Difference between revisions of "Operating Systems 2021F: Assignment 3"

From Soma-notes
Jump to navigation Jump to search
Line 21: Line 21:
# [2] Run 3000makefs.sh.  Note how it makes a new filesystem in a file, mounts it, and does some initialization.  What command creates most of the files in the new filesystem?  How do you know?  (Suggestion: study each command by running them one at a time and seeing what they do.)
# [2] Run 3000makefs.sh.  Note how it makes a new filesystem in a file, mounts it, and does some initialization.  What command creates most of the files in the new filesystem?  How do you know?  (Suggestion: study each command by running them one at a time and seeing what they do.)
# [1] After 3000makefs.sh runs, you're put in a new shell where / is now the contents of 3000fs, and you can't see anything that wasn't in 3000fs.  Exiting the shell gets you back to where you were.  After exiting, how do you get back to the modified environment?
# [1] After 3000makefs.sh runs, you're put in a new shell where / is now the contents of 3000fs, and you can't see anything that wasn't in 3000fs.  Exiting the shell gets you back to where you were.  After exiting, how do you get back to the modified environment?
# [2] Note that if you run the "id" command in your new shell, it doesn't know the name of any usernames or groups.  Copy files from the rest of the system into 3000fs to restore usernames and group names.  What files did you copy?
# [2] Copy and make nano work in the new environment.  What files did you have to copy to get it to work?  How did you know to copy them?
# [2] Lines 53-57 of 3000makefs.sh is several echo commands.  What are these lines doing?  Do these lines relate to any other parts of the script?
# [2] Lines 53-57 of 3000makefs.sh is several echo commands.  What are these lines doing?  Do these lines relate to any other parts of the script?
# [2] What are lines 26-29 for?  Is it missing anything?  Explain briefly.
# [2] What are lines 26-29 for?  Is it missing anything?  Explain briefly.
Line 28: Line 26:
# [2] If you create files in the confined environment, does it reduce the space available outside of it?  How do you know?
# [2] If you create files in the confined environment, does it reduce the space available outside of it?  How do you know?
# [2] Many files in our confined environment are symbolic links.  How did these files get created?  Why are they symbolic links and not regular files?  Explain their purpose.
# [2] Many files in our confined environment are symbolic links.  How did these files get created?  Why are they symbolic links and not regular files?  Explain their purpose.
# [2] Note that if you run the "id" command in your new shell, it doesn't know the name of any usernames or groups.  Copy files from the rest of the system into 3000fs to restore usernames and group names.  What files did you copy?
# [2] Copy and make nano work in the new environment.  What files did you have to copy to get it to work?  How did you know to copy them?
# [3] How can you add a user "confined" to 3000fs?  Make sure the user also is in a new group "confined" and has a home directory /home/confined (in 3000fs).  This user should only be visible when you're in 3000fs's special shell.  (If you run id when you regularly log in as student to your VM, there should be no user confined.)  Make sure you can run "su - confined" and be logged in as the user confined.
# [3] How can you add a user "confined" to 3000fs?  Make sure the user also is in a new group "confined" and has a home directory /home/confined (in 3000fs).  This user should only be visible when you're in 3000fs's special shell.  (If you run id when you regularly log in as student to your VM, there should be no user confined.)  Make sure you can run "su - confined" and be logged in as the user confined.
# [2] How can you mount the main root filesystem inside of the confined environment?  What does this say about the security properties of a chroot'd environment?
# [2] How can you mount the main root filesystem inside of the confined environment?  What does this say about the security properties of a chroot'd environment?

Revision as of 16:04, 12 November 2021

This assignment is still being developed.

Please submit the answers to the following questions via Brightspace by November 23, 2021 by 10 AM. There are ?? points in ?? questions.

Submit your answers as a plain text file following this template. Name your answer file "<username>-comp3000-assign3.txt" (where username is your MyCarletonOne username).

Your answers will be parsed by a script in order to help with grading so please preserve the format of the template. Make sure the file remains a plain text file! No other formats will be accepted.

Don't forget to include what outside resources you used to complete each of your answers, including other students, man pages, and web resources. You do not need to list help from the instructor, TA, or information found in the textbook.

