Permission denied in chroot jail built with a script

I'm trying to script the creation of a chroot jail (I know there are tools for this, but I'm interested in the experience, so I'm not looking for a tool recommendation). I have a script that finds the commands I want to be executable inside the jail, finds their dependencies, follows symlinks, and then copies everything into the jail. Here is the script configured for Python only.

    executables=" python "
    for exe in $executables
    do
        # move the executable
        echo Executable: $exe
        exe_path=`which $exe`
        echo READLINK -f $exe_path
        exe_true_path=`readlink -f $exe_path`
        exe_dir=`echo $exe_path | grep -o '/.*/'`
        mkdir -p $1$exe_dir
        cp -L $exe_true_path $1$exe_path
        # get the libs for this exe
        libs=`ldd $exe_true_path | grep -o '/[^()]*'`
        # move each lib
        for lib in $libs
        do
            echo Library: $lib
            lib_path=$lib
            lib_true_path=`readlink -f $lib_path`
            lib_dir=`echo $lib_path | grep -o '/.*/'`
            echo MKDIR $1$lib_path
            mkdir -p $1$lib_path
            echo CP $lib_true_path $1$lib_path
            cp -L $lib_true_path $1$lib_path
        done
    done

It seems to work pretty well…

    $ tree .
    .
    +-- lib
    ¦   +-- x86_64-linux-gnu
    ¦       +-- libc.so.6
    ¦       ¦   +-- libc-2.13.so
    ¦       +-- libdl.so.2
    ¦       ¦   +-- libdl-2.13.so
    ¦       +-- libgcc_s.so.1
    ¦       ¦   +-- libgcc_s.so.1
    ¦       +-- libm.so.6
    ¦       ¦   +-- libm-2.13.so
    ¦       +-- libpthread.so.0
    ¦       ¦   +-- libpthread-2.13.so
    ¦       +-- libutil.so.1
    ¦       ¦   +-- libutil-2.13.so
    ¦       +-- libz.so.1
    ¦           +-- libz.so.1.2.7
    +-- lib64
    ¦   +-- ld-linux-x86-64.so.2
    ¦       +-- ld-2.13.so
    +-- usr
        +-- bin
            +-- python

However, when I try to run python inside this jail, I get a permissions error.

    $ sudo chroot chroot12/ python --version
    chroot: failed to run command `python': Permission denied

Even after opening up the permissions, I get the error.

    $ chmod -R 777 chroot12/
    $ sudo chroot chroot12/ python --version
    chroot: failed to run command `python': Permission denied

Any ideas what could be causing this? I didn't start getting these errors until I introduced the link following, but unfortunately I don't have the previous version of the script to compare.

Thanks in advance!

strace output

    $ sudo strace -f chroot chroot12 python --version
    execve("/usr/sbin/chroot", ["chroot", "chroot12", "python", "--version"], [/* 14 vars */]) = 0
    brk(0) = 0x11f1000
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f329f926000
    access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cache", O_RDONLY) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=26406, ...}) = 0
    mmap(NULL, 26406, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f329f91f000
    close(3) = 0
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
    read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\360\1\0\0\0\0\0"..., 832) = 832
    fstat(3, {st_mode=S_IFREG|0755, st_size=1599536, ...}) = 0
    mmap(NULL, 3713144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f329f37e000
    mprotect(0x7f329f500000, 2093056, PROT_NONE) = 0
    mmap(0x7f329f6ff000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x181000) = 0x7f329f6ff000
    mmap(0x7f329f704000, 18552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f329f704000
    close(3) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f329f91e000
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f329f91d000
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f329f91c000
    arch_prctl(ARCH_SET_FS, 0x7f329f91d700) = 0
    mprotect(0x7f329f6ff000, 16384, PROT_READ) = 0
    mprotect(0x607000, 4096, PROT_READ) = 0
    mprotect(0x7f329f928000, 4096, PROT_READ) = 0
    munmap(0x7f329f91f000, 26406) = 0
    brk(0) = 0x11f1000
    brk(0x1212000) = 0x1212000
    open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=1534672, ...}) = 0
    mmap(NULL, 1534672, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f329f7a5000
    close(3) = 0
    chroot("chroot12") = 0
    chdir("/") = 0
    execve("/usr/local/sbin/python", ["python", "--version"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
    execve("/usr/local/bin/python", ["python", "--version"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
    execve("/usr/sbin/python", ["python", "--version"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
    execve("/usr/bin/python", ["python", "--version"], [/* 14 vars */]) = -1 EACCES (Permission denied)
    execve("/sbin/python", ["python", "--version"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
    execve("/bin/python", ["python", "--version"], [/* 14 vars */]) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    write(2, "chroot: ", 8chroot: ) = 8
    write(2, "failed to run command `python'", 30failed to run command `python') = 30
    open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    write(2, ": Permission denied", 19: Permission denied) = 19
    write(2, "\n", 1 ) = 1
    close(1) = 0
    close(2) = 0
    exit_group(126) = ?

The only way I can reproduce the error:

    execve("/usr/bin/python", ["python", "--version"], [/* 14 vars */]) = -1 EACCES (Permission denied)

… is by making the ELF dynamic loader non-executable.

This works:

    $ ls -l chroot12/lib64/ld-linux-x86-64.so.2
    -rwxr-xr-x 1 root root 149280 Oct 30 16:22 chroot12/lib64/ld-linux-x86-64.so.2

This doesn't:

    $ ls -l chroot12/lib64/ld-linux-x86-64.so.2
    -rw-r--r-- 1 root root 149280 Oct 30 16:22 chroot12/lib64/ld-linux-x86-64.so.2

Make sure chroot12/lib64/ld-linux-x86-64.so.2 has execute permission.
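
The check from the answer, written as a reusable audit (an added example, not part of the original question or answer). Besides a missing execute bit, it reports a path that exists in the jail but is not a regular file, which is what `mkdir -p` on a full library path, as in the question's script, leaves behind. The function names and the `kind:path` entry format are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit files copied into a chroot jail before running anything in it.

# Print the state of one path inside the jail.
#   $1 = jail root
#   $2 = absolute path as seen from inside the jail
#   $3 = "exec" if execve() must run it (the binary or its ELF loader), else "lib"
jail_file_state() {
    _target="$1$2"
    if [ ! -e "$_target" ]; then
        echo "missing"
    elif [ ! -f "$_target" ]; then
        # e.g. a directory left behind by `mkdir -p` on the full file path
        echo "not-a-regular-file"
    elif [ "$3" = "exec" ] && [ ! -x "$_target" ]; then
        echo "not-executable"
    elif [ ! -r "$_target" ]; then
        echo "not-readable"
    else
        echo "ok"
    fi
}

# Audit "kind:path" entries; print one line per entry and
# return non-zero if any entry is not "ok".
#   $1 = jail root, remaining args = entries such as exec:/usr/bin/python
audit_jail() {
    _jail="$1"; shift
    _rc=0
    for _entry in "$@"; do
        _kind="${_entry%%:*}"
        _path="${_entry#*:}"
        _state="$(jail_file_state "$_jail" "$_path" "$_kind")"
        printf '%-20s %s\n' "$_state" "$_path"
        [ "$_state" = "ok" ] || _rc=1
    done
    return "$_rc"
}

# Usage against the jail from the question (paths taken from its listing):
#   audit_jail chroot12 exec:/usr/bin/python exec:/lib64/ld-linux-x86-64.so.2 \
#       lib:/lib/x86_64-linux-gnu/libc.so.6
```

Run it as the same user that will call `chroot`, since `-x` and `-r` are evaluated for the calling user.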