[R] Chrooted R + Rserve

Sun, 03 Feb 2008 08:31:49 -0800 

I successfully chrooted R running Rserve with an unprivileged user,
and thought I'd publish the process.

Attached is a jailkit.ini for use with jailkit;* and a chroot/setuid
wrapper, chwrap.c.

To set up the chroot in, for instance, /var/R; perform:

   mkdir -v /var/R
   jk_init -v -c jailkit.ini -j /var/R R

then create the unprivileged user `r':

   useradd r

After compiling chwrap with:

   gcc -o chwrap chwrap.c

finally invoke Rserve with r's uid and gid (see /etc/passwd):

   chwrap [UID] [GID] /var/R /usr/local/bin/Rserve

-----------
* http://olivier.sessink.nl/jailkit

[strace]
executables = /usr/bin/strace

[uidbasics]
comment = common files for all jails that need user/group information
libraries = /lib/libnsl.so.1, /lib/libnss_compat.so.2, /lib/libnss_files.so.2
regularfiles = /etc/nsswitch.conf
users = r
groups = r

[ldconfig]
executables = /sbin/ldconfig
regularfiles = /etc/ld.so.conf

[shell]
executables = /bin/sh, /bin/rm, /bin/sed, /bin/uname

[R]
executables = /usr/local/bin/R, /usr/local/bin/Rserve, /usr/local/bin/Rserve.dbg
paths = /proc/meminfo, /etc/Rserv.conf
directories = /usr/local/lib/R, /usr/local/Rserve
devices = /dev/tty, /proc/self/fd/0
emptydirs = /tmp
includesections = ldconfig, strace, shell, uidbasics

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

int main(int argc, char *argv[], char *envp[])
{
  enum { PROG, UID, GID, ROOT, EXEC, ARGC };
  uid_t *uid = malloc(sizeof(uid));
  gid_t *gid = malloc(sizeof(gid));
  char *p, *e;

  if (argc < ARGC) {
    fprintf(stderr, "USAGE: %s UID GID ROOT EXEC [ARGS]\n", argv[0]);
  } else {
    sscanf(argv[UID], "%d", uid);
    sscanf(argv[GID], "%d", gid);
    p = argv[ROOT];
    e = argv[EXEC];

    if (chdir(p)) {
      printf("chdir to %s failed: %s", p, strerror(errno));
    } else if (chroot(p)) {
      printf("chroot to %s failed: %s", p, strerror(errno));
    } else if (setgid(*gid) != 0) {
      printf("setgid failed: %s", strerror(errno));
    } else if (setuid(*uid) != 0) {
      printf("setuid failed: %s", strerror(errno));
    } else {
      free(uid);
      free(gid);
      execve(e, argv + EXEC, envp);
      printf("execve failed: %s", strerror(errno));
    }
  }
  exit(1);
}

______________________________________________
R-help@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.

Reply via email to