Running InterMapper in a CHROOT Jail on Linux

Running InterMapper in a CHROOT Jail on Linux

It is possible to run InterMapper in a Linux "chroot jail." This prevents the InterMapper program from accessing any resources not specified by the network administrator.

These directions assume that InterMapper is installed on a Linux system in /usr/local/bin/intermapperd. We also assume that the configuration file is located in /usr/local/etc/intermapperd.conf with only the User directive configured:

User "bfish"

First obtain the program makejail/ Create a configuration file named intermapperd.py. Replace bfish with the user name on your system of the UID that will run intermapperd (in the jail). For security reasons, this should not be the root user:

chroot="/var/chroot/intermapperd"
testCommandsInsideJail=["/usr/local/bin/intermapperd -d
-f /usr/local/etc intermapperd.conf"]
processNames=["intermapperd", "intermapperauthd"
sleepAfterStartCommand=10
users=["bfish"]
groups=["bfish"]

Become root and create the directory /var/chroot/intermapperd:

cd /var
mkdir -p chroot/intermapperd

Switch back to the makejail directory and execute makejail for the first time:

cd ~/makejail-0.0.5
./makejail intermapperd.py

The makejail program will make a first stab at creating the jail. You must now refine some of the permissions on your jail manually:

cd /var/chroot/intermapperd
mkdir InterMapper_Settings
chown bfish:bfish InterMapper_Settings

Note: Replace bfish above with the user name on your system. The InterMapper_Settings directory will contain runtime settings for intermapperd. You must edit the jail's intermapperd.conf file to use /InterMapper_Settings for it's IM Settings directory. To do this, edit usr/local/etc/intermapperd.conf to be like:

User "bfish"
SettingsFolder "/InterMapper_Settings"

You must make the jail's copy of the intermapperauthd program setuid-root. Otherwise, the jailed intermapperd will not be able to open raw-icmp sockets to send pings or other privileged sockets:

chmod u+s usr/local/bin/intermapperauthd

Run makejail a second time. Now that intermapperd can create its preferences file, makejail can check that everything is there:

cd ~/makejail-0.0.5
./makejail intermapperd.py

Finally, you can test the jail itself, and verify that you can connect with InterMapper Remote. You will want to start intermapperd in debug mode with the -d flag to get the best diagnostics. You also need to use -A to enable access for the remote client:

chroot /var/chroot/intermapperd /usr/local/bin/intermapperd -d
-f /usr/local/etc/intermapperd.conf -A "admin@*.*.*.*"

Once you are comfortable that the jail is set up correctly, you can run the jail with the much shorter command line:

chroot /var/chroot/intermapperd /usr/local/bin/intermapperd
-f /usr/local/etc/intermapperd.conf

Known Issues:

Host name lookups always return an address of 0.0.0.0.