Chroot Linux
Voir :
Chroot Infinite BusyBox with systemd
- switch_root
libpam-chroot: /lib/security/pam_chroot.so
Voir fakeroot et consorts
- fakeroot
- fakeroot-ng
- proot
- rootlesskit (Linux-native “fake root” for rootless containers, but still slow)
Voir aussi :
- pivot_root
- Docker
- bwrap
- Firejail ex :
firejail --dns=8.8.8.8 firefox
- Procenv
chrootont.sh
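#!/usr/bin/env bash
# chrootont.sh — create the skeleton of a chroot tree under CHROOTDIR, mount
# the kernel virtual filesystems and a private /dev into it, and copy the
# host's basic /etc configuration. Must run as root (mount, mknod, chroot).
# Binaries and libraries are copied by the next snippets on this page.
#
# NOTE(review): a chroot is not an isolation boundary. With /proc, /sys and a
# writable /dev mounted inside, a root process in the jail is effectively root
# on the host; treat this as a build/test environment and use namespaces
# (pivot_root, bwrap, Docker, see the links above) when isolation matters.

# Overridable from the environment; the default is the path used elsewhere
# on this page.
CHROOTDIR=${CHROOTDIR:-/home/chroot}
# Every path below hangs off CHROOTDIR; refuse to run with an empty value.
: "${CHROOTDIR:?CHROOTDIR must not be empty}"

# Accounts whose /etc/passwd lines are copied into the jail. The original
# regex "^root:|^jibe:^sshd:" was missing a '|' and never matched sshd.
CHROOT_USERS=(root jibe sshd)

# -p makes the script re-runnable (plain mkdir failed on a second run).
# '/var/log' and '/etc/init.d' in the original list carried a leading '/',
# which only produced a harmless '//' in the path. dev/pts is created after
# the tmpfs is mounted on dev (the mount hides anything created below it).
mkdir -p -- "${CHROOTDIR}"/{dev,sys,proc,run,etc,etc/init.d,bin,lib,lib64,usr,var,var/run,var/log,var/lib,home,tmp,root}

# Kernel virtual filesystems (what makes the jail transparent to root).
mount -t sysfs sysfs "${CHROOTDIR}/sys"
mount -t proc proc "${CHROOTDIR}/proc"

# Private /dev: a tmpfs populated by hand with the handful of nodes needed.
mount -n -t tmpfs none "${CHROOTDIR}/dev"
mkdir -p -- "${CHROOTDIR}/dev/pts" "${CHROOTDIR}/dev/shm"
# gid=4 is kept from the original; it must be the gid of the 'tty' group
# seen inside the jail (getent group tty) — TODO confirm, Debian base-passwd
# assigns tty gid 5.
mount -vt devpts -o gid=4,mode=620 none "${CHROOTDIR}/dev/pts"
mount -vt tmpfs none "${CHROOTDIR}/dev/shm"

# Device nodes (type, major, minor as in the original). console keeps the
# original mode 622 — TODO confirm: it grants group/other write, whereas
# LFS-style guides create it 600.
mknod -m 622 "${CHROOTDIR}/dev/console" c 5 1
mknod -m 666 "${CHROOTDIR}/dev/null"    c 1 3
mknod -m 666 "${CHROOTDIR}/dev/zero"    c 1 5
mknod -m 666 "${CHROOTDIR}/dev/ptmx"    c 5 2
mknod -m 666 "${CHROOTDIR}/dev/tty"     c 5 0
mknod -m 444 "${CHROOTDIR}/dev/random"  c 1 8
mknod -m 444 "${CHROOTDIR}/dev/urandom" c 1 9
chown root:tty "${CHROOTDIR}"/dev/{console,ptmx,tty}
#mknod -m 600 "${CHROOTDIR}/dev/rtc" c 254 0

# Host configuration the jail needs for name resolution, login and shells.
# A file absent on this host (gai.conf, environment, ...) is skipped with a
# warning instead of aborting the rest of the setup.
for f in hosts hostname resolv.conf nsswitch.conf host.conf gai.conf profile environment; do
  if [[ -e "/etc/${f}" ]]; then
    cp -p -- "/etc/${f}" "${CHROOTDIR}/etc/"
  else
    printf 'warn: /etc/%s not found, skipped\n' "$f" >&2
  fi
done
touch -- "${CHROOTDIR}/etc/fstab"
mkdir -p -- "${CHROOTDIR}/etc/network" "${CHROOTDIR}/etc/default"
cp -p -- /etc/network/interfaces "${CHROOTDIR}/etc/network/"
cp -p -- /etc/default/rsyslog /etc/default/ssh "${CHROOTDIR}/etc/default/"

# Minimal passwd: only the accounts listed above. /etc/group and /etc/shadow
# are not copied by any snippet on this page — TODO confirm that is intended.
# The subshell joins the array with '|' without touching the caller's IFS.
passwd_re="^($(IFS='|'; printf '%s' "${CHROOT_USERS[*]}")):"
grep -E -- "${passwd_re}" /etc/passwd > "${CHROOTDIR}/etc/passwd"

# Binaries the follow-up snippet copies into the jail ('exelist' was assigned
# but never used in the original; kept for that purpose).
# shellcheck disable=SC2034
exelist='ls mount ps bash dmesg vim tail'

# Enter the jail interactively. This only works once /bin/bash and its
# libraries are present (next snippet); the original called chroot twice,
# before bash had been copied in.
if [[ -x "${CHROOTDIR}/bin/bash" ]]; then
  chroot "${CHROOTDIR}" /bin/bash
else
  printf '%s/bin/bash missing: copy bash into the jail before entering it\n' "${CHROOTDIR}" >&2
fi
#mount -vt devpts -o gid=4,mode=620 none /dev/pts
#mount -vt tmpfs none /dev/shm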
Exemple avec bash
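#!/usr/bin/env bash
# Populate the jail built by chrootont.sh with bash, sshd, rsyslog and the
# authentication and locale files they read. Run as root after chrootont.sh.
#
# The original copied, by hand, the x86_64 library names that 'ldd /bin/bash'
# printed on one host (libncurses.so.5, libtinfo.so.5, ...), which breaks on
# any other release or architecture, and copied sshd into a /usr/sbin that
# was never created and without its libraries. copy_bin() below resolves the
# dependencies on the host it runs on.

CHROOTDIR=${CHROOTDIR:-/home/chroot}
: "${CHROOTDIR:?CHROOTDIR must not be empty}"
# Executables to install in the jail; the original handled only bash and sshd.
CHROOT_BINS=(/bin/bash /usr/sbin/sshd)

#######################################
# Copy one executable and every shared object 'ldd' resolves for it into the
# jail, keeping the host directory layout (lib64, lib/x86_64-linux-gnu, ...).
# ldd runs the dynamic loader on the file, so only pass host binaries you
# trust — here, the distribution's own.
# Globals:   CHROOTDIR (read)
# Arguments: $1 - absolute path of the executable on the host
# Returns:   1 if $1 is not an executable file, 0 otherwise
#######################################
copy_bin() {
  local exe=$1 dep
  if [[ ! -f "$exe" || ! -x "$exe" ]]; then
    printf 'copy_bin: %s: not an executable\n' "$exe" >&2
    return 1
  fi
  mkdir -p -- "${CHROOTDIR}${exe%/*}"
  cp -p -- "$exe" "${CHROOTDIR}${exe%/*}/"
  # ldd prints '<soname> => <path> (<addr>)' for libraries and '<path> (<addr>)'
  # for the loader itself; keep any field that is an absolute path. A
  # statically linked binary makes ldd print no paths and the loop runs zero times.
  while IFS= read -r dep; do
    [[ -e "$dep" ]] || continue
    mkdir -p -- "${CHROOTDIR}${dep%/*}"
    cp -p -- "$dep" "${CHROOTDIR}${dep%/*}/"
  done < <(ldd "$exe" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }')
  return 0
}

for exe in "${CHROOT_BINS[@]}"; do
  copy_bin "$exe"
done

# libnss_files is loaded at run time through NSS (passwd lookups), so ldd
# does not list it; copy it from wherever this host keeps it.
shopt -s nullglob
for nss in /lib/libnss_files.so.2 /lib64/libnss_files.so.2 /lib/*/libnss_files.so.2 /usr/lib/*/libnss_files.so.2; do
  mkdir -p -- "${CHROOTDIR}${nss%/*}"
  cp -p -- "$nss" "${CHROOTDIR}${nss%/*}/"
done
shopt -u nullglob

# Authentification: PAM stack, resource limits, login policy. /etc/shadow and
# /etc/group are not copied by any snippet on this page — TODO confirm whether
# password logins inside the jail are expected to work.
cp -a -- /etc/pam.* "${CHROOTDIR}/etc/"
cp -a -- /etc/security "${CHROOTDIR}/etc/"
cp -p -- /etc/login.defs /etc/securetty "${CHROOTDIR}/etc/"

# rsyslog: config, init script and modules. The original ran
# 'mkdir -p /var/spool/rsyslog' on the host; a daemon inside the jail can only
# see that directory if it exists inside the jail — TODO confirm, created there.
cp -a -- /etc/rsyslog.* "${CHROOTDIR}/etc/"
cp -p -- /etc/init.d/rsyslog "${CHROOTDIR}/etc/init.d/"
mkdir -p -- "${CHROOTDIR}/usr/lib" "${CHROOTDIR}/var/spool/rsyslog"
cp -a -- /usr/lib/rsyslog "${CHROOTDIR}/usr/lib/"

# sshd configuration. NOTE(review): this copies the host's private host keys
# (/etc/ssh/ssh_host_*_key) into the jail; if the jail is less trusted than
# the host, generate a separate key set for the jailed sshd instead.
cp -a -- /etc/ssh/ "${CHROOTDIR}/etc/"

# Locale
cp -a -- /usr/lib/locale "${CHROOTDIR}/usr/lib/"
#cp -a /usr/share/zoneinfo "${CHROOTDIR}/usr/share/"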
Pour top, atop
'xterm': unknown terminal type
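#!/usr/bin/env bash
# Finish the jail: terminfo (top/atop need it, otherwise "'xterm': unknown
# terminal type"), log files, the jailed user's home, sticky /tmp and the
# ssh init script. Run as root after the previous snippets.
CHROOTDIR=${CHROOTDIR:-/home/chroot}
: "${CHROOTDIR:?CHROOTDIR must not be empty}"
# The unprivileged account that lives in the jail (the page uses 'jibe').
CHROOT_USER=${CHROOT_USER:-jibe}

cp -a -- /lib/terminfo "${CHROOTDIR}/lib/"

# Empty log files so login/rsyslog/sshd inside the jail can append to them.
touch -- "${CHROOTDIR}"/var/log/{wtmp,auth.log,messages,syslog,kern.log,daemon.log,lastlog}

# Home directory from /etc/skel. Copying '/etc/skel/.' into an existing
# directory keeps this idempotent; the original 'cp -r /etc/skel <home>'
# nested a second 'skel' subdirectory when rerun.
home="${CHROOTDIR}/home/${CHROOT_USER}"
mkdir -p -- "$home"
cp -r -- /etc/skel/. "$home"
# .Xauthority holds the X session cookie: keep it private to the user
# (a bare touch leaves it readable by others under the usual 022 umask).
touch -- "${home}/.Xauthority"
chmod 600 -- "${home}/.Xauthority"
chown -R -- "${CHROOT_USER}:" "$home"

# Sticky, world-writable /tmp. The original ran 'chroot $CHROOTDIR chmod 1777
# /home/chroot/tmp', a path that does not exist inside the jail; the host-side
# path is the same directory and needs no chroot.
chmod 1777 -- "${CHROOTDIR}/tmp"

#mkdir -p /var/cache/apt/archives/
cp -p -- /etc/init.d/ssh "${CHROOTDIR}/etc/init.d/"
# For the init scripts (services)
cp -a -- /lib/lsb "${CHROOTDIR}/lib/"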
Truc ?
/etc/passwd
chroot:x:1010:1015:,,,:/home/chroot:/usr/local/bin/chrootshell
/usr/local/bin/chrootshell
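#!/bin/bash
# /usr/local/bin/chrootshell — login shell of the 'chroot' account (see the
# /etc/passwd line above): enter the jail as root through sudo, then drop to
# the jailed user with 'su -'. Relies on the sudoers rule shown below.
#
# The original built the jail path from $USER, a value inherited from the
# caller's environment rather than looked up from the account, so whoever
# controls that environment chooses the directory given to chroot. The path
# is fixed here to the account's home; adjust CHROOT_JAIL if the account moves.
# The sudoers rule 'chroot ALL=(root) NOPASSWD: /usr/sbin/chroot' accepts any
# arguments; restrict it to exactly the command line below so the account
# cannot run /usr/sbin/chroot with other arguments as root.
readonly CHROOT_JAIL=/home/chroot
readonly JAIL_USER=jibe

# 'exec' replaces this wrapper so no unjailed shell lingers behind the
# session; 'su - <user>' stays a single -c argument, as in the original.
exec sudo /usr/sbin/chroot "${CHROOT_JAIL}" /bin/bash -c "su - ${JAIL_USER}"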
http://smhteam.info/wiki/index.linux.php5?wiki=ChrooterUnUtilisateur
# NOTE(review): this rule has no argument restriction, so the 'chroot' account
# may run /usr/sbin/chroot as root with any directory and any command, which
# is as good as unrestricted root. sudoers matches arguments literally:
# restrict the rule to the exact command line used by /usr/local/bin/chrootshell.
chroot ALL=(root) NOPASSWD: /usr/sbin/chroot
ATTENTION Grosse faille de sécurité que je n'explique pas (peut-être liée à PAM ou systemd) : si l'utilisateur ouvre une session graphique avec le compte chrooté, chaque appli graphique sort du chroot. Malgré mon noyau patché avec Grsecurity.
# Character device for the getty below (major 4, minor 8 = tty8), created from
# the host side of the jail. Mode 666 is kept from the original — TODO confirm
# the intended permissions; login normally re-owns the tty to the session user.
mknod -m 666 /home/chroot/dev/tty8 c 4 8
Dans le chroot
# Run inside the jail: start a login prompt on the tty8 node created above.
/sbin/getty 38400 tty8
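#!/usr/bin/env bash
# Tear down the jail mounted by chrootont.sh: unmount its kernel filesystems
# and private /dev (innermost first), then remove the now-empty mount
# directories. Run as root. The populated tree (etc, bin, lib, home, ...) is
# left in place: the original's 'rmdir ${CHROOTDIR}' could never succeed on
# it, and its 'umount /chroot/*' referred to a different path altogether.
CHROOTDIR=${CHROOTDIR:-/home/chroot}
# :? aborts on an empty value so nothing below can ever apply to '/'.
: "${CHROOTDIR:?CHROOTDIR must not be empty}"

# dev/shm and dev/pts live inside the dev tmpfs and must go before it; the
# original skipped dev/shm, which left dev busy. 'run' is never mounted by
# chrootont.sh but is kept for trees that did mount it.
for sub in dev/shm dev/pts dev sys proc run; do
  mp="${CHROOTDIR}/${sub}"
  if mountpoint -q -- "$mp"; then
    umount -- "$mp" || printf 'warn: could not unmount %s\n' "$mp" >&2
  fi
done

# Remove only the (now empty) mount directories; rmdir reports any that are
# still busy or non-empty.
for sub in dev/shm dev/pts dev sys proc run; do
  d="${CHROOTDIR}/${sub}"
  if [[ -d "$d" ]]; then
    rmdir -- "$d"
  fi
done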
Comment savoir si je suis dans un chroot ?
Les numéros d'inodes peuvent être un indice
# Print the inode number of '/'. Inside a chroot it is the inode of a
# subdirectory of the real filesystem, so comparing it with the value seen
# on the host is the hint mentioned above.
ls -id /
Voir http://stackoverflow.com/questions/75182/detecting-a-chroot-jail-from-within
Firejail
Voir : https://firejail.wordpress.com/documentation-2/firefox-guide/
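# Run firefox under Firejail's seccomp filter with debug output ('firefail'
# in the original was a typo for the firejail binary).
firejail --seccomp --debug firefox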
Mount kernel virtual file systems
Source : https://git.yoctoproject.org/poky/plain/meta/recipes-core/initscripts/initscripts-1.0/sysfs.sh
sysfs.sh
#!/bin/sh
#
# SPDX-License-Identifier: GPL-2.0-only
#
### BEGIN INIT INFO
# Provides:          mountvirtfs
# Required-Start:
# Required-Stop:
# Default-Start:     S
# Default-Stop:
# Short-Description: Mount kernel virtual file systems.
# Description:       Mount initial set of virtual filesystems the kernel
#                    provides and that are required by everything.
### END INIT INFO

# Each filesystem is mounted only when its mount point exists, the running
# kernel advertises the type in /proc/filesystems and, where there is a cheap
# marker to look at, it is not mounted already. Nothing here aborts on
# failure: a missing optional filesystem must not stop the boot.

# Does the running kernel list filesystem type $1 in /proc/filesystems?
kernel_has_fs() {
  grep -q "$1" /proc/filesystems
}

# mount -t $1 $1 $2: for pseudo filesystems the type name doubles as the
# source. Any further arguments are passed to mount ahead of -t.
mount_virtual() {
  fstype=$1
  target=$2
  shift 2
  mount "$@" -t "$fstype" "$fstype" "$target"
}

# proc comes first: every /proc/filesystems check below depends on it.
if [ -e /proc ] && ! [ -e /proc/mounts ]; then
  mount_virtual proc /proc
fi

if [ -e /sys ] && kernel_has_fs sysfs && ! [ -e /sys/class ]; then
  mount_virtual sysfs /sys
fi

if [ -e /sys/kernel/debug ] && kernel_has_fs debugfs; then
  mount_virtual debugfs /sys/kernel/debug
fi

if [ -e /sys/kernel/config ] && kernel_has_fs configfs; then
  mount_virtual configfs /sys/kernel/config
fi

if [ -e /sys/firmware/efi/efivars ] && kernel_has_fs efivarfs; then
  mount_virtual efivarfs /sys/firmware/efi/efivars
fi

# An existing /dev/zero is taken as the sign that /dev is already populated;
# -n tells mount not to write /etc/mtab this early in the boot.
if ! [ -e /dev/zero ] && [ -e /dev ] && kernel_has_fs devtmpfs; then
  mount_virtual devtmpfs /dev -n
fi
