The sandbox is one of the most interesting features of RUST. It allows
you to create RPMs for the programs produced by any source code you can
find (that compiles, anyway ;) ). This is useful
in many cases, such as installing software on multiple similar machines
or simply when you'd like an easy way to upgrade and eventually remove
software from the system.
Within the sandbox, which is a chrooted environment, you can
install RPMs as well as source code. This allows you to test installations
or untrusted code without endangering your system (the install can only
access the filesystem beneath your "new root").
- Creating an RPM from arbitrary sources
Get the source code | Choose and initialize a new root | Compile the code under the new root | Change root into the sandbox and install the program | Automatically create the RPM
- Testing installation/verifying untrusted installs
- Tips
1. Creating an RPM from arbitrary sources
As a real-world example, we'll create an RPM for Apache from its
source tarball.
To use these features, you'll need to get to know cRUST
a bit. As an example, suppose we are to install Apache on multiple servers.
Our version of httpd will be tweaked for our own special needs and compiled
with support for a few extras, like mod_perl, php or fastcgi. Here are
the steps required to create an RPM that can then be installed, upgraded
and removed easily on all machines:
Get the source for Apache
Get the .tar.gz source file from http://httpd.apache.org/.
I am using apache_1.3.20.tar.gz. Also get whatever modules you're interested
in.
Choose a new root
The "new root" is a directory that will be the root of our
sandboxed environment. Because we will be chrooting to this directory,
we need to copy some of the system files to appropriate locations under
this new root, so choose a location on a partition with plenty of room.
Initialize the new root
We have selected ~/newroot. Now this directory
must be initialized and the appropriate files copied over. Do this with
a call to cRUST:
$ crust --init --copy ~/newroot
The --init causes cRUST to initialize the
newroot directory, while the --copy tells
it to copy over the files required to chroot, spawn a shell and make
the install. In certain cases, you'll need more programs to
be copied over into the new root for the installation within
the sandbox to work. You can try using the --fullcopy argument instead of --copy (the directories that are
duplicated during --copy and --fullcopy are determined by the
contents of the /usr/local/rust/conf/rustdirs*.conf files -
see the rustdirs.conf(5) manpage for
details). You may also use the --include DIR argument, see the crust page or the crust(5) man page for details.
Note that a certain amount of space will be eaten up by this process
and that it can take a few minutes (at least 2 minutes are added to
the process when doing a fullcopy, just for the md5sum calculations).
The good news is that you really only have to do this once, then you
can --clean and reuse the directory next time.
Copy the source tarball under the newroot
Copy the source tar.gz to ~/newroot/build. Anything you put under the
build subdirectory is ignored by RUST when creating the RPM, so make
sure you put it there.
$ mv apache_1.3.20.tar.gz ~/newroot/build
Compile the source (but don't install it!)
Go to the build directory
$ cd ~/newroot/build
Untar the source and enter the directory
$ tar zxvf apache_1.3.20.tar.gz
$ cd apache_1.3.20
Make the code, e.g.
$ ./configure --prefix=/usr/local/apache \
--enable-module=rewrite --enable-shared=rewrite
Take care of any modules, for example
$ cd ../php-3.0
$ ./configure --with-apache=../apache_1.3.20
Now make it
$ make
Use the sandbox to install it
What we want to do is install apache as we've configured it within the
sandbox (completely under ~/newroot), so that it
won't affect our system and so that cRUST will be able to track down what has been installed and make our RPM.
We need to get cRUST to chroot us into the sandbox. Chrooting is reserved
to people with root privileges, so become root
$ su
Now, as root, call cRUST like so:
# crust --chroot /home/username/newroot/
You will most likely see the prompt change to something like "bin/sh-2.04#"
Good, you are now in the sandbox. Take a look around and try this:
bin/sh-2.04# pwd
/
bin/sh-2.04# ls
bin build etc lib opt root tmp var
boot dev home mnt proc sbin usr
So, from within our shell, ~/newroot
is acting like /
Go into the build directory and make the install:
bin/sh-2.04# cd /build/apache_1.3.20
bin/sh-2.04# make install
Your version of apache is now installed, under the newroot. Leave
the sandbox, by typing 'exit' or Ctrl-d.
