CHROOT Tutorial?

Tue Sep 18 23:37:09 UTC 2007

kalinix wrote:
> On Tue, 2007-09-18 at 16:31 -0500, Mike McCarty wrote:

[about CHROOT environment he created]

>>>>I see some consequences which are somewhat different from the
>>>>"normal" environment.

[...]

>>>(4) actually you don't have a true login shell so the home directory
>>>in /etc/passwd means nothing. The PWD will be the one you chrooted to
>>
>>It should be a login shell, if one uses login or su -.  Also,
>>if you note, the cd I did transferred me to the $HOME directory
>>in the chroot'ed environment. So, it does mean SOMETHING.
> 
> 
> It's a long debate... the simplest way to check is 'shopt'. If

No need for debate, I hope.

> login_shell is on then you are in a login shell... Mine is off.

Yes, it is for me, as well. However, the original shell is login.
The chroot command doesn't set the login shell option in the shell
it runs in the jailed environment. I suppose someone more adept
with starting shells could supply info on how to make that happen.
I tried to make the shell cd to the chrooted home, and couldn't
(in several minutes, anyway) figure out how to do it and still
run an interactive shell, even though I used -i.

> As for $HOME I guess you're right, although if I try cd I get an error.
> Maybe I should have an /etc/passwd in chrooted env.

The problem you face, I believe, is that the chroot'ed environment
does not *have* a /home/pajaro. I anticipated that, and that's
why I built /home/pajaro/home/pajaro. That puts a home directory
in the chroot'ed environment. I don't think that putting a
copy of /etc/passwd in the jailed environment would fix that.
It would, however, allow whoami and other tools like ls to
give translated user names as opposed to uids. IOW, it would
fix

	# ls -l
	total 4
	drwx------  2 502 502 4096 Sep 18 19:23 pajaro

At least the first 502 would be fixed. The second one would
require a copy of /etc/group.

I believe that there is a way to import the /etc directory,
or at least parts of it, into the jailed environment without
copying and having to maintain the copies in synch.

>>>Not to mention that you can easily break out from that jail.
>>
>>Would you care to elucidate?
> 
> It's not trivial, but still, a skilled person could do
> 
> 
> http://www.unixwiz.net/techtips/chroot-practices.html
> 
> 
> http://www.bpfh.net/simes/computing/chroot-break.html
> 
> a little bit outdated but I'm pretty sure there are many howtos out
> there waiting to be read :D

Ok, I'll have a look. Thanks!

[snip]

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!