Linux: how to run a command in a chroot jail not as root and without sudo?
Disclaimer: this page is a Chinese/English side-by-side translation of a popular StackOverFlow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/3737008/
How to run a command in a chroot jail not as root and without sudo?
Asked by BCS
I'm setting up a minimal chroot and want to avoid having sudo or su in it but still run my processes as non-root. This is a bit of a trick as running chroot requires root. I could write a program that does this that would look something like:
uid = LookupUser(args[username]) // no /etc/passwd in jail, so resolve the name before chroot
chroot(args[newroot])
cd("/")                          // move the cwd inside the new root
setuid(uid)                      // drop root only after the jail is entered
execve(args[exe:])
Is that my best bet or is there a standard tool that does that for me?
I rolled my own here:
Accepted answer by kamae
If you invoke chroot from root, the chroot option --userspec=USER:GROUP will run the command under the non-root UID/GID.
By the way, the option '--userspec' was first introduced in coreutils-7.5 according to the git repository git://git.sv.gnu.org/coreutils.
Answer by Eric Warmenhoven
fakechroot, in combination with fakeroot, will allow you to do this. They'll make all programs that are running act as if they're being run in a chroot as root, but they'll actually be running as you.
See also fakechroot's man page.
Answer by Corey Henderson
You can make use of Linux capabilities to give your binary the ability to call chroot() without being root. As an example, you can do this to the chroot binary. As non-root, normally you'd get this:
$ chroot /tmp/
chroot: cannot change root directory to /tmp/: Operation not permitted
But after you run the setcap command:
sudo setcap cap_sys_chroot+ep /usr/sbin/chroot
It will let you do the chroot call.
I don't recommend you do this to the system's chroot; instead do it to your own program and call chroot. That way you have more control over what is happening, and you can even drop the cap_sys_chroot privilege after you call it, so successive calls to chroot in your program will fail.
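The following is an added example, not code from the answer above: a small program that is meant to carry the file capability the answer describes (`setcap cap_sys_chroot+ep ./capchroot`), uses it once to enter the jail, and then removes CAP_SYS_CHROOT from its own effective, permitted and inheritable sets so that any later chroot() in the same process fails. It talks to the raw capget/capset syscalls so that it does not need libcap; it is Linux-only, and the program name `capchroot` and the usage `capchroot NEWROOT /path/in/jail [args...]` are assumptions of this example.

```c
/* Added example (not from the answer): use CAP_SYS_CHROOT once, then drop it.
 * Assumed usage: capchroot NEWROOT /path/in/jail [args...]
 * Grant the capability with: sudo setcap cap_sys_chroot+ep ./capchroot
 */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read the calling thread's capability sets (pid 0 = current thread). */
static int get_caps(struct __user_cap_data_struct data[2]) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &hdr, data);
}

/* 1 if CAP_SYS_CHROOT is in the effective set, 0 if not, -1 on error. */
int has_cap_sys_chroot(void) {
    struct __user_cap_data_struct data[2];
    if (get_caps(data) != 0) return -1;
    return (data[CAP_TO_INDEX(CAP_SYS_CHROOT)].effective & CAP_TO_MASK(CAP_SYS_CHROOT)) ? 1 : 0;
}

/* Remove CAP_SYS_CHROOT from the effective, permitted and inheritable sets.
 * Dropping a capability never requires privilege, so this succeeds for any
 * caller; once it leaves the permitted set it cannot be re-acquired without a
 * new execve of a file that carries it. capset() acts on the calling thread,
 * which is the whole process here because the program is single-threaded. */
int drop_cap_sys_chroot(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    unsigned idx = CAP_TO_INDEX(CAP_SYS_CHROOT), mask = CAP_TO_MASK(CAP_SYS_CHROOT);
    if (get_caps(data) != 0) return -1;
    data[idx].effective   &= ~mask;
    data[idx].permitted   &= ~mask;
    data[idx].inheritable &= ~mask;
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(int argc, char **argv, char **envp) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s NEWROOT /path/in/jail [args...]\n", argv[0]);
        return 2;
    }
    /* chroot() needs the capability; chdir("/") moves the cwd inside the jail. */
    if (chroot(argv[1]) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    /* From here on chroot() in this process fails with EPERM, even though the
     * file capability is still present on the binary on disk. */
    if (drop_cap_sys_chroot() != 0) { perror("capset"); return 1; }
    execve(argv[2], argv + 2, envp);   /* still running as the invoking user */
    perror("execve");                  /* reached only if the exec failed */
    return 127;
}
```

Note that this only removes the chroot capability; the jailed program keeps the caller's own uid and gid, which is exactly the point of granting a single capability instead of setuid root.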
Answer by jthill
A custom chrooter isn't at all hard to write:
#define _DEFAULT_SOURCE   /* exposes chroot() in <unistd.h> on current glibc; older name was _BSD_SOURCE */
#include <stdio.h>
#include <unistd.h>
const char newroot[]="/path/to/chroot";
int main(int c, char **v, char **e) {
  int rc; const char *m;
  if (c < 2) { fprintf(stderr, "usage: %s /path/inside/jail [args...]\n", v[0]); return 2; }
  if ( (m="chdir" ,rc=chdir(newroot)) == 0        /* cwd must end up inside the new root */
    && (m="chroot",rc=chroot(newroot)) == 0
    && (m="setuid",rc=setuid(getuid())) == 0 )    /* drop back to the invoking user's uid */
    m="execve", execve(v[1],v+1,e);               /* argv[0] of the jailed program is v[1] */
  perror(m);
  return 1;
}
Make that setuid root and owned by a custom group you add your favored user to (and no 'other' access).
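The following is an added example, not code from the question or from jthill's answer: a fuller setuid-root chrooter that follows the sketch in the question (look the user up before chroot, because the jail has no /etc/passwd) and the structure of jthill's program, but also clears supplementary groups, sets the gid before the uid, uses setresuid/setresgid so the saved ids cannot restore root, and verifies the drop before exec. The program name `chrooter` and the usage `chrooter NEWROOT USER /path/in/jail [args...]` are assumptions of this example; install it as jthill describes (root-owned, setuid, group-restricted, no 'other' access).

```c
/* Added example (not from the question or any answer): a setuid-root chrooter
 * that resolves the user before chroot(), enters the jail, drops privileges in
 * the right order and verifies the drop before exec.
 * Assumed usage: chrooter NEWROOT USER /path/in/jail [args...]
 */
#define _GNU_SOURCE   /* setresuid/setresgid, setgroups, chroot */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve USER in the host's passwd database. This must run before chroot():
 * a minimal jail has no /etc/passwd, which is the problem the question raises. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Enter the jail. The chdir("/") after chroot() is required: chroot() does not
 * move the working directory, and a cwd outside the new root is a way back out. */
int enter_jail(const char *newroot) {
    if (chroot(newroot) != 0) return -1;
    if (chdir("/") != 0) return -1;
    return 0;
}

/* Drop to UID/GID irreversibly: supplementary groups first (only root may clear
 * them; an unprivileged caller has nothing to clear), then gid, then uid, because
 * after setuid() to a non-root user the gid can no longer be changed. setres*id
 * set real, effective and saved ids together so seteuid(0) cannot restore root.
 * Returns 0 on success, -1 on a syscall error, -2 if verification shows the
 * process still holds root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -2;
    if (uid != 0 && setuid(0) == 0) return -2;   /* regaining root must fail now */
    return 0;
}

int main(int argc, char **argv, char **envp) {
    uid_t uid; gid_t gid; int rc;
    if (argc < 4) {
        fprintf(stderr, "usage: %s NEWROOT USER /path/in/jail [args...]\n", argv[0]);
        return 2;
    }
    if (resolve_user(argv[2], &uid, &gid) != 0) { fprintf(stderr, "unknown user: %s\n", argv[2]); return 1; }
    if (uid == 0) { fprintf(stderr, "refusing to run the jailed command as root\n"); return 1; }
    if (enter_jail(argv[1]) != 0) { perror("chroot"); return 1; }
    rc = drop_privileges(uid, gid);
    if (rc == -1) { perror("drop_privileges"); return 1; }
    if (rc == -2) { fprintf(stderr, "still privileged after dropping, aborting\n"); return 1; }
    execve(argv[3], argv + 3, envp);   /* argv[0] seen by the jailed program is its path */
    perror("execve");                  /* reached only if the exec failed */
    return 127;
}
```

The order of the calls is the whole point: the lookup happens while the host's /etc/passwd is still visible, chroot() happens while the process is still root, and the uid is the last thing given up, after groups and gid, because a non-root process cannot change them afterwards.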
Answer by mike510a
You could use Linux Containers to create a chroot environment that is in a totally different namespace (IPC, filesystem, and even network).
There is even LXD, which is able to manage the creation of image-based containers and configure them to run as unprivileged users, so that if the untrusted code manages to somehow escape the container, it will only be able to execute code as the unprivileged user and not as the system's root.
Search 'Linux Containers' and 'LXD' on your favorite search engine ;)