Daemonizing with chroot jails

Tags: programming unix

Diffenbach runs in two modes: debug mode, where it stays attached to the current session and terminal, and daemon mode, where it detaches and runs silently in the background. Now it does, at least.

Until a week ago it only ever ran in debug mode in a tmux session. That’s pretty lame. The daemonization with Python-LUST was “done” in that hand-wavy sense that some developers use. I had written the code, but I hadn’t tested it and worked out all of the kinks. Julython came to the rescue, and the Python-LUST integration started working five commits later.

Python-LUST defaults to dropping processes into a chroot jail. This restricts the running process to a tiny slice of the entire file system defined in the process’s configuration file, and it limits several attack vectors including path traversal and exploitation of local binaries.

File descriptors that are opened before the chroot call are carried into the chroot environment. Any files or commands that are needed at any time during the execution of the program must either be opened before the chroot call or be available within the limited chroot environment.

This includes log files, Python modules, output directories, and external commands called through the os.system interface. Anything that isn’t opened ahead of time or available within the chroot will raise an exception.
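To make the descriptor behaviour concrete, here is an added example (not code from Diffenbach or Python-LUST) that uses only the standard library. It assumes a Unix host; the jail directory, log file name and function name are constructed for the demonstration, and the function returns None when the process is not allowed to call chroot (normally anything other than root).

```python
import json
import os
import tempfile

def chroot_fd_demo():
    """Return what a chrooted child saw, or None if chroot is not permitted."""
    with tempfile.TemporaryDirectory() as base:
        jail = os.path.join(base, "jail")         # constructed, empty jail
        os.mkdir(jail)
        log_path = os.path.join(base, "app.log")  # lives outside the jail
        log = open(log_path, "a")                 # opened BEFORE chroot
        rfd, wfd = os.pipe()
        pid = os.fork()
        if pid == 0:                              # child: enters the jail
            status = 1
            try:
                try:
                    os.chroot(jail)
                except OSError:                   # no CAP_SYS_CHROOT (not root)
                    os._exit(77)
                os.chdir("/")                     # drop any cwd outside the jail
                log.write("written from inside the jail\n")
                log.flush()                       # inherited descriptor still works
                seen = {"preopened_fd_writable": True}
                try:
                    open(log_path, "a").close()   # same file, looked up by path
                    seen["reopen_by_path"] = "ok"
                except OSError as exc:
                    seen["reopen_by_path"] = type(exc).__name__
                # json was imported before chroot; a lazy import here would fail
                os.write(wfd, json.dumps(seen).encode())
                status = 0
            finally:
                os._exit(status)                  # never run the parent's cleanup
        os.close(wfd)
        with os.fdopen(rfd) as pipe:
            payload = pipe.read()
        _, wait_status = os.waitpid(pid, 0)
        log.close()
        if os.WEXITSTATUS(wait_status) == 77:
            return None
        seen = json.loads(payload)
        with open(log_path) as fh:
            seen["log_contents"] = fh.read()
        return seen

if __name__ == "__main__":
    print(chroot_fd_demo() or "chroot not permitted; run as root to see the result")
```

Run as root, the child reports that the pre-opened log is still writable while reopening the same path fails with FileNotFoundError, because the path no longer resolves inside the jail.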

I decided to forgo the chroot capabilities of the Python-LUST library for two reasons:

  1. Diffenbach makes explicit use of external binaries that require additional shared libraries. The footprint of the chroot environment gets big enough to negate many of the benefits of running within a chroot environment. I could compile a static binary of gphoto2 if I really wanted to run Diffenbach in a chroot environment.

  2. Diffenbach is the only custom daemon running on its server, and it doesn’t run arbitrary code or commands fed to it via remote interfaces. That significantly lowers the threat level.

I also learned a bit about how dropping privileges works, but I’ll save that for my next post. Subscribe if you’re interested in learning more.