# Installing/running untrusted software

## grant123

Periodically I need to install and run untrusted software that isn't in portage.  Is there a good method for going about that?

----------

## Roman_Gruber

The easiest way would be to use some virtualization software like virtualbox or what they are called like these days.

*Quote:*

> * app-emulation/virtualbox
> 
>      Available versions:  4.3.18 (~)4.3.26 (~)4.3.28 {+additions alsa doc extensions headless java +opengl pam pulseaudio python +qt4 +sdk +udev vboxwebsrv vnc ELIBC="FreeBSD" PYTHON_TARGETS="python2_7"}
> 
>      Homepage:            http://www.virtualbox.org/
> ...

 

You could create a new user with a fresh home directory and run the software there, or in a chroot, but it depends on what is untrusted.

Or boot up a livecd and run it from there. But I think you are asking for something like virtualbox or vmware or whatever else exists in this regard.

I am not sure if such apps are useful for you or not.

*Quote:*

> * sys-apps/fakeroot
> 
>      Available versions:  1.18.4 1.19 (~)1.20 (~)1.20.2 {acl debug static-libs test}
> 
>      Homepage:            http://packages.qa.debian.org/f/fakeroot.html
> ...

 

It boils down to what you want to run ... and with that knowledge you can choose the right environment then.

----------

## NeddySeagoon

grant123,

It depends on your degree of paranoia.

1. don't run untrusted software :)

2. isolate it in its own hardware

3. use some form of virtualisation to isolate it.

4. run it in a live system of some sort (No HDD access at all)

5. Keep it in a chroot jail

6. trust it

I guess that 1 and 6 are not acceptable.

----------

## Jaglover

Define untrusted software. Not being in the portage does not mean it is untrusted. Is there any untrusted FOSS?

----------

## grant123

*NeddySeagoon wrote:*

> grant123,
> 
> It depends on your degree of paranoia.
> 
> 1. don't run untrusted software 
> ...

 

Can I set up a user and remove them from (almost?) all groups and run the software as that user and expect it to be reasonably safe?

Jaglover, just stuff I don't feel sure about.

----------

## Jaglover

app-misc/jail is a better solution.

----------

## grant123

*Jaglover wrote:*

> app-misc/jail is a better solution.

 

How secure is it?  Should I expect anything I run in the jail to be completely safe and sandboxed?

Generally, do all applications install and run properly in a jail?

----------

## szatox

chroot is secure if you don't expose anything important inside.

E.g. mounting /dev/ on top of your chroot directory would allow an application you run there to access your hard drives.

I don't know much about jail, but it seems to be some kind of helper that creates a chroot zone for you (so you don't have to build a second system yourself) and then you end up in a chroot anyway.

So, running a non-privileged application simply as another user, without access to your files, would let you contain the possible damage within a small "don't care" area. The same goes for virtualization, which is more work to set up but rewards you with a system you don't have to worry about in terms of "where that stuff will be installed". Running as a separate user on the same system, you want to have something like $HOME/bin in your $PATH in addition to the regular stuff, and install those funny things there.

In the case of an application for Windows, you can use winecfg to map only the particular directories you want that app to have access to.

----------

## Hu

You need to identify your threat model.  If the untrusted application is actively malicious, it could know about kernel bugs that would let it escape the container you put it in.  If it is only untrusted in the sense that you lack confidence that it will not accidentally delete your home directory, then it is much easier to contain.

----------

## grant123

Thanks guys.  It sounds like jail (chroot with ease) is the way to go.  I wouldn't run anything I know to be malicious.

EDIT: Well maybe not as easy as I had hoped.  Can anyone tell me what I did wrong?

```
# mkjailenv /var/chroot
# chroot /var/chroot /bin/bash
chroot: failed to run command ‘/bin/bash’: No such file or directory
```

I tried this but still get the same error:

```
# addjailsw /var/chroot -P bash
```

----------

## Roman_Gruber

Maybe a lack of user rights?

Did you check which groups you are in? And which groups are needed by this application?

----------

## NeddySeagoon

grant123,

```
# chroot /var/chroot /bin/bash
chroot: failed to run command ‘/bin/bash’: No such file or directory
```

Either /bin/bash or one of the libs it depends on is missing from the chroot.

lddtree is your friend:

```
$ lddtree /bin/bash
/bin/bash (interpreter => /lib64/ld-linux-x86-64.so.2)
    libreadline.so.6 => /lib64/libreadline.so.6
    libncurses.so.5 => /lib64/libncurses.so.5
        libdl.so.2 => /lib64/libdl.so.2
    libc.so.6 => /lib64/libc.so.6
```

You need all those libraries in the chroot.  Some of them may be symlinks to the real thing, in which case you need the symlink and the real target.

----------

## grant123

Surely whichever apps I end up running will need more than bash.  Do I basically need to do a minimal and manual OS install into the chroot?  I was hoping app-misc/jail would prevent that from being necessary.

----------

## NeddySeagoon

grant123,

lddtree will tell you what you need.  You may not even need bash.  The chroot command does not need to run a shell.

----------

## grant123

*NeddySeagoon wrote:*

> lddtree will tell you what you need.  You may not even need bash.  The chroot command does not need to run a shell.

 

I'm getting this:

```
# lddtree runme.sh
runme.sh => ./runme.sh (interpreter => none)
```

----------

## NeddySeagoon

grant123,

That tells you that runme.sh is a statically linked binary, or not a binary at all.

Regardless, it has no dynamic linking requirements.

----------

## grant123

Well, my goal is to figure out what software I need to add to the chroot in order for it to be able to execute (in this case) runme.sh.  I know the program I'm trying to execute via runme.sh uses java at least.  Is there a good way to do this?

----------

## NeddySeagoon

grant123,

lddtree on the executables listed in the runme.sh script.

----------

## grant123

I'm able to get bash and ls working in the chroot by doing this:

```
# addjailsw /var/chroot -P ls --version
# addjailsw /var/chroot -P bin --version
# cp /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64
```

But neither works unless I execute that last line.  Why would addjailsw leave that out?

The runme.sh script only references java so I did:

```
# lddtree /usr/bin/java
java => /usr/bin/java (interpreter => none)
# addjailsw /var/chroot -P java --version
```

But in the chroot I get:

```
# ./runme.sh
bash: ./runme.sh: /bin/sh: bad interpreter: No such file or directory
```

Wouldn't it be easier to just extract a stage3 tarball, chroot into it, and emerge whatever I need in there?  Why use app-misc/jail instead?

BTW, do you know if deleting /var/chroot wipes out all of the changes made by the jail commands or is there extra cleanup to do?
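As an added example (my own script, not code from this thread, from app-misc/jail or from pax-utils), the following POSIX shell script automates what NeddySeagoon describes above: it copies a program into a chroot together with the ld-linux interpreter and every library that ldd reports, keeps both a symlink and its target when a path is a link (the case that lost ld-linux-x86-64.so.2 earlier), and for scripts also copies the interpreter named on the #! line, which is what the "bad interpreter" error for /bin/sh is about. It assumes glibc's ldd, readlink and head -c are available on the host; paths and file names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the thread or from app-misc/jail.
# Populates a chroot with a program and everything it needs to start:
#   - for ELF binaries: the ld-linux interpreter and every library ldd lists
#   - for scripts: the interpreter on the #! line (else: "bad interpreter")
# Symlinked paths are copied as links AND their targets are copied too.
# Assumes glibc's ldd, readlink and a POSIX shell on the host.
set -eu

# copy_with_links PATH ROOT: copy PATH to ROOT/PATH; if PATH is a symlink,
# keep the link and walk to its target until a regular file is copied.
copy_with_links() {
    src="$1"; root="$2"
    while :; do
        mkdir -p "$root$(dirname "$src")"
        if [ -L "$src" ]; then
            [ -L "$root$src" ] || cp -P "$src" "$root$src"
            target="$(readlink "$src")"
            case "$target" in
                /*) src="$target" ;;
                *)  src="$(dirname "$src")/$target" ;;
            esac
        else
            [ -e "$root$src" ] || cp -p "$src" "$root$src"
            return 0
        fi
    done
}

# install_into_chroot PROGRAM ROOT: PROGRAM is an absolute path or a name
# found via PATH. Returns 0 on success; the caller can then chroot into ROOT.
install_into_chroot() {
    prog="$1"; root="$2"
    case "$prog" in /*) ;; *) prog="$(command -v "$prog")" ;; esac
    copy_with_links "$prog" "$root"
    if [ "$(head -c 2 "$prog")" = "#!" ]; then
        # Script: recurse on the shebang interpreter. Note that a
        # "#!/usr/bin/env foo" line only pulls in env, not foo.
        interp="$(head -n 1 "$prog" | sed 's/^#![ ]*//' | awk '{print $1}')"
        install_into_chroot "$interp" "$root"
        return 0
    fi
    # ELF: ldd prints "lib => /path (addr)" lines and, for the interpreter,
    # "/lib64/ld-linux-x86-64.so.2 (addr)"; vdso lines carry no path.
    ldd "$prog" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                                   $1 ~ /^\// { print $1 }' |
    while read -r lib; do copy_with_links "$lib" "$root"; done
}
```

Run it as `install_into_chroot /usr/bin/java /var/chroot` for each executable the script references; libraries that java loads with dlopen at runtime are not seen by ldd and still have to be added by hand.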

----------

## grant123

One more question, will I be able to run GUI apps from the chroot?

----------

## szatox

Yes, but it may (or may not) require tuning some configs. The good news is that X11 was written with networks in mind, and you can still use a TCP port instead of the default unix socket.

----------

## grant123

What do you think guys?  Am I better off with virtualization, and if so, which?  Is there any virtualization that doesn't require a kernel patch which isn't included in hardened-sources?

----------

## szatox

I think you could have already done that if you tried. http://xkcd.com/1445/

There is no good or wrong way here, there is the one you pick and the one you don't.

That list of options by Neddy still holds, all of those are valid.

1. don't run untrusted software :)

2. isolate it in its own hardware

3. use some form of virtualisation to isolate it.

4. run it in a live system of some sort (No HDD access at all)

5. Keep it in a chroot jail

6. trust it

----------

## el muchacho

Firejail.

It is not just a chroot jail.

It uses namespaces and capabilities to make your process run in a separate namespace. Most of the system is remounted as read-only, and the most dangerous system calls are banned; you can also define whether it should have a network stack or not, etc... All of that is configurable.

BUT... firejail is NOT in the official portage tree (I definitely think it should be part of Hardened Gentoo).

https://l3net.wordpress.com/projects/firejail/

----------

