Talk:Jail Dropbox

I have followed these excellent instructions to a tee and I get the following error: "jail: execve : No such file or directory". The first set of error messages found by strace are:

access("/etc/ld.so.preload", R_OK)     = -1 ENOENT (No such file or directory)
open("/chroot/dropbox/home/dropbox/.dropbox-dist/tls/x86_64/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/chroot/dropbox/home/dropbox/.dropbox-dist/tls/x86_64", 0x7fffb61a59d0) = -1 ENOENT (No such file or directory)
open("/chroot/dropbox/home/dropbox/.dropbox-dist/tls/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/chroot/dropbox/home/dropbox/.dropbox-dist/tls", 0x7fffb61a59d0) = -1 ENOENT (No such file or directory)
open("/chroot/dropbox/home/dropbox/.dropbox-dist/x86_64/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/chroot/dropbox/home/dropbox/.dropbox-dist/x86_64", 0x7fffb61a59d0) = -1 ENOENT (No such file or directory)
open("/chroot/dropbox/home/dropbox/.dropbox-dist/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/chroot/dropbox/home/dropbox/.dropbox-dist", {st_mode=S_IFDIR|0755, st_size=2552, ...}) = 0
open("/chroot/dropbox/home/dropbox/.dropbox-dist/../lib/tls/x86_64/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/chroot/dropbox/home/dropbox/.dropbox-dist/../lib/tls/x86_64", 0x7fffb61a59d0) = -1 ENOENT (No such file or directory)
open("/chroot/dropbox/home/dropbox/.dropbox-dist/../lib/tls/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/chroot/dropbox/home/dropbox/.dropbox-dist/../lib/tls", 0x7fffb61a59d0) = -1 ENOENT (No such file or directory)
open("/chroot/dropbox/home/dropbox/.dropbox-dist/../lib/x86_64/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/chroot/dropbox/home/dropbox/.dropbox-dist/../lib/x86_64", 0x7fffb61a59d0) = -1 ENOENT (No such file or directory)
open("/chroot/dropbox/home/dropbox/.dropbox-dist/../lib/libpthread.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/chroot/dropbox/home/dropbox/.dropbox-dist/../lib", 0x7fffb61a59d0) = -1 ENOENT (No such file or directory)

This version of dropbox worked on this system before I tried to jail it, by the way. Any ideas? --Jnorvell 05:02, 9 September 2010 (GMT)

Can't get this to work at all. The chroot part seems incomplete or inaccurate. I've added

MY_USERNAME MY_HOST=(dropbox) NOPASSWD: /usr/bin/jail -c /home/dropbox/.dropbox-dist/dropboxd

But the following (as user MY_USERNAME) does not work (prompts me for password!)

$ sudo -b -u dropbox -H -i /home/dropbox/.dropbox-dist/dropboxd

Shame - this tutorial seems almost there - except the bit that makes it work ;)

The fix for "jail: execve : No such file or directory" appears to be here: http://www.gentoo-wiki.info/Jail

A bit of editing, now it should work!
I followed the instructions, and found at least not a few mistakes. There was no discussion about mounting dev or proc into the jail. That leads to the following useless error:

Couldn't start Dropbox This is usually because of a permissions error. Errors can also be caused by your home folder being stored on a network share.

Get more help at https://www.dropbox.com/c/help/permissions_error?cl=en_US

I copied the strace binary into the jail, and examined the dump as the dropbox user. The first obvious error was:

open("/proc/meminfo", O_RDONLY)        = -1 ENOENT (No such file or directory)

which disappears when we mount proc. There are then errors involving dev, but I didn't bother to log them (they are resolved by mounting dev). A chroot jail security expert needs to review mounting dev and proc. However, merely copying device files will likely cause problems on reboot, and we need to dynamically interact with some processes I imagine, so if chroot jails can work at all safely, I guess this is a normal procedure (everyone had to do this to chroot when they installed Gentoo! How was this overlooked!!)

Another issue was that there was no reminder to re-copy resolv.conf into the jail if the network changes. That note is now in two places.

Finally, the Python shared objects _md5.so and _sha.so which need to be copied had the copy location set to the wrong place, and the instruction was not in the correct order. This needs to happen after we download and unpack dropbox, not before (and certainly putting them into the root tree makes no sense -- they should go into the dropbox home .dropbox-dist directory!)

I can confirm these instructions work, because once I got it working, I started from scratch, wrote a single shell script to do all the work, and after executing the shell script, copying the dropbox simple shell script, and writing a quick script to be called by the user, everything works over here. I will consider posting that shell script later, but it is about 155 lines. Probably it makes the most sense to just post a single shell script which is commented instead of giving this long list of instructions, which can either be typed incorrectly, or are anyway copy/pasted (so what's the point, just put a single script to do it all). Line by line instructions make sense when there are options the user may choose, but there are basically no options here, except where to install the chroot jail (and my shell script uses a variable for that). Of course, describing what we are doing line by line is useful, but that's what script comments are for ^_^

In fact, I wonder if it is worthwhile to submit the script to the maintainer of the dropbox portage ebuild, and add a USE flag for jail. It's probably a nice idea if all the Portage ebuilds which use binaries can have a jail USE flag and the option to automatically install the binaries into jails for security. Thoughts? Daid 08:59, 17 January 2012 (GMT)
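
An added example, not part of any post on this page and not Daid's script: a pre-flight check for the three things this thread found missing in the jail (libraries the binary needs, /proc and /dev mounts, a current resolv.conf). The function names, the MOUNTS and HOST_RESOLV variables and the sample ldd output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a chroot jail (all names are assumptions).
# Feed it `ldd` output for the jailed binary; run ldd only on binaries you trust.

# Constructed sample of ldd output for a 32-bit binary.
SAMPLE_LDD='    linux-gate.so.1 (0xb77a0000)
    libpthread.so.0 => /lib/libpthread.so.0 (0xb7760000)
    libc.so.6 => /lib/libc.so.6 (0xb75f0000)
    /lib/ld-linux.so.2 (0xb77a1000)'

# Print the first absolute path on each line of ldd-style output (stdin).
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Print each library from ldd output (stdin) that is absent under jail root $1.
# Paths already inside the jail (bundled libraries) are made jail-relative.
missing_libs() {
    jail=${1%/}
    ldd_paths | while read -r p; do
        case $p in "$jail"/*) p=${p#"$jail"} ;; esac
        [ -e "$jail$p" ] || printf '%s\n' "$p"
    done
}

# Succeed if $2 (e.g. /proc) is a mount point inside jail $1, according to
# the mounts table $3 (default: /proc/mounts).
jail_has_mount() {
    awk -v want="${1%/}$2" '$2 == want { found = 1 } END { exit !found }' \
        "${3:-/proc/mounts}"
}

# Succeed if the jail's resolv.conf is identical to the host copy $2.
resolv_in_sync() {
    cmp -s "${2:-/etc/resolv.conf}" "${1%/}/etc/resolv.conf"
}

# preflight JAIL: ldd output on stdin; prints each problem, returns 1 if any.
preflight() {
    rc=0
    miss=$(missing_libs "$1")
    [ -z "$miss" ] || { echo "missing in jail:"; echo "$miss"; rc=1; }
    for m in /proc /dev; do
        jail_has_mount "$1" "$m" "$MOUNTS" || { echo "$m not mounted in jail"; rc=1; }
    done
    resolv_in_sync "$1" "$HOST_RESOLV" || { echo "jail resolv.conf is stale"; rc=1; }
    return "$rc"
}
```

Typical use is `ldd BINARY | preflight /chroot/dropbox`, where BINARY stands for the ELF executable inside the jail.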

Shell script to just do it
Here is the shell script I wrote today, based on these instructions (with some improvements and changes of my own).

What the script does NOT do:

1) emerge jail (but it had depcheck)

2) useradd (simple enough anyway, and I don't want a script that makes users on someone's machine)

3) Make the handy little dropbox shell script to cd .dropbox-dist && ./dropboxd

Otherwise it should do everything else. It is assumed to be run by root or sudo.

There could be like one permission mistake or something. Can someone else test this and review it?

It is only for 32-bit since I have no 64-bit system to test on. Please change the environment variables at the top to suit you (I preferred putting the chroot into /var/chroot/dropbox)

The verbosity of output could be truncated, or in the best case done with tee or something into a log file. Let me know what people think. Daid 09:12, 17 January 2012 (GMT)