Re: [Jailkit-users] ERROR: [directory] is not owned by root:root

[Olivier Sessink]

Gregory Piñero wrote:
> Hi all,
>
> Here's the issue I'm having.  Hopefully you can help.
>
> I downloaded the latest version of jailkit from the website and
> installed it here, following the instructions:
> /home/chiefinnovator/utilitymill_alpha/secure_run_research/jailkit-2.4
>
> My end goal is to create a jailed instance of the Python interpreter.
>
> So next I created the jail folder:
> /home/chiefinnovator/utilitymill_alpha/secure_run_research/jail_for_python
>
> And next I tried to copy Python into it:
> address@hidden:~/utilitymill_alpha/secure_run_research$
> sudo jk_cp jail_for_python/ /usr/bin/python
> ERROR: 
> /home/chiefinnovator/utilitymill_alpha/secure_run_research/jail_for_python
> is not owned by root:root!
>
> So I changed that directorie's owner and group to root and ran it again:
> address@hidden:~/utilitymill_alpha/secure_run_research$
> sudo jk_cp jail_for_python/jail/ /usr/bin/python
> ERROR: /home/chiefinnovator/utilitymill_alpha/secure_run_research is
> not owned by root:root!
>
> So I changed the owner of secure_run_research to root and ran it again:
> address@hidden:~/utilitymill_alpha/secure_run_research$
> sudo jk_cp jail_for_python/ /usr/bin/python
> ERROR: /home/chiefinnovator/utilitymill_alpha is not owned by root:root!
>
> So as you can see, it just keeps working it's way up the directory
> tree, wanting everything to be owned by root.
>
> What is going on?

a chroot jail directory that can be modified by a user is a security 
risk. (anybody who can change libc can gain local root privileges)

If one of the parent directories of the jail is owned by another user, 
the user cannot modify the jail, but the user can rename the parent, and 
then create a new directory with the name of the jail, and then modify 
it. So also in that case, there is a security risk.

That's why jailkit checks for this situation.

regards,
        Olivier