Installing Arch Linux ARM alongside Android without chroot
Contents:
- Create the chroot
- Without superuser privileges
- Mounting pseudo filesystems
- Using piuparts
- Why Install Linux on Your Android Device?
- Getting and installing debootstrap
- Populating the chroot
- Tips and tricks
- Notes
- Configuration
- Identity management
- chroot command examples
- When should chroot not be used?
- Setting up a dchroot (non-root) environment
- Setting up your chroot with debootstrap
- A note about chrooting apps on Linux or Unix-like systems
- Apt package caching
- Unknown key B4C86482705A2CE1
Create the chroot
To get started, so that you can build packages for Debian unstable, run the following:
sudo apt-get install sbuild schroot debootstrap
sudo sbuild-adduser $LOGNAME
cp /usr/share/doc/sbuild/examples/example.sbuildrc $HOME/.sbuildrc   # copy the example config into your home as suggested
sudo apt install apt-cacher-ng
... *logout* and *re-login*, or use `newgrp sbuild` in your current shell
sudo sbuild-createchroot --include=eatmydata,ccache,gnupg unstable /srv/chroot/unstable-amd64-sbuild http://127.0.0.1:3142/deb.debian.org/debian
Now for a brief explanation of what these commands do.
- Install sbuild onto the system.
- Add your username so that it may use the sbuild command. Additional users may be added by running sudo sbuild-adduser USER1 USER2 .... sbuild-adduser will prompt you to copy the template sbuild configuration in /usr/share/doc/sbuild/examples/example.sbuildrc to each user’s ~/.sbuildrc, to be used as their user sbuild configuration. You can customize sbuild settings here, but you usually won’t need to customize anything. This should be done once per user.
- Copy the sbuild template configuration to your home folder.
- Install apt-cacher-ng, to cache the packages fetched during your sbuild usage.
- Update the active user group set to include sbuild.
- Use sbuild-createchroot to create a chroot used by sbuild, meant for building packages targeting Debian unstable main.
The chroot is saved in /srv/chroot/unstable-amd64-sbuild. It installs the packages ccache and eatmydata in the chroot in case you want to use some of the enhancements detailed below. The apt repository used is the mirror service http://deb.debian.org/debian, reached through apt-cacher-ng, which will choose a suitable local mirror automatically. This can be changed to the URL of a different mirror of the Debian archive. You can run this command once per distribution you want, and pass --arch=i386 to create a chroot for a different architecture (the default is your host architecture).
The command given above creates a type=directory chroot. If you are short of disc space, you can instead use the following command to create a chroot stored in a tarball at /srv/chroot/unstable-amd64-sbuild.tar.gz. This is not recommended unless you really can’t spare the disc space, because several of the enhancements below depend on using a type=directory chroot.
sudo sbuild-createchroot --make-sbuild-tarball=/srv/chroot/unstable-amd64-sbuild.tar.gz unstable `mktemp -d` http://deb.debian.org/debian
Without superuser privileges
chroot requires superuser privileges, which may be undesirable. However, there are several ways to simulate chroot using alternative implementations.
PRoot
PRoot can be used to change the root directory without superuser privileges. This is useful for restricting an application’s access to a single directory, or for running programs built for a different architecture. PRoot does have limitations stemming from the fact that all files belong to the user on the host system. PRoot provides an option that can be used as a workaround for these limitations, on the same principle (though more limited) as fakeroot.
Fakechroot
Fakechroot is a small shim library that intercepts the chroot system call and simulates the system’s behaviour without actually performing the real call (for which there are no privileges anyway). It can be used together with fakeroot to create the appearance that the chroot is being run by the superuser:
$ fakechroot fakeroot chroot ~/my-chroot bash
Mounting pseudo filesystems
/proc
If the system is not fully functional, check that /proc is present in the chroot. From the debootstrap version shipped in Debian/Wheezy onward, mounting /proc and /sys is built in natively.
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
/dev/pts
It is also recommended to bind-mount /dev/pts. This prevents error messages such as "Must be connected to a terminal" or "Cannot access ‘/dev/pts/0’: No such file or directory" when using screen.
In that case, from the host system, run:
mount --bind /dev/pts /srv/chroot/stretch/dev/pts
Default configuration
Generally the /etc/fstab file will look as follows:
# grep chroot /etc/fstab
/dev      /srv/chroot/stretch/dev      auto bind 0 0
/dev/pts  /srv/chroot/stretch/dev/pts  auto bind 0 0
/proc     /srv/chroot/stretch/proc     auto bind 0 0
So "mount" on the host system will show:
# mount | grep chroot
/dev on /srv/chroot/stretch/dev type none (rw,bind)
/dev/pts on /srv/chroot/stretch/dev/pts type none (rw,bind)
/proc on /srv/chroot/stretch/proc type none (rw,bind)
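The mount steps above, turned into shell functions that can be run repeatedly without stacking mounts and that unmount in the right order before a chroot is deleted. This is an added example, not code from the original page: the chroot path /srv/chroot/stretch is the one the page uses, while the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): mount the pseudo filesystems a
# chroot needs, idempotently, and unmount them in reverse order.
# /srv/chroot/stretch is the chroot path used on the page; helper names are ours.

# is_mounted DIR: succeed if DIR is currently a mount point, by looking it up in
# /proc/self/mountinfo (field 5 is the mount point). Needs no mountpoint(1).
is_mounted() {
    dir=$1
    [ -r /proc/self/mountinfo ] || return 2
    awk -v d="$dir" '$5 == d { found = 1 } END { exit !found }' /proc/self/mountinfo
}

# chroot_mount ROOT: bind /dev, /dev/pts, /proc and /sys into ROOT, skipping
# anything already mounted so that running it twice does not stack mounts.
# Needs root.
chroot_mount() {
    root=$1
    for fs in /dev /dev/pts /proc /sys; do
        if is_mounted "$root$fs"; then
            echo "already mounted: $root$fs"
            continue
        fi
        mkdir -p "$root$fs"
        mount --bind "$fs" "$root$fs" || return 1
    done
}

# chroot_umount ROOT: undo chroot_mount in reverse order (/dev/pts before /dev).
# Always unmount before deleting anything under ROOT: with a bind mount still in
# place, rm -rf on ROOT/dev or ROOT/home deletes the host's files.
chroot_umount() {
    root=$1
    for fs in /sys /proc /dev/pts /dev; do
        if is_mounted "$root$fs"; then
            umount "$root$fs" || return 1
        fi
    done
}

# chroot_safe_to_delete ROOT: succeed only if nothing is mounted at or below ROOT.
chroot_safe_to_delete() {
    root=$1
    awk -v r="$root" 'index($5, r "/") == 1 || $5 == r { found = 1 } END { exit found }' /proc/self/mountinfo
}

# Usage (as root):
#   chroot_mount /srv/chroot/stretch
#   chroot /srv/chroot/stretch /bin/bash
#   chroot_umount /srv/chroot/stretch
#   chroot_safe_to_delete /srv/chroot/stretch && rm -rf /srv/chroot/stretch
```

The last helper is the guard the "ruined his system" note further down this page was missing: it refuses to let you delete a chroot tree while a bind mount still points into it.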
Using piuparts
The use of piuparts with sbuild is another feature meant to enhance the quality of Debian packages built with sbuild. To use piuparts, edit your ~/.sbuildrc configuration file. Open ~/.sbuildrc with your favorite text editor and edit the lines with the following variables.
$run_piuparts = 1;
$piuparts_opts = ;
The $run_piuparts variable will enable running piuparts after a successful build with sbuild.
The $piuparts_opts variable is an array of options to pass to piuparts. Here the options instruct piuparts to use sbuild chroot ‘/srv/chroot/unstable-amd64-sbuild’ as the chroot used in its testing of packages.
Why Install Linux on Your Android Device?
So why might you want a Linux desktop environment installed on your Android phone or tablet?
You may wish to run an app that isn’t available on Android. But in most cases, you’ll simply want to gain access to some sort of desktop environment. Maybe you have a spare Android tablet you want to revitalize, and installing Linux on it is a good way to do this.
Current Android devices have ideal hardware for a PC-like experience, and installing Linux is a great way to enable this.
Of course, you may find that the tasks you want to perform in Linux also work in Android. The only hurdle holding you back might be simultaneous Android app multitasking. Fortunately, this is a feature that many modern Android devices support on the latest OS versions.
Running Linux on an Android phone or tablet isn’t easy. If you’re looking for improved multitasking, try upgrading to a recent version of Android instead.
Getting and installing debootstrap
For the least pain and gnashing of teeth, please get the Ubuntu binary packages manually by downloading from the following links with the ‘wget’ command which is demonstrated below:
- http://archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_1.0.7~dapper1_all.deb (if you want a dapper chroot)
- http://archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_1.0.7~edgy1_all.deb (if you want an edgy chroot)
- http://archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_1.0.7~feisty1_all.deb (if you want a feisty chroot)
- http://archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_1.0.7~gutsy1_all.deb (if you want a gutsy chroot)
- http://archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_1.0.9~hardy1_all.deb (if you want a hardy chroot; if that’s not available go to http://archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/ and find the newest one)
Example: Terminal session wget-ing and installing the latest hardy debootstrap:
wget http://archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_1.0.9~hardy1_all.deb
sudo dpkg --install debootstrap_1.0.9~hardy1_all.deb
Note that if you are going to develop the next in-development version on the current stable release (e.g. you want a Quantal chroot on your Precise system), you will need to install debootstrap from backports. Once you’ve enabled backports (e.g. precise-backports), you’ll need to explicitly install the new debootstrap in Ubuntu versions on or after 11.04. E.g.
apt-get update
apt-get install -t precise-backports debootstrap
Now you can easily build Quantal chroots.
Populating the chroot
Now the system has to be installed into the chroot; simply type:
The --variant flag sets the type of chroot to build. The buildd variant means that the build tools found in the build-essential package are installed as well, "out of the box". More about the available options can be found with:
Look for the description of --variant. The --arch flag specifies the architecture of the guest system. If it differs from the host architecture, the --foreign flag is needed as well. After that, debootstrap has to be invoked a second time to complete the installation:
This command performs the installation, whereas in the case of differing architectures the first command only downloads the packages.
Note: do not forget the --foreign flag if the architectures of the two systems do not match.
Saucy in the command must match the name given in the schroot.conf file. The /test/ part of the command specifies the target directory, and the URL gives the address of the repository from which the requested files are downloaded. In fact, the format of this file is very similar to /etc/apt/sources.list. Afterwards you can view all the files that were downloaded and installed by inspecting the target directory.
As you can see, it looks like an ordinary filesystem, only deployed in a non-standard directory.
Tips and tricks
Write permissions
The ChrootDirectory path needs to be fully owned by root (and not writable by group or others, since sshd checks every component); files and subdirectories beneath it, however, do not have to be.
In the following example the user www-demo uses /srv/ssh/www/demo as the jail directory:
# mkdir /srv/ssh/www/demo/public_html
# chown www-demo:sftponly /srv/ssh/www/demo/public_html
# chmod 755 /srv/ssh/www/demo/public_html
The user should now be able to create files and subdirectories inside this directory. See File permissions and attributes for more information.
Logging
The chrooted user will not be able to access /dev/log, because the jail contains no such socket. This can be seen by tracing the system calls of the sftp process once the user connects and attempts to download a file.
Create sub directory
Create the dev sub-directory in the chroot, for example:
# mkdir /usr/local/chroot/user/dev
# chmod 755 /usr/local/chroot/user/dev
Now create the /dev/log socket inside the chroot, which will be used by openssh. You may bind-mount the host’s /dev/log socket onto it (or /run/systemd/journal/dev-log in case you’re using journald), or have your syslog daemon create it, as in the syslog-ng configuration below.
Bind to journald
# touch /usr/local/chroot/user/dev/log
# mount --bind /run/systemd/journal/dev-log /usr/local/chroot/user/dev/log
Syslog-ng configuration
Add a new source for the log to the syslog-ng configuration, for example change the section:
source src { unix-dgram("/dev/log"); internal(); file("/proc/kmsg"); };
to:
source src { unix-dgram("/dev/log"); internal(); file("/proc/kmsg"); unix-dgram("/usr/local/chroot/user/dev/log"); };
and append:
#sftp configuration
destination sftp { file("/var/log/sftp.log"); };
filter f_sftp { program("internal-sftp"); };
log { source(src); filter(f_sftp); destination(sftp); };
(Optional) If you would like to similarly log SSH messages to their own file:
#sshd configuration
destination ssh { file("/var/log/ssh.log"); };
filter f_ssh { program("sshd"); };
log { source(src); filter(f_ssh); destination(ssh); };
Notes
Some missing points are covered on this external article: http://ornellas.apanela.com/dokuwiki/pub:multiarch.
From: (unknown), Sun, 17 Apr 2005 05:43:14 +0100. Subject: Using symlinks for passwd, groups, shadow, etc..?
Wouldn’t it be possible to use symlinks for the files that get copied into the chroot? Like /etc/hosts? Would it work with /etc/passwd and the like?
Re: You can link into, but not out of, a chroot.
mv /etc/hosts /chroot/etc/hosts
ln -s ../chroot/etc/hosts /etc
... Using hardlinks is better.
From: Michael Shigorin, Sun, 17 Apr 2005 13:42:38 +0100. Subject: nope
...but you can mount --bind them one by one.
From: goofrider, Thu, 12 May 2005 19:26:45 +0100. Subject: chroot and symlinks
You can’t symlink from inside the chroot to somewhere outside of it, because once you chroot into it, the new chroot becomes the root, and all symlinks are resolved relative to this new root. Use mount --bind instead (though hard links should work too). GoofRider, 2005-05-12
From: Sam, Fri, 13 May 2005 09:22:44 +0100. Subject: mount -a
You can use $ sudo mount -a for mounting all the entries in fstab instead of mounting them one by one.
From: Lukasz Stelmach, Sun, 15 May 2005 00:06:59 +0100. Subject: Using symlinks
You can make a hardlink to the files (but only when your chroot dir is on the same partition):
ln /etc/passwd /var/chroot/etc/
From: Elmo, 21.12.05: Does anyone know how to enable DRI from inside a 32-bit chroot? If I mount --bind /dev/dri chroot/dev/dri I get the following error: "DDX driver parameter mismatch: got 848 bytes, but expected 840 bytes. libGL error: InitDriver failed" (glxinfo). I’d really like to get doom3 working on my amd64 install.
26.12.05, Elmo: I know it should work natively, but I have problems with other games as well, so getting DRI working from a chroot would be great =)
26.12.05, Elmo: On the debian-amd64 list (http://lists.debian.org/debian-amd64/2005/02/msg00807.html), around February 05, it is said that it’s not possible at the moment. Got to find another way around my problem; will probably post to the Ubuntu forums.
10.06.06 Just a note from a person who ruined his system: After all this is done do not go and delete things from /var/chroot willy-nilly as it will delete the files from the linked directory as well. I found this out only after my entire /home directory was wiped out when I tried to free up some disk space by deleting the files from the chroot directory. Thanks to my foolishness I emptied root’s trash before I realized what I’d done. It’s been a while since my last backup so I lost everything from Documents, etc for the last year or so.
From: Murray Cumming 06.10.05: I had to do «apt-get install language-pack-en» to avoid the «Locale not supported by C library.» warnings. Even «sudo dpkg-reconfigure locales» gave a «perl: warning: Setting locale failed.» error until I did this. And that was even after I did a whole «sudo apt-get ubuntu-desktop» in the chroot.
Almost all the schroot config is unhelpful and irrelevant. Adding three lines to schroot.conf completely removes the need to copy anything from/to /etc:
run-setup-scripts=true
run-exec-scripts=true
type=directory
These will cause schroot itself to copy the latest versions of the required files every time, and do all the required mounting to get /proc and /home working. Removes a LOT of effort and worry. And removes the risk of deleting your own home area due to stray bind mounts. directhex, 2007-09-21
Re: This is the best method. I see there are a few things missing from these scripts, the rbind (bind) stuff, etc. We should identify what is missing and try to get the setup scripts to cover these areas.
The dchroot stuff here is practically obsolete. I found that it is completely possible to create a working schroot environment that does not make an individual root. Also the default setup appears to work. I tried it out when I messed up my ubuntu server install. Now my setup is relatively safe. None of the fstab stuff is required at all. I may actually create a wiki page to help out for schroot in non-root setups.
Configuration
Set up the filesystem
Note:
- Readers may select a file access scheme on their own. For example, optionally create a subdirectory for an incoming (writable) space and/or a read-only space. This need not be done directly under the jail directory; it can be accomplished on the live partition, which will be mounted via a bind mount as well.
- It is also possible to chroot into the user’s home directory, thus skipping the bind mount; however, the home directory must then be owned by root:
# chown root:root /home/<username>
# chmod 0755 /home/<username>
Bind mount the live filesystem to be shared to this directory. In this example, /mnt/data/share is to be used, owned by root and with octal permissions 755:
# chown root:root /mnt/data/share
# chmod 755 /mnt/data/share
# mkdir -p /srv/ssh/jail
# mount -o bind /mnt/data/share /srv/ssh/jail
Add an entry to fstab to make the bind mount survive a reboot:
/mnt/data/share /srv/ssh/jail none bind 0 0
Create an unprivileged user
Note: You do not need to create a group; it is possible to match on the user (Match User) instead of the group (Match Group).
Create the user group:
# groupadd sftponly
Create a user that uses sftponly as its main group and has shell login access denied:
# useradd -g sftponly -s /usr/bin/nologin -d /srv/ssh/jail username
Set a (complex) password: a user created without one has a locked password field, which can make sshd refuse the login even with key authentication:
# passwd username
Configure OpenSSH
Note: You may want to use Match User instead of the Match Group given in the previous step.
/etc/ssh/sshd_config
Subsystem sftp /usr/lib/ssh/sftp-server
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication no
Restart sshd to apply the changes.
Tip: Use the verbose/debug mode of OpenSSH (ssh -v on the client, sshd -d on the server) in case of error(s).
With the standard path of AuthorizedKeysFile, SSH key authentication will fail for chrooted users. To fix this, prepend a root-owned directory to AuthorizedKeysFile, e.g. /etc/ssh/authorized_keys, as in this example:
/etc/ssh/sshd_config
AuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp /usr/lib/ssh/sftp-server
Create the authorized_keys folder, generate a key pair on the client, copy the contents of the public key to the server (with ssh-copy-id or any other preferred method) and restart sshd:
# mkdir /etc/ssh/authorized_keys
# chown root:root /etc/ssh/authorized_keys
# chmod 755 /etc/ssh/authorized_keys
# echo 'ssh-rsa <key> <username@host>' >> /etc/ssh/authorized_keys/username
# chmod 644 /etc/ssh/authorized_keys/username
Restart sshd.
Identity management
$ cat ~/.ssh/config
StrictHostKeyChecking no
Note that StrictHostKeyChecking no turns off host key verification altogether, so the client silently accepts a changed or spoofed host key; this is acceptable only in a lab. On a real network use StrictHostKeyChecking accept-new or distribute known_hosts entries in advance.
Password authentication
# apt install sshpass
# sshpass -p '123' ssh 172.16.1.13
server# sshpass -p cisco ssh switchN
server# sshpass -p cisco ssh switch1 sh int | grep line
A password given with -p is visible to every local user in the process list (ps); sshpass can also read it from a file (-f) or from the SSHPASS environment variable (-e), and either way this is lab-only tooling.
Authentication using SSH keys
gate# cat /etc/ssh/sshd_config
...
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
...
Key generation
user1@client1:~$ ssh-keygen
...
Enter passphrase (empty for no passphrase): password1
...
user1@client1:~$ ls .ssh/
user1@client1:~$ chmod 755 .
user1@client1:~$ chmod 700 .ssh/
user1@client1:~$ chmod 600 .ssh/authorized_keys
Distributing public keys
linux$ ssh-copy-id gate
freebsd$ ssh-copy-id -i .ssh/id_rsa.pub gate
manually
user1@client1$ ssh gate "mkdir .ssh"
user1@client1$ scp .ssh/id_rsa.pub gate:.ssh/authorized_keys
or
user1@client1$ cat .ssh/id_rsa.pub | ssh gate "cat >> .ssh/authorized_keys"
Note that the scp variant overwrites any authorized_keys already on gate, while the cat variant appends to it.
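The manual variants above either clobber the existing file or append blindly, and neither fixes the modes sshd insists on. The function below does what ssh-copy-id does on the remote side: append only if the key is not already present, and leave ~/.ssh and authorized_keys with the modes StrictModes requires. This is an added example, not code from the original page or from OpenSSH; the key line used in it is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original page: install a public key into
# ~/.ssh/authorized_keys the way ssh-copy-id does, as a function that can be run
# on the server (for instance over ssh). Appends instead of overwriting, skips
# keys already present, and sets the modes sshd's StrictModes requires.

# install_pubkey KEYLINE [HOME_DIR]: add KEYLINE to HOME_DIR/.ssh/authorized_keys.
# Prints "added" or "present"; returns 1 if KEYLINE does not look like a key.
install_pubkey() {
    key=$1
    home=${2:-$HOME}
    sshdir=$home/.ssh
    akf=$sshdir/authorized_keys
    # Require "<type> <base64> ..." with a recognised key type prefix.
    case $key in
        ssh-*" "*|ecdsa-sha2-*" "*|sk-*" "*) ;;
        *) echo "not a public key line: $key" >&2; return 1 ;;
    esac
    # Create directory and file with restrictive modes; the subshell keeps the
    # umask change local to this step.
    (umask 077; mkdir -p "$sshdir" && touch "$akf") || return 1
    chmod 700 "$sshdir"
    chmod 600 "$akf"
    # Match on type and blob only: the trailing comment may differ between copies.
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { f = 1 } END { exit !f }' "$akf"; then
        echo present
        return 0
    fi
    printf '%s\n' "$key" >> "$akf"
    echo added
}

# count_keys [HOME_DIR]: number of key lines, ignoring blank and comment lines.
count_keys() {
    akf=${1:-$HOME}/.ssh/authorized_keys
    [ -f "$akf" ] || { echo 0; return; }
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$akf"
}

# Usage on the server, pasting the line from the client's ~/.ssh/*.pub
# (placeholder key, not a real one):
#   install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotReal user1@client1'
```

Because the comparison ignores the comment field, re-running the same key with a different comment does not produce a duplicate entry, which is the behaviour you want when several machines push the same key.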
Using ssh-agent
user1@client1$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-JaQgNr4492/agent.4492; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4493; export SSH_AGENT_PID;
echo Agent pid 4493;
user1@client1$ SSH_AUTH_SOCK=/tmp/ssh-JaQgNr4492/agent.4492; export SSH_AUTH_SOCK;
user1@client1$ SSH_AGENT_PID=4493; export SSH_AGENT_PID;
or
user1@client1$ eval `ssh-agent -s`
user1@client1$ ssh-add
Enter passphrase for /root/.ssh/id_rsa:
...
gate# ssh-add -l
...
user1@client1$ ssh gate
Authentication using GSSAPI
Registering the service principal in the KDC and moving the service key to the server
Debian/Ubuntu (MIT)
root@server:~# kadmin.local
kadmin.local: addprinc -randkey host/gate.corpX.un
...
kadmin.local: listprincs
kadmin.local: ktadd -k gatehost.keytab host/gate.corpX.un
...
kadmin.local: quit
server# scp gatehost.keytab gate:
FreeBSD (Heimdal)
server# kadmin -l
kadmin> add -r host/gate.corpX.un
...
kadmin> list *
kadmin> ext -k gatehost.keytab host/gate.corpX.un
kadmin> quit
server# scp gatehost.keytab gate:
Microsoft Active Directory
Add a user in AD:
Login: gatehost
Password: Pa$$w0rd
Password never changes and never expires
C:\>ktpass -princ host/gate.corpX.un@CORPX.UN -mapuser gatehost -pass 'Pa$$w0rd' -out gatehost.keytab
C:\>setspn -L -U gatehost
C:\>pscp gatehost.keytab gate:
Adding the key to the system keytab
Debian/Ubuntu (MIT)
root@gate:~# ktutil
ktutil: rkt /root/gatehost.keytab
ktutil: list
ktutil: wkt /etc/krb5.keytab
ktutil: quit
root@gate:~# klist -ek /etc/krb5.keytab
FreeBSD (Heimdal)
gate# ktutil copy /root/gatehost.keytab /etc/krb5.keytab
gate# touch /etc/srvtab
gate# ktutil list
...
The keytab holds the host’s long-term Kerberos key: transfer it only over an authenticated channel, keep /etc/krb5.keytab readable by root alone, and remove the copy left in /root once it has been merged.
gate# cat /etc/ssh/sshd_config
...
GSSAPIAuthentication yes
...
client1# cat /etc/ssh/ssh_config
...
GSSAPIAuthentication yes
...
Configuring a Windows client (Centrify PuTTY) to use GSSAPI
Hostname: gate.corpX.un
SSH->Auth: Attempt "keyboard interactive": no
SSH->Kerberos: Attempt Kerberos Auth: yes
SSH->Kerberos: User name portion of user principal name: yes
Checking the setup:
gate# kinit -V -k -t /etc/krb5.keytab host/gate.corpX.un@CORPX.UN
user1@client1$ kinit
user1@client1$ kinit -S host/gate.corpX.un@CORPX.UN
or
user1@client1$ kvno host/gate.corpX.un@CORPX.UN
user1@client1$ ssh -vv gate.corpX.un
gate# /usr/sbin/sshd -d
chroot command examples
In this example, build a mini-jail for testing purposes with only the bash and ls commands. First, set the jail location using the mkdir command, create the directories inside $J, and copy /bin/bash and /bin/ls into $J/bin/ using the cp command. Then copy the required libs into $J. Use the ldd command to print the shared library dependencies for bash. Sample output:
linux-vdso.so.1 => (0x00007fff8d987000) libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000032f7a00000) libdl.so.2 => /lib64/libdl.so.2 (0x00000032f6e00000) libc.so.6 => /lib64/libc.so.6 (0x00000032f7200000) /lib64/ld-linux-x86-64.so.2 (0x00000032f6a00000)
Copy the libs into $J, following the above output. Sample output:
`/lib64/libtinfo.so.5' -> `/home/vivek/jail/lib64/libtinfo.so.5' `/lib64/libdl.so.2' -> `/home/vivek/jail/lib64/libdl.so.2' `/lib64/libc.so.6' -> `/home/vivek/jail/lib64/libc.so.6' `/lib64/ld-linux-x86-64.so.2' -> `/home/vivek/jail/lib64/ld-linux-x86-64.so.2'
Copy the required libs into $J for the ls command as well. Use the ldd command to print the shared library dependencies for ls. Sample output:
linux-vdso.so.1 => (0x00007fff68dff000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00000032f8a00000) librt.so.1 => /lib64/librt.so.1 (0x00000032f7a00000) libcap.so.2 => /lib64/libcap.so.2 (0x00000032fda00000) libacl.so.1 => /lib64/libacl.so.1 (0x00000032fbe00000) libc.so.6 => /lib64/libc.so.6 (0x00000032f7200000) libdl.so.2 => /lib64/libdl.so.2 (0x00000032f6e00000) /lib64/ld-linux-x86-64.so.2 (0x00000032f6a00000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00000032f7600000) libattr.so.1 => /lib64/libattr.so.1 (0x00000032f9600000)
You can copy the libs one by one, or use a bash for loop as follows (the mkdir keeps the original directory layout, e.g. /lib64/, inside the jail):
list="$(ldd /bin/ls | grep -o '/lib[^ ]*')"
for i in $list; do mkdir -p "$J$(dirname "$i")"; cp -v "$i" "$J$i"; done
Sample outputs:
`/lib64/libselinux.so.1' -> `/home/vivek/jail/lib64/libselinux.so.1' `/lib64/librt.so.1' -> `/home/vivek/jail/lib64/librt.so.1' `/lib64/libcap.so.2' -> `/home/vivek/jail/lib64/libcap.so.2' `/lib64/libacl.so.1' -> `/home/vivek/jail/lib64/libacl.so.1' `/lib64/libc.so.6' -> `/home/vivek/jail/lib64/libc.so.6' `/lib64/libdl.so.2' -> `/home/vivek/jail/lib64/libdl.so.2' `/lib64/ld-linux-x86-64.so.2' -> `/home/vivek/jail/lib64/ld-linux-x86-64.so.2' `/lib64/libpthread.so.0' -> `/home/vivek/jail/lib64/libpthread.so.0' `/lib64/libattr.so.1' -> `/home/vivek/jail/lib64/libattr.so.1'
Finally, chroot into your new jail and try browsing /etc or /var: the chrooted bash and ls are locked into the directory $J, unable to wander around the rest of the directory tree, and see that directory as their "/" (root) directory. This is a useful hardening measure if configured properly. I usually lock down the following applications using the same techniques:
- Apache – Red Hat / CentOS: Chroot Apache 2 Web Server
- Nginx – Linux nginx: Chroot (Jail) Setup
- Chroot Lighttpd web server on a Linux based system
- Chroot mail server.
- Chroot Bind DNS server and more.
Find out whether a service is in a chrooted jail or not
You can easily find out whether the Postfix mail server is chrooted using the following two commands:
pid=$(pidof -s master)
ls -ld /proc/$pid/root
Sample output from my Linux based server:
lrwxrwxrwx. 1 root root 0 Mar 9 11:16 /proc/8613/root -> /
The root of PID 8613 points to / (root), i.e. the root directory of the application has not been changed, so it is not chrooted. This is a quick and dirty way to find out whether an application is chrooted without opening configuration files. Here is another example, from a chrooted nginx server:
pid=$(pidof -s nginx)
ls -ld /proc/$pid/root
Sample output:
lrwxrwxrwx 1 nginx nginx 0 Mar 9 11:17 /proc/4233/root -> /nginxjail
The root directory of the application has been changed to /nginxjail. Run this check from the host, not from inside the jail: procfs shows the link relative to the reader’s own root, so a process inspecting itself from inside a chroot will always see "/".
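The mini-jail procedure and the /proc/PID/root check above as shell functions, added here as an example rather than taken from the original page. The jail layout ($J/bin, $J/lib64) follows the page; the function names and the sample ldd output embedded in the usage are ours.

```shell
#!/bin/sh
# Added example (not from the original page): build a minimal chroot jail from a
# binary plus the libraries ldd reports, and check whether a running process is
# chrooted by reading /proc/PID/root.

# ldd_libs: read ldd(1) output on stdin and print each library path once.
# Handles both "name => /path (addr)" lines and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (addr)"; the vdso line has no path and is skipped.
ldd_libs() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | LC_ALL=C sort -u
}

# build_jail JAIL BINARY...: copy each binary into JAIL/bin together with the
# libraries ldd reports, preserving their directory layout (e.g. /lib64/...).
build_jail() {
    jail=$1; shift
    mkdir -p "$jail/bin"
    for bin in "$@"; do
        cp "$bin" "$jail/bin/" || return 1
        # ldd fails for static binaries; then there is simply nothing to copy.
        ldd "$bin" 2>/dev/null | ldd_libs | while read -r lib; do
            mkdir -p "$jail$(dirname "$lib")"
            cp "$lib" "$jail$lib"
        done
    done
}

# proc_root PID: print what the process sees as "/", from our point of view.
# Anything other than "/" means the process is chrooted (or in another mount
# namespace). Run this from the host, not from inside the jail.
proc_root() {
    readlink "/proc/$1/root"
}

# is_chrooted PID: succeed if PID's root differs from ours.
is_chrooted() {
    [ "$(proc_root "$1")" != / ]
}

# Usage:
#   J=$HOME/jail
#   build_jail "$J" /bin/bash /bin/ls
#   sudo chroot "$J" /bin/bash        # then: ls /etc  -> no such directory
#   is_chrooted "$(pidof -s nginx)" && echo "nginx is chrooted"
```

Remember the page's own caveat about missing libraries: a binary that dlopen()s plugins at run time (PAM modules, NSS, GConv) will not show them in ldd output, and the jail will break the first time that code path is hit.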
When should chroot not be used?
A Linux chroot environment should not be relied on as a security boundary. In general, chroots can be used as an additional layer of security, but they are not isolated enough to serve as a complete defence for the system.
Of course, a chroot environment does create extra work for an unprivileged user; however, it should be regarded as a way to harden a server rather than as complete protection, since it can only reduce the number of attack vectors without providing full security. For users who need complete isolation, there are more robust solutions (Linux containers, Docker and the like).
Setting up a dchroot (non-root) environment
dchroot makes it possible to use your newly-built chroot even as a non-root user. Hence, you can configure your chroot environment in such a way that you can even use your existing /home as the chroot’s /home, thereby saving you some expensive moving in between homes, as well as making package building/testing a LOT more convenient.
To do this, first copy the user database into the chroot. The sed replaces every password hash in shadow with * so the chroot carries no real hashes (passwords for the chroot are set separately below):
sudo cp /etc/passwd /var/chroot/hardy/etc/
sudo sed 's/\([^:]*\):[^:]*:/\1:*:/' /etc/shadow | sudo tee /var/chroot/hardy/etc/shadow
sudo cp /etc/group /var/chroot/hardy/etc/
sudo cp /etc/hosts /var/chroot/hardy/etc/   # avoid sudo warnings when it tries to resolve the chroot's hostname
For a debian chroot, I also had to do:
sudo sed 's/\([^:]*\):[^:]*:/\1:*:/' /etc/gshadow | sudo tee /var/chroot/hardy/etc/gshadow
Then enable sudo and setup your passwords for root and the first sudo user in the admin group:
sudo cp /etc/sudoers /var/chroot/hardy/etc/
sudo chroot /var/chroot/hardy/
dpkg-reconfigure passwd
passwd <username of your first ubuntu user in the admin group>
Next, install the sudo package to be able to use it being in chroot:
apt-get install sudo
exit
Finish things up:
sudo editor /etc/fstab
This is like the previous instructions, but different. Add these lines: (/media/cdrom is optional, of course, and you might have to create the dir in the chroot)
/home          /var/chroot/hardy/home          none    bind     0 0
/tmp           /var/chroot/hardy/tmp           none    bind     0 0
/media/cdrom   /var/chroot/hardy/media/cdrom   none    bind     0 0
/dev           /var/chroot/hardy/dev           none    bind     0 0
proc-chroot    /var/chroot/hardy/proc          proc    defaults 0 0
devpts-chroot  /var/chroot/hardy/dev/pts       devpts  defaults 0 0
and delete these lines from before:
/proc           /var/chroot/hardy/proc           none rbind 0 0   # Can just be mounted, comments?
/dev            /var/chroot/hardy/dev            none rbind 0 0   # Good thing to do, but not secure.
/sys            /var/chroot/hardy/sys            none rbind 0 0   # Same as proc?
/tmp            /var/chroot/hardy/tmp            none rbind 0 0   # This opens a lot of doors, namely X sockets are here... DRI should work assuming bits match.
/home           /var/chroot/hardy/home           none rbind 0 0   # This is optional. As are the others, but this is more so.
/media          /var/chroot/hardy/media          none rbind 0 0   # Your USB stick.
/lib/modules    /var/chroot/hardy/lib/modules    none rbind 0 0   # You may need to load modules?? Think binfmt_misc.
/var/run/dbus/  /var/chroot/hardy/var/run/dbus/  none rbind 0 0   # Gnome likes this.
Mount them:
sudo mount -a
The default bash prompt includes chroot information (read from /etc/debian_chroot). To make it visible:
sudo chroot /var/chroot/hardy/
echo mychroot > etc/debian_chroot
exit
Set the chroot you just created in the dchroot.conf file
sudo editor /etc/dchroot.conf
Add the following to this file (if this is your first «dchroot» it will be a new, empty file; if there is more than one, the first item listed will be the default):
mychroot /var/chroot/hardy/
Now when you want to use your chroot (you may omit the -c mychroot if there’s only one, or you just want the first one in the file). The -d parameter means that your environment will be preserved, this is generally useful if you want chrooted applications to seamlessly use your X server, your session manager, etc.
dchroot -c mychroot -d
Tada! Now you can switch to and from your main and /var/chroot/, without even becoming root!
Shortcuts / Usage
You can type dchroot -d "command" and it executes that command in the chroot.
I have this script do_chroot in /usr/local/bin:
#!/bin/sh
/usr/bin/dchroot -d "`echo $0 | sed 's|^.*/||'` $*"
I had trouble with quoting in the above script. This one works better for me. ~JPKotta
#!/bin/sh
args=""
for i in "$@" ; do
    args="$args '$i'"
    #echo $args
done
/usr/bin/dchroot -d -- "$0" $args
Then I create a symbolic link from that to the command I want to execute in the chroot, e.g.:
ln -s /usr/local/bin/do_chroot /usr/local/bin/firefox
which will execute firefox in the chroot environment when I launch it in my normal 64-bit environment. To launch my amd64 firefox I can type /usr/bin/firefox.
Instead if you want you can just create a script for launching the 32bit firefox e.g.:
dchroot -d "firefox"
put it in /usr/local/bin and add it to the gnome menu.
If you’re going to start a program that only works in 32bit, first type dchroot -d and you’ll be in the 32 bit environment.
Setting up your chroot with debootstrap
If you want a 32-bit chroot on amd64, add --arch i386 to this command line. If you use the chroot to build packages, add --variant=buildd. Change hardy to dapper, edgy or feisty according to your needs, or leave it as is for a hardy chroot.
To actually install the base chroot, open a Terminal and do:
sudo debootstrap --variant=buildd --arch i386 hardy /var/chroot/hardy http://archive.ubuntu.com/ubuntu/
debootstrap will then build a Hardy Heron chroot in /var/chroot/hardy, getting the base packages from http://archive.ubuntu.com/ubuntu/, and, depending on the additional options given, build it for the given architecture and variant.
If debootstrap finishes successfully, you’ll be left with a base chroot in /var/chroot/hardy, which is not yet suitable for much. To actually get the chroot to work and be able to, say, grab packages from the network, do the following right after debootstrap:
sudo cp /etc/resolv.conf /var/chroot/hardy/etc/resolv.conf
sudo cp /etc/apt/sources.list /var/chroot/hardy/etc/apt/
sudo editor /var/chroot/hardy/etc/apt/sources.list
If your current distribution is different than your target distribution (i.e. you use Hardy and want a Gutsy chroot), change all of the occurrences of Hardy/Gutsy/Feisty/Edgy etc. to your target distribution.
sudo chroot /var/chroot/hardy
apt-get update
apt-get --no-install-recommends install wget debconf devscripts gnupg nano   # for package building
apt-get update                                   # clears the gpg error message
apt-get install locales dialog                   # if you don't talk en_US
locale-gen en_GB.UTF-8                           # or your preferred locale
tzselect; TZ='Continent/Country'; export TZ      # configure and use local time instead of UTC; save in .profile
exit
If you don’t want the locale warnings in your chroot, add this to your ~/.bashrc file:
export LANG=C
You can stop here if you want a simple chroot that you use as root (sudo chroot /var/chroot/hardy). If you want to use your chroot as another user and have access to your normal /home and other directories inside the chroot, continue.
Note for Debian chroot on Ubuntu
If you want to build a Debian chroot on an Ubuntu system you need to point it at a Debian archive:
sudo debootstrap --arch i386 sid sid/ http://ftp.uk.debian.org/debian/
A note about chrooting apps on Linux or Unix-like systems
Should you use the chroot feature all the time? In the above example the program is fairly simple, but you may end up with several kinds of problems, such as:
- Missing libs in the jail can result in a broken jail.
- Complex programs are difficult to chroot. I suggest you either try a real jail such as the one provided by FreeBSD, or use a virtualization solution such as KVM on Linux.
- An app running in a jail cannot run any other programs, cannot alter any files, and cannot assume another user’s identity. Loosen these restrictions and you have lessened your security, chroot or no chroot.
Also note that:
- Do not forget to update chrooted apps when you upgrade apps locally.
- Not every app can or should be chrooted.
- Any app which has to assume root privileges to operate is pointless to attempt to chroot, as root can generally escape a chroot.
- Chroot is not a silver bullet. Learn how to secure and harden the rest of the system too.
Apt package caching
To avoid downloading the same packages over and over again when building a package multiple times in a row, install the apt-cacher-ng package and use http://localhost:3142/debian as a proxy.
For an existing sbuild chroot, you can update your sources.list as follows:
sudo sbuild-shell source:unstable-$arch-sbuild
echo 'acquire::http::proxy "http://localhost:3142/debian";' >> /etc/apt/apt.conf.d/proxy
For new schroot, you can use this:
sudo apt install apt-cacher-ng
sudo sbuild-createchroot --include=eatmydata,ccache,gnupg unstable /srv/chroot/unstable-amd64-sbuild http://127.0.0.1:3142/deb.debian.org/debian
See also AptCacherNg for more details on how to configure the proxy.
Unknown key B4C86482705A2CE1
Debian’s package system has a chronic problem of missing signing keys, and of being unable to update the system once installed (if it installs in the first place). You will experience this with errors like Release signed by unknown key (key id B4C86482705A2CE1) and failures in Apt. If you find yourself fighting the Debian package system, you should (1) know you are not alone, and (2) visit the corresponding bug reports.
According to the bug, you are supposed to be able to fix it with one of the following. We know for certain the suggestions do not work under Debian Hurd (i386). We don’t expect it to work in other places either, like Sparc64.
apt-get install --reinstall debian-archive-keyring
Or
apt-get install --reinstall debian-ports-archive-keyring
Or
dpkg --force-depends -P debian-archive-keyring
dpkg -i /var/cache/apt/archives/debian-archive-keyring*
Or
cd /
apt-get update
Or
cd ~
apt-get update
Running Apt with --no-check-gpg and --allow-unauthenticated does not work either. Disabling signature verification would not be a fix in any case: an unauthenticated archive lets anyone on the network path substitute packages, so the keyring has to be repaired rather than bypassed.