Jail Dropbox

Why should we secure the Dropbox daemon and jail it?
Since many applications today are closed-source, we cannot know exactly what such a program does. If, for any reason, you don't trust the program, you may want to limit its access to files and resources on your system. In this tutorial, we will do so for the daemon of the Dropbox synchronization service. More information about this service can be obtained on the website http://www.getdropbox.com/.

For more information about Chroot and Jail just look at the following sites:

Jail

http://en.wikipedia.org/wiki/Chroot

Configure jail environment
Add the program jail to your system. It will help you create your chrooted environment and add users to it.

First we have to add a new user to our system. This user will be "jailed" into our chrooted environment and not be able to see anything beyond those boundaries. Therefore it has no access to any files outside /chroot/dropbox/.

Our user will be named "dropbox" and reside in the group "users". Its home directory from our point of view will be /chroot/dropbox/. However, you can choose any folder you like. We just assume /chroot/dropbox in this tutorial. We will focus on its environment inside the jail later. Therefore, as privileged user, we will execute:

Now we create the directory for our chroot environment.

The next thing we have to do is add our user dropbox to the jail. Once more a program from app-misc/jail helps us to do the job. The syntax is as follows:

addjailuser chrootdir userdir usershell username

 * 1) chrootdir	The directory of the chrooted environment.
 * 2) userdir	The directory inside the chrooted environment where the user will live (i.e. ROOT=/chroot/dropbox); in this example, /home/dropbox. It is the home entry in the non-chrooted /etc/passwd file of the user.
 * 3) usershell	The user's shell full path (e.g. /bin/bash)
 * 4) username	The user's name.

Because the programs running in our chrooted environment don't have access to libraries and programs outside the jail, we have to create a new system environment in /chroot/dropbox/, i.e. /chroot/dropbox/etc /chroot/dropbox/lib ...

Adding programs and libraries to our new environment
The basic programs are going to be added by addjailsw.

Furthermore we need to add a lot of libraries by ourselves. Therefore, because we want to keep our commands as short as possible, we first change our working directory.

These are needed for Dropbox to work (32bit only!):

For 64bit systems your libraries directory is called lib64 instead of just lib, i.e.:

We now need some config files (32bit only!) Newer versions don't seem to need this! IGNORE:

But we do seem to need some python modules (make sure you pick the right one, only ONE!):

and the includes

We need fonts, otherwise everything looks ugly and is unreadable.

For dropbox to be able to resolve dns names, we have to add these libs (32bit only!):

For 64bit systems use:

and add this config file

Please keep in mind that the resolv.conf file is altered if your network connection changes (this is likely to happen with laptops, smart phones, and so on). You will need to copy the file each time it changes into the dropbox chroot jail. This is noted again below in Starting Dropbox.

For a better working environment, i.e. if you have to work as the jailed user in the chrooted environment, it is useful to do the following:

Fix permissions
It is possible that the permissions for the system directories in /chroot/dropbox aren't correct. If so, we have to fix that.

Add Dropbox to our environment

 * 1) Now we have to download the Dropbox generic Linux binaries: http://www.getdropbox.com/download?plat=lnx.x86 or (64bit version) http://www.dropbox.com/download/?plat=lnx.x86_64
 * 2) Un-tar them in /chroot/dropbox/home/dropbox

Then you will have a directory called .dropbox-dist/ in the user's home-directory.

We have to add two Python shared objects manually, since for whatever reason (I don't know :/ ) dropbox doesn't find the lib-dynload files _md5.so and _sha.so where we put them inside the chroot ...

The program dropboxd, which can be found in there, is the daemon for Dropbox, which synchronizes the data in a directory of your choice. However, that directory has to be in the chrooted environment, because dropboxd, when run as user dropbox, can't access other directories. It is advisable to choose the standard directory, i.e. /chroot/dropbox/home/dropbox/Dropbox

Change ownership of files
Before we execute dropboxd, we have to set the owner and group of the files correctly, i.e.

Of course, you as normal user want to have control over the Dropbox directory. Therefore we execute (if the directory does not exist, create it)

and can add a symlink to our home directory. For example:

Start Dropbox
We need to mount dev and proc into the jail before we can use the environment:

mount -t proc none /chroot/dropbox/proc
mount -o bind /dev /chroot/dropbox/dev

Otherwise, strace on dropboxd will give errors like "open("/proc/meminfo", O_RDONLY)        = -1 ENOENT (No such file or directory)"

There may be a more elegant way to do this without mounting all of dev and proc, but this works. I assume it is secure against chroot jail break, but an expert should confirm, and offer a workaround if it is a problem.

If we are on a system where the network is dynamic, such as a laptop, we probably need to copy the resolv.conf again (this was done during setup, but the network configuration likely changed):

cp /etc/resolv.conf /chroot/dropbox/etc/resolv.conf

NOTE: At the moment I only get it to work on the console ... no idea as of yet why the GUI doesn't pop up ... however, at least in my configuration, I only get it to start when I am in the .dropbox-dist folder, otherwise it complains about missing libssl-0.9.8.so or similar. Therefore I created a file called 'dropbox' in the home folder:

Furthermore, dropboxd needs access to your display to show the tray application. Without these rights the program crashes, at least in my attempts. Therefore the user who is logged in to KDE, GNOME, etc. has to execute

(if it is not installed), which will allow any non-network local connection to the X server.

Finally we edit our /etc/sudoers file, so that our normal user can execute dropboxd as our jailed user dropbox.

add this line:

then as your normal user, you can execute

Argument Description: execute in this shell
 * 1) -b means run in background
 * 2) -u run as user
 * 3) -H change some environment variables
 * 4) -i  start interactive shell and therefore change necessary environment variables, so that our program can run;

Probably we don't want to do these things every time, so here is a quick shell script to put into your path (it assumes you also set up the shell script above in the dropbox home directory to cd to .dropbox-dist and run dropboxd):

This script copies resolv.conf (if they differ), checks if proc is mounted to the jail (if not it mounts proc to the jail), checks if dev is mounted to the jail (if not it mounts dev to the jail), switches the user to dropbox, and runs the dropbox daemon. Simply issue Ctrl+C to kill the daemon. We should add a Ctrl+C trap which unmounts dev and proc perhaps.
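
A launcher with the behaviour this section describes, including the Ctrl+C trap it suggests, as an added example rather than the page's original script. It assumes it is run as root with `start` as its argument; the `JAIL` and `MOUNTS` variables, the function names and the exact `sudo` invocation are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original script. Run as root: mount needs it.
JAIL=${JAIL:-/chroot/dropbox}      # jail root used throughout this page
MOUNTS=${MOUNTS:-/proc/mounts}     # mount table; overridable so it can be tested

# Succeed if $1 is listed as a mount point in $MOUNTS.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$MOUNTS"
}

# Copy $1 over $2 only when their contents differ; report what happened.
sync_file() {
    if cmp -s "$1" "$2"; then
        echo unchanged
    else
        cp "$1" "$2" && echo copied
    fi
}

# Mount proc and dev into the jail unless they are already mounted there.
mount_jail() {
    is_mounted "$JAIL/proc" || mount -t proc none "$JAIL/proc"
    is_mounted "$JAIL/dev" || mount -o bind /dev "$JAIL/dev"
}

# Undo mount_jail so /dev and /proc are not left visible inside the jail.
umount_jail() {
    if is_mounted "$JAIL/dev"; then umount "$JAIL/dev"; fi
    if is_mounted "$JAIL/proc"; then umount "$JAIL/proc"; fi
}

start_dropbox() {
    sync_file /etc/resolv.conf "$JAIL/etc/resolv.conf" >/dev/null
    mount_jail
    trap umount_jail EXIT          # clean up however the script ends
    trap 'exit 130' INT TERM       # Ctrl+C: exit, which fires the EXIT trap
    # Assumption: the jailed user's login shell enters the chroot and
    # ./dropbox is the small launcher in its home directory described above.
    sudo -u dropbox -H -i ./dropbox
}

if [ "${1:-}" = "start" ]; then
    start_dropbox
fi
```

Unmounting on exit means /dev and /proc are only present in the jail while the daemon is running; if the daemon is still holding files open, umount reports the mount as busy and leaves it in place.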

First Use of DropBox
Since there is (as of yet) no GUI mode for jailed dropbox, a new user might be slightly confused how to link their new local dropbox with the dropbox account. First, run dropboxd as per above, logged in as the dropbox user to the dropbox chroot jail. This will complain the client is not linked to any account, and offer a link to click. This message will continue to appear every few seconds. DO NOT KILL THE DAEMON! Visit the assigned link in a web browser, log in to your DropBox account, and enter your password to confirm linking the client with your account. The output will look something like the following:

dropbox@titan ~/.dropbox-dist $ ./dropboxd
This client is not linked to any account...
Please visit https://www.dropbox.com/cli_link?host_id=xxx to link this machine.
This client is not linked to any account...
Please visit https://www.dropbox.com/cli_link?host_id=xxx to link this machine.
This client is not linked to any account...
Please visit https://www.dropbox.com/cli_link?host_id=xxx to link this machine.
This client is not linked to any account...
Please visit https://www.dropbox.com/cli_link?host_id=xxx to link this machine.
This client is not linked to any account...
Please visit https://www.dropbox.com/cli_link?host_id=xxx to link this machine.
Client successfully linked, Welcome Daid!
^C

If you inadvertently kill the dropboxd before completing the steps required by the link, you will need to do it again, because DropBox will discard the host-id. For the link to be successful, you must see the "Client successfully linked" message at the terminal.

Then the ~/Dropbox directory permission will be fixed to mode 700 regardless of its previous setting. If you are planning to access the Dropbox with your regular user, change the mode to suit your needs (such as 770 with your user in the 'users' group); this mode change will not affect the client/account linking.

Now you can test adding files to the Dropbox directory as you would normally add or move files in your Gentoo system, and they should immediately appear in your DropBox account.