Background

In this assignment you'll be working with a "chrooted" environment. We'll create a filesystem, mount it, populate it, and then change the current root directory to it so we can use this environment as if it was a completely separate system.

This mini system is rather bare bones initially and many things won't work. You'll be studying how it is put together and figuring out how to add functionality.

Tasks/Questions

Make sure you backup any important files in your VM, as you could erase everything. You've been warned!

  1. [2] Download and inspect 3000makefs.sh. Is there a risk of data loss from running this script? Specifically, what commands (if any) are potentially dangerous?
  2. [2] Run 3000makefs.sh. Note how it makes a new filesystem in a file, mounts it, and does some initialization. What command creates most of the files in the new filesystem? How do you know? (Suggestion: study each command by running them one at a time and seeing what they do.)
  3. [1] After 3000makefs.sh runs, you're put in a new shell where / is now the contents of 3000fs, and you can't see anything that wasn't in 3000fs. Exiting the shell gets you back to where you were. After exiting, how do you get back to the modified environment?
  4. [2] Lines 53-57 of 3000makefs.sh is several echo commands. What are these lines doing? Do these lines relate to any other parts of the script?
  5. [2] What are lines 26-29 for? Is it missing anything? Explain briefly.
  6. [2] What is the largest file we can create in the confined environment? What determines this limit?
  7. [2] If you create files in the confined environment, does it reduce the space available outside of it? How do you know?
  8. [2] Many files in our confined environment are symbolic links. How did these files get created? Why are they symbolic links and not regular files? Explain their purpose.
  9. [2] Note that if you run the "id" command in your new shell, it doesn't know the name of any usernames or groups. Copy files from the rest of the system into 3000fs to restore usernames and group names. What files did you copy?
  10. [2] Copy and make nano work in the new environment. What files did you have to copy to get it to work? How did you know to copy them?
  11. [3] How can you add a user "confined" to 3000fs? Make sure the user also is in a new group "confined" and has a home directory /home/confined (in 3000fs). This user should only be visible when you're in 3000fs's special shell. (If you run id when you regularly log in as student to your VM, there should be no user confined.) Make sure you can run "su - confined" and be logged in as the user confined.
  12. [2] How can you mount the main root filesystem inside of the confined environment? What does this say about the security properties of a chroot'd environment?

Code

3000makefs.sh

#!/bin/bash

# 3000makefs.sh
#
# setup a simple chrooted environment in a new
# filesystem (created in a local file)
#
# Initial version by Anil Somayaji
# created November 12, 2021
#

MP='3000fs'
IMAGE='3000fsimage'
BLOCKS=100000
SETUP='3000setupfs.sh'

if [ $UID != 0 ]; then
    echo "Please run this script as root."
    exit
fi

rm -f $IMAGE
dd if=/dev/zero of=$IMAGE bs=4096 count=$BLOCKS
mkfs.ext4 $IMAGE

if [ -d $MP ]; then
    umount -q $MP/proc
    umount -q $MP
fi

rm -rf $MP
mkdir $MP
mount $IMAGE $MP
cd $MP

mkdir bin sbin usr usr/bin usr/sbin etc proc sys dev root home lib \
      usr/lib  lib64 tmp var var/tmp var/lib run lib/terminfo
cp /usr/bin/busybox usr/bin

cp /bin/bash bin
cp /lib64/ld-linux-x86-64.so.2 lib64
cp /sbin/ldconfig* sbin
cp -a /etc/ld.so.conf* etc

cp `ldd /bin/bash | awk '{print $3}'` lib

chmod 1777 tmp var/tmp

TERMDIR=${TERM:0:1}
mkdir lib/terminfo/$TERMDIR
cp /lib/terminfo/$TERMDIR/$TERM lib/terminfo/$TERMDIR/$TERM

echo '#!/usr/bin/busybox sh' > $SETUP
echo '/usr/bin/busybox --install -s' >> $SETUP
echo '/sbin/ldconfig' >> $SETUP
echo 'mount -t proc proc /proc' >> $SETUP
echo 'mount -t devtmpfs udev /dev' >> $SETUP

chmod 0755 $SETUP
chroot . /$SETUP
rm $SETUP
chroot .