As I look to embark on a trip to the sands of Phuket, Thailand in the next 3 hours, I'm pleased to announce that code to implement sandboxing is now up in it's own branch in the git repo. The basic design of this sandbox code has been documented in the blog Building the eBrainPool Linux Container - Part 3 The code is still absolutely alpha and there's a lot of development / testing required before we consider it usable and merge it into the main master branch in the git however it now exists for the brave and the following steps document how to use this.
Using the code requires
- The code in the sandbox branch of the repo.
- A working linux containers (lxc) subsystem on your host.
- The eBrainPool specific lxc container.
Getting the code :
- git clone git://ebrain.in/ebrainpool.git
- git checkout sandboxInstalling Linux Containers (LXC) Please check your distribution specific documentation to install LXC. I'm using Debian and the debian lxc wiki worked quite well for me.
The eBrainPool specific LXC container subsystem
The following steps document how to get the eBrainPool LXC container to start up :
- Download the eBrainPool LXC container core template from http://www.ebrain.in/ebp-container.tar.gz
-
lxc runs various containers and has a default directory under which these containers reside, on my system it is /var/lib/lxc
-
- place the container in this directory
-
- following steps as root or using sudo
-
- now under /var/lib/lxc/ebp-container is a script - I forget the exact name but it's the only script and named something like ./setup-xxx-xxx. What it does is create a bridge interface on the system. It also sets up iptables rules passing packets between a physical interace and this bridge - this I think is unnecessary and will take this off at a later stage.
-
For now run ./setup-xxx-xxx wlan0 (or eth0....at the moment it maybe irrelevant which interface it is forwarded to - however wanna do more testing before taking this off)
- now you can start lxc-start -n ebp-container.
the container can eventually be configured so that it starts up always at system start up automatically.
-
If you reach a stage where you get a login prompt from your container you're good to go.
- the passwords for the container are :
user 1) username: root password: root
user 2) username: ebp password: ebp
-
the config file within ebp-container is designed so that /usr, /bin, /sbin, /lib and /lib64 are bind mounted in read-only (ro) mode with your host system. So the container can run the same binaries as your host system.
-
the container has it's own /etc and has only the user ebp on it. It also has it's own independent /dev.
- the container runs sshd - the binary is on the host but gets launched in the container (no binaries exist in the container) - therefore the host needs sshd Setup instructions for the new code Once you have the lxc template up and running the following steps should help you work with the new sandboxing code.
-
the ebp.conf has changed, it now has a section dedicated to lxc containers, the ebp.conf file uploaded as part of the sandbox branch has values that need to be specified for the ip number of the container, user name on the container to ssh to,port in the container ssh is listening on, etc.
- The new code for the ebp client,on start up, uses the ssh client to connect to the ssh server running in the container. It sets up a port on the host, any connects on this port are forwarded to the sshd in the container. An example of the ssh command that does this is :
ssh -g -L 21010:192.168.100.150:22 ebp@192.168.100.150where 192.168.100.150 is the IP address of the container.
Therefore, the /.ssh/authorized_keys on container now needs to have two sets of keys :
-
the public key in ~/.ebp/clientkeys.pub of the user on the host system that will be running the ebp client. NOTE: do not insert the key in the .ssh directory, but the key in the .ebp directory.
- the public key of any remote user whom we want to allow to run apps from this system need to be into ~/.ssh/authorized_keys of the container.
Therefore the authorized_keys in the ~/.ebp directory of the host system is now redundant. All connections need to be authenticated against the ~/.ssh/authorized_keys in the container.
On my system the continer's authorized_file can be directly accessed at the path /var/lib/lxc/ebp-container/rootfs/home/ebp/.ssh/authorized_keys. Note once again that when we're sharing public keys we need to share the keys in the .ebp directory (clientkeys.pub) but these then need to be placed in the .ssh directory authorized_files in the container.
Well that's all that should be needed. As already mentioned all of this code is still very much in testing. A lot of work is needed. However a lot of work has already been accomplished. If you get all of the above working you should now have all applications running from remote hosts now running inside the sandbox. This means the remote user no longer can mess with your data, your system configuration,passwords,etc and you have full control on the resources the user is allowed to utilize.
Good luck :)