Make sure you own all the files in the newroot. Do a
# chown -R username /home/username/newroot
(replacing 'username' by your own username,
of course)
Now exit or Ctrl-d again, to leave your rootly powers behind and become
a lowly regular user once more.
$
Create the RPM
We can now create the RPM. The easiest way to do this is with the RUST
GUI. You can also use cRUST on the command line, for more info see the
section on cRUST or the crust(1)
manpage.
Run rust by selecting Development->rust from the GNOME menu or by simply using a console to
$ rust
Select the new root by clicking New Root->Select... and
entering our new root: /home/username/newroot
and clicking OK
Because we used cRUST to initialize the newroot, and because cRUST
uses md5 checksums by default (in order to detect modified
files), make sure you check the New
Root->Use MD5 sum menu item.
Set the properties for the package with Package->Properties...
in the menu.
Enter appropriate values for the RPM's name (Apache), version (1.3),
release (20), summary and description. Click OK
If you'd like to, you may save the current configuration by doing
a File->Save As... and selecting a name, such as apache.rust
Now select Package->Create... from the
menu or click the make RPM button. Rust will
now check newroot for files which have been added or modified. The program
needs to check the contents of all files in the tree, so this can take
a number of minutes depending on whether you used the --copy
or --fullcopy argument and how much stuff
is installed in the relevant directories on your computer.
When the dialog pops up, the process is finished and
you've created the personalized Apache RPM, which may be easily
installed and upgraded or removed from other machines.
You will find the RPM file in your home, under ~/rust/RPMS/i386/
Verify the contents of the package. Do a 'qlp' to list the contents:
$ rpm -qlp ~/rust/RPMS/i386/Apache-1.3-20.i386.rpm
You can clean the new root directory and reuse it later by doing a
$ crust --clean ~/newroot
2. Testing installation/verifying untrusted installs
As demonstrated above, doing a make install within the sandbox forces
the installation to proceed completely within the chrooted environment.
To do so, follow the instructions above, up to the install within the
sandbox. Once you've exited the chrooted environment, you can manually
inspect the newroot tree for added files or run
crust --diff /path/to/newroot
cRUST will produce a list of files added under newroot, and it can detect
files that have been modified, using md5 checksums. If your
interests are solely about security considerations, you may want to have a third-party program, such as Tripwire, do a more complete check on the newroot before and after the chrooted installation.
3. Tips
If you plan to use the sandbox a lot, it may be a good idea to fully
initialize a directory.
The --fullcopy option may be used instead of
--copy when initializing to make a more complete
mirror of the system under the new root (which will take up more space
on the harddrive).
Exactly which files and directories are copied into the new root is determined
by:
- the contents of the /usr/local/rust/conf/dirs*.list files (see the
rustdirs.conf(5) manpage):
rustdirs.conf
sets the directories to create on --init
rustdirs.cp.conf
indicates which directories and files to mirror in the new root when
--copy is
used
rustdirs.fullcp.conf
holds the directories and files which should be mirrored in
addition to those in dirs2cp.list, when --fullcopy
is used
- the -I or --include
options may be used to include other directories when initializing.
More details on these options may be found in the
section on cRUST.
If many users are going to be using the sandbox, it may be worthwhile
to make all the files and directories owned by some group, e.g. group 'rust',
and read/write/executable by this group. Then make the users that are
allowed to play in the sandbox part of the rust group (usermod
-G rust username).
You can reset which files are recognized as 'new' as opposed to those
comprising the base new root by redoing an --init,
doing:
$ crust --init --copy /path/to/newroot
$ cp myfile /path/to/newroot
$ crust --init /path/to/newroot
means that "myfile" will not be part of the next rpm and will not be removed with --clean.