View previous topic :: View next topic |
Author |
Message |
LIsLinuxIsSogood Veteran
Joined: 13 Feb 2016 Posts: 1179
|
Posted: Sat Sep 01, 2018 11:37 pm Post subject: Mounts in chroot environment |
|
|
Hi, I need some help here with chroot. Please help me to figure out if there is some answer to the problem of the Mounts
inside my chroot environment, I have two concerns 1 about the actual chroot and users/groups, the other is about mounts and the use of sudo
Issue 1 (chroot user): chroot can only be accessed from the command line via user root (using linux32 chroot /path/to/chroot /bin/bash)...of course. That is working fine to enter chroot, so I can later use su -l user to switch users to get to regular user. (But see Issue 2 below about sudo as regular user once inside the chroot). The attempt to chroot as a regular user yields the following for an error....
Code: | chroot: cannot change root directory to '/chroot/32bit-Gentoo/': Operation not permitted
|
The odd thing with this issue is that using SSH to connect as that user has a built in workaround for this since it is able to place me into the chroot using the following code snippet:
Code: | Match group chroots
#Match user root
X11Forwarding yes
AllowTcpForwarding no
ChrootDirectory /chroot/32bit-Gentoo
|
Issue 2 (mounts and sudo inside chroot): The second issue is when I go to use sudo, inside the chroot, and the mounts won't allow for it (by the way the mounts were done with a script as bind mounts according to the 32-bit chroot guide on the wiki, here's my script https://paste.pound-python.org/show/c4fdIFwsY4hqDK9mwpIW/ and here's what the mounts look like from inside the chroot https://paste.pound-python.org/show/XQIV07Q70EIB7Wnl4eRb/
And I think that must explain why sudo can't execute its code...according to this error message:
Code: | sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
|
|
|
Back to top |
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Sun Sep 02, 2018 12:35 am Post subject: |
|
|
chroot is a privileged system call, because clever use of chroot can confuse suid programs into doing things they should not. Theoretically, all such suid programs could be patched to check for dangerous environments before operating, but that would be time-consuming, so in practice, it is simply disallowed.
Your "workaround" with sshd works because sshd is privileged when it makes that call, and this is safe because only the system administrator can configure the chroot that sshd uses. As with many other things, the administrator could still use this insecurely, but if the administrator is competent and careful, it is safe.
Yes, sudo will not work properly when it is stored on a filesystem mounted nosuid. The option nosuid is specifically designed to prevent elevating programs, and sudo is designed specifically to be elevated. You should remove the nosuid flag on that filesystem, or refrain from using sudo (or su). |
|
Back to top |
|
|
LIsLinuxIsSogood Veteran
Joined: 13 Feb 2016 Posts: 1179
|
Posted: Mon Sep 03, 2018 7:05 pm Post subject: |
|
|
I am pleased to see that my post made sense, at least now I will remember (as I do forget to read manuals on all these programs, which is usually true for most things I own as well...ha, since I don't own the software though because of GPL or MIT license or what not it would make sense that I become familiar through that method. Thanks for clearing the confusion at least I am aware that the problem is "expected" under the given scenarios. As for the bind mounts themselves and why they are all nosuid, so that I will probably want to review how the script works, which I copied and used directly from the gentoo wiki about 32-bit chroot...we will see I already modified them once. But could I be correct to assume that the order for mounting that with the suid bits is first make sure the operating system is mounted that way, and then (also) make sure that the chroot is mounted in that way as well? |
|
Back to top |
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
|
Posted: Tue Sep 04, 2018 2:11 am Post subject: |
|
|
That's one way to solve it. If you don't specify otherwise, the bind mounts will inherit the mount options of the underlying mount. You probably stored the whole chroot filesystem in a directory on a nosuid mount. You can fix that with appropriate bind mount / remount trickery. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|