
Exit from os.chroot()

Hello! I'm writing a small script and I need to call the os.chroot function. The problem is, a few lines below I need to call a program in /usr/bin. Is there a way to exit from the chroot, or to limit the chroot to a single function or thread?
Thanks in advance

Jun 27 '08 #1


support.intranet wrote:
> Hello! I'm writing a small script and I need to call the
> os.chroot function. The problem is, a few lines below I need to
> call a program in /usr/bin. Is there a way to exit from the
> chroot, or to limit the chroot to a single function or thread?
> Thanks in advance
No, chroot applies to the whole process and once applied it can't
be reverted. Otherwise the whole idea of chroot being a FS jail
would not work.

So you need some programs in your chroot: Then put a directory
usr/bin into the chroot directory and bind the system's /usr/bin
there:

mount --bind /usr/bin $chroot/usr/bin

The same has to be done with all library stuff. Another option
would be to place a statically linked busybox and its
subprogram links into the chroot.

Wolfgang Draxinger
--
E-Mail address works, Jabber: he******@jabber.org, ICQ: 134682867

Jun 27 '08 #2

On 4 Giu, 17:08, Wolfgang Draxinger <wdraxin...@darkstargames.de>
wrote:
> support.intranet wrote:
> > Hello! I'm writing a small script and I need to call the
> > os.chroot function. The problem is, a few lines below I need to
> > call a program in /usr/bin. Is there a way to exit from the
> > chroot, or to limit the chroot to a single function or thread?
> > Thanks in advance
>
> No, chroot applies to the whole process and once applied it can't
> be reverted. Otherwise the whole idea of chroot being a FS jail
> would not work.
>
> So you need some programs in your chroot: Then put a directory
> usr/bin into the chroot directory and bind the system's /usr/bin
> there:
>
> mount --bind /usr/bin $chroot/usr/bin
>
> The same has to be done with all library stuff. Another option
> would be to place a statically linked busybox and its
> subprogram links into the chroot.
>
> Wolfgang Draxinger
> --
> E-Mail address works, Jabber: hexar...@jabber.org, ICQ: 134682867
Thanks! I'll try the bind way
Jun 27 '08 #3

> So you need some programs in your chroot: Then put a directory
> usr/bin into the chroot directory and bind the system's /usr/bin
> there:
>
> mount --bind /usr/bin $chroot/usr/bin
It is better to make copies of the needed binaries and libraries,
and *only* them.
Or symbolic links, of course. Also, wouldn't links prevent
the process from puffing actual binaries in /usr/bin?
** Posted from http://www.teranews.com **
Jun 27 '08 #4

Thomas Bellman wrote:
> That might not be the best idea... Suddenly the chroot:ed
> program has access to the real /usr/bin; and since it likely is
> running as root (it was allowed to call chroot()), it can do bad
> things to the things in /usr/bin.
If a chrooted process is running as root, it can very easily break out
of the chroot anyway. So...
> Also remember, a chroot:ing process should permanently relinquish
> its privileges as soon as possible after chroot:ing. There are
> way too many fun things a root-running process can do even when
> chroot:ed, like creating device files or setuid binaries.
...this is imperative.
> All this is of course assuming that the chroot is done for
> security reasons.
But here's something that might be interesting:

http://kerneltrap.org/Linux/Abusing_chroot

Short story: chroot is not and never has been a security tool.

-- Remy

Jun 27 '08 #5
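The two pieces of advice in replies #4 and #5, copying only the needed binaries and libraries into the jail instead of bind-mounting the real /usr/bin, and permanently dropping root right after os.chroot(), put together in one script. This is an added example, not code from anyone in the thread; the jail path, the nobody uid/gid, the function names and the sample ldd output in the test are assumptions, and the final block must be run as root.

```python
"""Populate a minimal chroot with copies of the needed binaries and their libraries,
then enter it and permanently drop root. Added example; jail path, uid/gid and the
sample ldd output are assumptions."""
import os
import re
import shutil
import subprocess

# ldd prints "libc.so.6 => /lib/.../libc.so.6 (0x...)" or, for the loader, a bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; capture the absolute path in both shapes.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-f]+\)")

def parse_ldd(ldd_output: str) -> list[str]:
    """Library paths from ldd output; vdso / 'not found' lines have none and are skipped."""
    paths = []
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if m and m.group(1) not in paths:
            paths.append(m.group(1))
    return paths

def copy_into_jail(binary: str, root: str) -> list[str]:
    """Copy one binary and its libraries under root at their original absolute paths:
    'copies of the needed files, and only them', so the jail never sees the real /usr/bin."""
    ldd = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True)
    copied = []
    for src in [binary] + parse_ldd(ldd.stdout):
        dst = os.path.join(root, src.lstrip("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.realpath(src), dst)  # copy the real file, not a symlink
        copied.append(dst)
    return copied

def enter_jail(root: str, uid: int, gid: int) -> None:
    """chroot, then relinquish root for good. chdir('/') keeps the cwd inside the jail;
    drop groups, then gid, then uid, since each step needs the privilege the next gives up."""
    os.chroot(root)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:                      # a real drop cannot be undone
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privileges were not dropped")

if __name__ == "__main__":
    copy_into_jail("/usr/bin/id", "/tmp/jail")        # constructed jail path
    enter_jail("/tmp/jail", uid=65534, gid=65534)     # 'nobody' on many systems
    os.execv("/usr/bin/id", ["id"])                   # runs the copy, unprivileged
```

Once enter_jail() has returned, the process can no longer create device files or setuid binaries inside the jail, which is the point of Remy's "relinquish its privileges" advice.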
