@netblue30
Tested with version 0.9.50.1 from the 0.9.50-bugfixes branch.
When installing the resolvconf package under Debian 9/Stretch, the /etc/resolv.conf file is a symlink pointing to /etc/resolvconf/run/resolv.conf and /etc/resolvconf/run is a symlink pointing to the /run/resolvconf directory. In short, the real resolv.conf file is a dynamic (volatile) file whose real path is /run/resolvconf/resolv.conf:
```shell
root@stretch:~# ls -la /etc/resolv.conf
lrwxrwxrwx 1 root root 31 nov. 9 16:39 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
root@stretch:~# ls -la /etc/resolvconf/run
lrwxrwxrwx 1 root root 15 nov. 9 16:39 /etc/resolvconf/run -> /run/resolvconf
root@stretch:~# ls -la /run/resolvconf/resolv.conf
-rw-r--r-- 1 root root 172 nov. 9 16:45 /run/resolvconf/resolv.conf
root@stretch:~# realpath /etc/resolv.conf
/run/resolvconf/resolv.conf
root@stretch:~#
```
For our project, we are creating a chroot and, of course, our chroot contains an identical layout for the resolv.conf file:
```shell
root@stretch:/var/chroot/InstantSSH/shared_jail# chroot .
root@stretch:/# ls -la /etc/resolv.conf
lrwxrwxrwx 1 root root 31 nov. 9 17:12 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
root@stretch:/# ls -la /etc/resolvconf/run
lrwxrwxrwx 1 root root 15 nov. 9 17:12 /etc/resolvconf/run -> /run/resolvconf
root@stretch:/# ls -la /run/resolvconf
total 12
drwxr-xr-x 2 root root 4096 nov. 9 17:12 .
drwxr-xr-x 6 root root 4096 nov. 9 17:12 ..
-rw-r--r-- 1 root root 172 nov. 9 16:45 resolv.conf
root@stretch:/#
```
The problem is that firejail rejects the /etc/resolv.conf file:
```shell
nuxwin@dev:~$ ssh [email protected]
___ _ _ ____ ____ _ _
|_ _|_ __ ___| |_ __ _ _ __ | |_ / ___/ ___|| | | |
| || '_ \/ __| __/ _` | '_ \| __| \___ \___ \| |_| |
| || | | \__ \ || (_| | | | | |_ ___) |__) | _ |
|___|_| |_|___/\__\__,_|_| |_|\__| |____/____/|_| |_|
Welcome to your shell.
If you need a specific command, get in contact with your reseller.
i-MSCP InstantSSH plugin v6.0.0
Copyright (c) 2014-2017 Laurent Declercq <[email protected]>
Last login: Thu Nov 9 17:13:33 2017 from 192.168.1.100
Error: invalid /var/chroot/InstantSSH/shared_jail/etc/resolv.conf file
Connection to 192.168.1.133 closed.
nuxwin@dev:~$
```
Well, this is due to the following check in the fs.c file:
```c
if (is_link(name)) {
	fprintf(stderr, "Error: invalid %s file\n", name);
	exit(1);
}
```
Environment
```shell
root@stretch:/var/chroot/InstantSSH/shared_jail# LANG=C lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.1 (stretch)
Release: 9.1
Codename: stretch
```
```shell
root@stretch:/var/chroot/InstantSSH/shared_jail# LANG=C aptitude show resolvconf
Package: resolvconf
Version: 1.79
State: installed
Automatically installed: no
Priority: optional
Section: net
Maintainer: resolvconf maintainers resolvconf-devel@lists.alioth.debian.org
Architecture: all
Uncompressed Size: 196 k
Depends: ifupdown, lsb-base (>= 4.1+Debian3), debconf (>= 0.5) | debconf-2.0, init-system-helpers (>= 1.18~)
Breaks: dhcp3-client (< 4.1.1-P1-15+squeeze1), dnscache-run, sysv-rc (< 2.88dsf-42)
Enhances: dhcpcd, dnsmasq, ifupdown, isc-dhcp-client, libc6, network-manager, nscd, pdnsd, ppp, pump, udhcpc
Provided by: openresolv (3.8.0-1)
Description: name server information handler
Resolvconf is a framework for keeping up to date the system's information about name servers. It sets itself up as the intermediary between programs that supply this information (such as ifup and ifdown, DHCP
clients, the PPP daemon and local name servers) and programs that use this information (such as DNS caches and resolver libraries).
This package may require some manual configuration. Please read the README file for detailed instructions.
Homepage: http://alioth.debian.org/projects/resolvconf/
Tags: admin::configuring, interface::commandline, network::configuration, protocol::dns, role::program, use::configuring
```
```shell
root@stretch:/var/chroot/InstantSSH/shared_jail# firejail --version
firejail version 0.9.50.1
Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- bind support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- git install support is disabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is disabled
root@stretch:/var/chroot/InstantSSH/shared_jail#
```
@netblue30
Also, with dev-master, another error is raised instead:
```shell
nuxwin@dev:~$ ssh [email protected]
___ _ _ ____ ____ _ _
|_ _|_ __ ___| |_ __ _ _ __ | |_ / ___/ ___|| | | |
| || '_ \/ __| __/ _` | '_ \| __| \___ \___ \| |_| |
| || | | \__ \ || (_| | | | | |_ ___) |__) | _ |
|___|_| |_|___/\__\__,_|_| |_|\__| |____/____/|_| |_|
Welcome to your shell.
If you need a specific command, get in contact with your reseller.
i-MSCP InstantSSH plugin v6.0.0
Copyright (c) 2014-2017 Laurent Declercq <[email protected]>
Last login: Thu Nov 9 17:17:56 2017 from 192.168.1.100
Error: chroot /etc/resolv.conf is pointing outside chroot
Connection to 192.168.1.133 closed.
nuxwin@dev:~$
```
I saw that you added some fixes lately regarding the /etc/resolv.conf file, but now we end up with a false error:
Error: chroot /etc/resolv.conf is pointing outside chroot
As you can see in my quotes above, that is totally false. I wonder why you're doing so many checks on the resolv.conf file. All those checks make your life harder and, instead of improving security, you're breaking the whole chroot feature. A check on file owner and permissions (not world-writable) should be sufficient here. The /etc/resolv.conf file can be dynamic (that is by far the most common case now) and therefore is a symlink in most cases.
If /etc/resolv.conf isn't world readable on your system, then something is not behaving correctly. At least glibc, and I'm pretty sure uClibc and whatever musl uses for networking functions, need that file readable to resolve hostnames properly when configured to use DNS. Most other DNS resolver libraries need it too. That requirement is why it's so important. If somebody spoofs the file in some way, they have functionally full control of what systems you talk to on the network, and can potentially trick you into thinking your external hostname is something else.
That said, the file should not be world-writable, as that would make such spoofing absolutely trivial.
@Ferroin
Sorry, you're right. It is world-readable and MUST be world-readable. I wanted to say not world-writable ;) I'll edit my previous post.
The logic is broken. There should be no checking on
@netblue30
Thanks ;) I'll check it out and give it a try soon ;)