V1.0 (c) 2015, UCL, Dr. Andrew C.R. Martin

chrootperl is a small wrapper to perl to allow it to be run in a chroot'ed sandbox.

Edit the chrootperl.cfg file.

You must specify the directory you wish to use for your sandbox ($SANDBOX)

Note: Placing the sandbox in /tmp or /var/tmp may well not work owing to SELinux and advanced permissions.

The config file also allows you to specify:

• any additional executables that you need to be able to run - they will all be placed in $SANDBOX/bin. bash and perl will be automatically available ($EXES)
• any additional directories that you will need to run your Perl scripts. /bin, /lib and /lib64 will be automatically available as well as /run which is used to store the Perl script ($DIRS)
• the destination where the chrootperl executable will live. If not specified, this is /usr/local/bin, but you must ensure that if this is and NFS export that it is exported with NO_ROOT_SQUASH on the machines on which you wish to use the program. ($DEST)

Now run the makesandbox.pl script:

./makesandbox.pl

This creates the required directories, copies in the system executables and any libraries that they use. * See also the Additional Install notes below *

Now source the config file and compile the chrootperl program:

source ./chrootperl.cfg
make

Note that you must have sudo permissions to do chmod and chown and will be prompted for your password.

You can then install the program in $DEST by typing

make install

Run the program in the same way that you would run perl on the command line:

./chrootperl script.pl arguments

Remember that the perl script can only see within your sandbox, so any files you need must be copied into the sandbox first.

NOTE: The script will remain in the $SANDBOX/run directory. You will need to delete it manually.

1. Check that the chrootperl program is owned by root chown root:root chrootperl

2. Check that the chrootperl program has the setuid bit set chmod u+s chrootperl

3. Check that the filesystem where the chrootperl executable lives either a) is locally mounted or b) is exported over NFS with the no_root_squash option set (see /etc/exports on the NFS server).

To test the installation, run the shell scripts in the test sub-directory:

cd test
./runtest1.sh

This runs the perl script test1.pl in the sandbox. This script prints some text and prints the results of ls /bin. Depending on what executables you have installed, results will be something like:

Hello World
bash
cat
ls
perl

cd test
./runtest2.sh

This copies the file test2.dat into $SANDBOX/tmp and then runs the perl script test2.pl in the sandbox, passing it /tmp/test2.dat as a parameter. The script simply prints the contents of the file specified on the command line so the results should be the same as the contents of test2.dat:

one
two
three
four
five

A simple demonstration is provided in the examples/html directory. This installs a simple HTML page containing two forms in ~/public_html/chrootperl/ together with a normal Perl CGI script that reads the form and then runs chrootperl on that script passing it a text file as a parameter.

For this to work, your Apache configuration must either be set up to allow CGI scripts to be executed in your public_html directory with a .cgi extension being recognized as a CGI scipt, or must have AllowOverride All set to allow a .htaccess file to enable these settings.

After installing chrootperl, install the demo by doing:

cd examples/html ./install.sh

If you wish to change the location of the sandbox without editing the chrootperl.cfg file, you can instead create the sandbox using:

source ./chrootperl.cfg
export SANDBOX=/path/to/my/sandbox
./makesandbox.pl -sandbox=$SANDBOX
make clean; make; make install

When installing the HTML form demo, you may also override the location of the sandbox that is specified in the chrootperl.cfg file by specifying it on the command line. e.g.

cd example/html
./install.sh $SANDBOX