Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

Mounts in chroot environment
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo
View previous topic :: View next topic  
Author Message
LIsLinuxIsSogood
Veteran
Veteran


Joined: 13 Feb 2016
Posts: 1179
PostPosted: Sat Sep 01, 2018 11:37 pm    Post subject: Mounts in chroot environment Reply with quote
Hi, I need some help here with chroot. Please help me to figure out if there is some answer to the problem of the Mounts

inside my chroot environment, I have two concerns 1 about the actual chroot and users/groups, the other is about mounts and the use of sudo

Issue 1 (chroot user): chroot can only be accessed from the command line via user root (using linux32 chroot /path/to/chroot /bin/bash)...of course. That is working fine to enter chroot, so I can later use su -l user to switch users to get to regular user. (But see Issue 2 below about sudo as regular user once inside the chroot). The attempt to chroot as a regular user yields the following for an error....
Code:
chroot: cannot change root directory to '/chroot/32bit-Gentoo/': Operation not permitted


The odd thing with this issue is that using SSH to connect as that user has a built in workaround for this since it is able to place me into the chroot using the following code snippet:
Code:
Match group chroots
#Match user root
        X11Forwarding yes
        AllowTcpForwarding no
        ChrootDirectory /chroot/32bit-Gentoo


Issue 2 (mounts and sudo inside chroot): The second issue is when I go to use sudo, inside the chroot, and the mounts won't allow for it (by the way the mounts were done with a script as bind mounts according to the 32-bit chroot guide on the wiki, here's my script https://paste.pound-python.org/show/c4fdIFwsY4hqDK9mwpIW/ and here's what the mounts look like from inside the chroot https://paste.pound-python.org/show/XQIV07Q70EIB7Wnl4eRb/

And I think that must explain why sudo can't execute its code...according to this error message:
Code:
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 21633
PostPosted: Sun Sep 02, 2018 12:35 am    Post subject: Reply with quote
chroot is a privileged system call, because clever use of chroot can confuse suid programs into doing things they should not. Theoretically, all such suid programs could be patched to check for dangerous environments before operating, but that would be time-consuming, so in practice, it is simply disallowed.

Your "workaround" with sshd works because sshd is privileged when it makes that call, and this is safe because only the system administrator can configure the chroot that sshd uses. As with many other things, the administrator could still use this insecurely, but if the administrator is competent and careful, it is safe.

Yes, sudo will not work properly when it is stored on a filesystem mounted nosuid. The option nosuid is specifically designed to prevent elevating programs, and sudo is designed specifically to be elevated. You should remove the nosuid flag on that filesystem, or refrain from using sudo (or su).
Back to top
View user's profile Send private message
LIsLinuxIsSogood
Veteran
Veteran


Joined: 13 Feb 2016
Posts: 1179
PostPosted: Mon Sep 03, 2018 7:05 pm    Post subject: Reply with quote
I am pleased to see that my post made sense, at least now I will remember (as I do forget to read manuals on all these programs, which is usually true for most things I own as well...ha, since I don't own the software though because of GPL or MIT license or what not it would make sense that I become familiar through that method. Thanks for clearing the confusion at least I am aware that the problem is "expected" under the given scenarios. As for the bind mounts themselves and why they are all nosuid, so that I will probably want to review how the script works, which I copied and used directly from the gentoo wiki about 32-bit chroot...we will see I already modified them once. But could I be correct to assume that the order for mounting that with the suid bits is first make sure the operating system is mounted that way, and then (also) make sure that the chroot is mounted in that way as well?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 21633
PostPosted: Tue Sep 04, 2018 2:11 am    Post subject: Reply with quote
That's one way to solve it. If you don't specify otherwise, the bind mounts will inherit the mount options of the underlying mount. You probably stored the whole chroot filesystem in a directory on a nosuid mount. You can fix that with appropriate bind mount / remount trickery.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy