to bind the real /dev, /tmp and /proc directories into
the fs before chrooting into it (type man mount). After the bind call, the
same contents are accessible in two places (for information, it's
usually used to access special devices inside a chroot jail).
To avoid security problems, I wrote a small utility called bindmount
to issue the mount bind command inside the target /tmp/app/ directory
(the binary avoids us having to change the permissions of the mount unix command).
For the moment, I use the chroot tool, but if necessary we can write a
specific one similar to bindmount to avoid the need to change its
permissions to 4755 (mandatory for the moment).
You need to have fuse version 2.6.1 installed and you need to create an
/etc/fuse.conf file with user_allow_other inside.
You need to change the permissions of fusermount to 4755 and install
the patched fuseiso inside /usr/bin (755).
You will find a workable cmg file (bluefish extracted from suse 10.1)
and a specific .zAppRun script on my homepage/KLIK if you want to
test it. You will find wrapper and wrapper.chroot scripts to put
inside the .cmg image as well.
I'm really interested to have some feedback about this (new?) approach.
For the moment, the application runs almost correctly except that you
cannot write into an existing file (a fuse/SETATTR problem):
$ cd ~/Desktop
$ echo toto > test.txt
$ echo toto > test.txt
$ echo toto > test.txt
$ echo toto > test.txt
$ bash: test.txt: Function not implemented
"unique: 12793, opcode: SETATTR (4), nodeid: 725, insize: 128
unique: 12793, error: -38 (Fonction non implantée), outsize: 16"
Another annoying problem: if you launch kdissert (or some other
kde applications), it seems impossible up to now to read or write a
file from the file popup: "Le processus traitant le protocole file
s'est arrété de façon inattendu" is the error message. Maybe it's the
same problem. I don't know.
But it seems very promising if we can fix these problems (to be
honest, I don't know for the moment if that could replace Plash).
Don't hesitate to contact me, especially if you are an expert in fuse
filesystems. I consider myself a newbie about fuse programming.
Lionel
---------
More details:
$ dmesg | grep fuse
fuse init (API version 7.8)
fuse distribution version: 2.6.1
$ cat /etc/fuse.conf
user_allow_other
Right permissions:
/usr/bin/chroot -> 4755 -> create a specific binary like bindmount to
call chroot() and avoid security issues ??
/usr/bin/fuseiso -> 755
/usr/bin/fusermount -> 4755
/usr/bin/bindmount -> 4755
Inside .zAppRun :
mkdir -p /tmp/app/1/mnt
ln -s /home/lionel/Desktop/bluefish.cmg /tmp/app/1/image
/usr/bin/fuseiso -n /tmp/app/1/image /tmp/app/1/mnt/ -o allow_root
fuser -k /tmp/app/1/mnt
/usr/bin/fusermount -u /tmp/app/1/mnt/
Inside /tmp/app/1/mnt/wrapper :
/usr/bin/bindmount -m -s /tmp -d /tmp/app/1/mnt
/usr/bin/bindmount -m -s /dev -d /tmp/app/1/mnt
/usr/bin/bindmount -m -s /proc -d /tmp/app/1/mnt
/usr/bin/chroot /tmp/app/1/mnt /wrapper.chroot
/usr/bin/bindmount -u -s /tmp -d /tmp/app/1/mnt
/usr/bin/bindmount -u -s /dev -d /tmp/app/1/mnt
/usr/bin/bindmount -u -s /proc -d /tmp/app/1/mnt
wrapper.chroot is the script which runs the application.
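As an added example (not Lionel's bindmount source, which is not on this page), here is what a minimal setuid bindmount helper can look like when it accepts only a fixed allow-list of sources (/tmp, /dev, /proc) and a target below /tmp/app/, which is the reason for using a dedicated 4755 binary instead of opening up mount itself; the -m/-u/-s/-d flags mirror the wrapper above, and the argument validation and realpath check are assumptions of this example.

```c
/* Added example, not the author's bindmount: a setuid helper restricted to
 * bind-mounting a fixed allow-list of sources below /tmp/app/, so that a
 * 4755 binary cannot be misused as a general mount. Linux mount(2). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>

static const char *const ALLOWED_SRC[] = { "/tmp", "/dev", "/proc" };
#define TARGET_PREFIX "/tmp/app/"

/* Returns 1 if src is allow-listed and dst is a clean absolute path below
 * TARGET_PREFIX (no "..", no "//", no trailing slash), else 0. */
int bindmount_args_ok(const char *src, const char *dst)
{
    size_t i, n = strlen(dst), ok = 0;
    for (i = 0; i < sizeof ALLOWED_SRC / sizeof *ALLOWED_SRC; i++)
        if (strcmp(src, ALLOWED_SRC[i]) == 0) ok = 1;
    if (!ok || strncmp(dst, TARGET_PREFIX, strlen(TARGET_PREFIX)) != 0) return 0;
    if (strstr(dst, "/../") || strstr(dst, "//") || dst[n - 1] == '/') return 0;
    if (n >= 3 && strcmp(dst + n - 3, "/..") == 0) return 0;
    return 1;
}

/* Builds "<dst><src>", e.g. /tmp/app/1/mnt + /dev -> /tmp/app/1/mnt/dev.
 * Returns 0 on success, -1 if it does not fit in out. */
int bindmount_path(const char *src, const char *dst, char *out, size_t cap)
{
    return snprintf(out, cap, "%s%s", dst, src) < (int)cap ? 0 : -1;
}

/* Usage (assumed): bindmount -m|-u -s <src> -d <dst>, as in the wrapper. */
int main(int argc, char **argv)
{
    char path[4096], real[4096];
    if (argc != 6 || strcmp(argv[2], "-s") || strcmp(argv[4], "-d")) return 2;
    if (!bindmount_args_ok(argv[3], argv[5])) { fputs("refused\n", stderr); return 1; }
    if (bindmount_path(argv[3], argv[5], path, sizeof path) < 0) return 1;
    /* Resolve symlinks: /tmp is world-writable, so the target must still land
     * below /tmp/app/ after resolution (a check, not a full TOCTOU defence). */
    if (!realpath(path, real) || strncmp(real, TARGET_PREFIX, strlen(TARGET_PREFIX)))
        return 1;
    if (strcmp(argv[1], "-m") == 0)
        return mount(argv[3], real, NULL, MS_BIND, NULL) ? (perror("mount"), 1) : 0;
    if (strcmp(argv[1], "-u") == 0)
        return umount2(real, 0) ? (perror("umount"), 1) : 0;
    return 2;
}
```

The unmount side uses the same validation, so the helper can neither mount nor unmount anything outside /tmp/app/ even though it runs as root.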