{{tag>Brouillon Debian Linux Sécurité Chroot}}

# Chroot Linux

See:

* https://wiki.debian.org/fr/DontBreakDebian
* https://wiki.debian.org/fr/Chroot
* https://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.fr.html
* http://www.tldp.org/LDP/lfs/LFS-BOOK-6.1.1-HTML/chapter06/devices.html
* https://wiki.archlinux.org/index.php/change_root
* http://doc.ubuntu-fr.org/tutoriel/comment_restaurer_grub
* http://proot.me/
* http://dl.packetstormsecurity.net/papers/general/chroot_sshd_linux.pdf
* https://www.howtoforge.com/chroot_ssh_sftp_debian_etch
* http://www.kegel.com/crosstool/current/doc/chroot-login-howto.html

Chroot Infinite BusyBox with systemd:

* http://www.linuxjournal.com/content/infinite-busybox-systemd
* switch_root

libpam-chroot: ''/lib/security/pam_chroot.so''

* https://www.debian.org/doc/manuals/securing-debian-manual/sec-services.en.html#ssh-chroot
* http://singe.za.net/blog/archives/378-Linux-SSH-Jail-with-pam_chroot.html

See fakeroot and friends:

* fakeroot
* fakeroot-ng
* proot
* become-root
* rootlesskit (Linux-native "fake root" for rootless containers, but slow)

See also:

* pivot_root & switch_root
* [Debootstrap](https://wiki.debian.org/fr/Debootstrap)
* Docker
* bwrap
* [Firejail](https://wiki.archlinux.org/title/firejail)
  * e.g. ''firejail --dns=8.8.8.8 firefox''
* Procenv

''chrootont.sh''

~~~bash
#!/bin/bash
# Builds a minimal chroot tree under ${CHROOTDIR}. Must run as root (mount, mknod).
CHROOTDIR=/home/chroot
mkdir -p ${CHROOTDIR}
mkdir -p ${CHROOTDIR}/{dev,dev/pts,sys,proc,run,etc,bin,lib,lib64,usr,var,var/run,var/log,var/lib,etc/init.d,home,tmp,root}
mount -t sysfs /sys ${CHROOTDIR}/sys
mount -t proc proc ${CHROOTDIR}/proc
# /dev is a fresh tmpfs: only the device nodes created below exist inside the jail
mount -n -t tmpfs none ${CHROOTDIR}/dev
mkdir ${CHROOTDIR}/dev/pts
mkdir ${CHROOTDIR}/dev/shm
mount -vt devpts -o gid=4,mode=620 none ${CHROOTDIR}/dev/pts
mount -vt tmpfs none ${CHROOTDIR}/dev/shm
mknod -m 622 ${CHROOTDIR}/dev/console c 5 1
mknod -m 666 ${CHROOTDIR}/dev/null c 1 3
mknod -m 666 ${CHROOTDIR}/dev/zero c 1 5
mknod -m 666 ${CHROOTDIR}/dev/ptmx c 5 2
mknod -m 666 ${CHROOTDIR}/dev/tty c 5 0
mknod -m 444 ${CHROOTDIR}/dev/random c 1 8
mknod -m 444 ${CHROOTDIR}/dev/urandom c 1 9
chown root:tty ${CHROOTDIR}/dev/{console,ptmx,tty}
#mknod -m 600 ${CHROOTDIR}/dev/rtc c 254 0
# Name resolution and login environment
cp -p /etc/hosts /etc/hostname /etc/resolv.conf /etc/nsswitch.conf /etc/host.conf /etc/gai.conf /etc/profile /etc/environment ${CHROOTDIR}/etc/
touch ${CHROOTDIR}/etc/fstab
mkdir ${CHROOTDIR}/etc/network
cp -p /etc/network/interfaces ${CHROOTDIR}/etc/network
mkdir ${CHROOTDIR}/etc/default/
cp -p /etc/default/rsyslog ${CHROOTDIR}/etc/default/
cp -p /etc/default/ssh ${CHROOTDIR}/etc/default/
# Only the accounts that have to exist inside the jail
grep -E "^root:|^jibe:|^sshd:" /etc/passwd > ${CHROOTDIR}/etc/passwd
# Programs to install in the jail, each with its libraries (see the bash example below)
exelist='ls mount ps bash dmesg vim tail'
#mount -vt devpts -o gid=4,mode=620 none /dev/pts
#mount -vt tmpfs none /dev/shm
chroot ${CHROOTDIR} /bin/bash
~~~

## Example with bash

~~~bash
# ldd lists the shared libraries bash needs; each one is copied to the same path inside the jail
ldd /bin/bash
mkdir -p ${CHROOTDIR}/lib/x86_64-linux-gnu/
cp -p /lib/x86_64-linux-gnu/libncurses.so.5 ${CHROOTDIR}/lib/x86_64-linux-gnu/
cp -p /lib/x86_64-linux-gnu/libtinfo.so.5 ${CHROOTDIR}/lib/x86_64-linux-gnu/
cp -p /lib/x86_64-linux-gnu/libdl.so.2 ${CHROOTDIR}/lib/x86_64-linux-gnu/
cp -p /lib/x86_64-linux-gnu/libc.so.6 ${CHROOTDIR}/lib/x86_64-linux-gnu/
cp -p /lib64/ld-linux-x86-64.so.2 ${CHROOTDIR}/lib64/
cp -p /bin/bash ${CHROOTDIR}/bin/

# Authentication
cp -a /etc/pam.* ${CHROOTDIR}/etc/
cp -a /etc/security ${CHROOTDIR}/etc/
cp -p /etc/login.defs ${CHROOTDIR}/etc/
cp -p /etc/securetty ${CHROOTDIR}/etc/
cp -p /lib/x86_64-linux-gnu/libnss_files.so.2 ${CHROOTDIR}/lib/x86_64-linux-gnu/libnss_files.so.2

# rsyslog
cp -a /etc/rsyslog.* ${CHROOTDIR}/etc/
cp -p /etc/init.d/rsyslog ${CHROOTDIR}/etc/init.d/
mkdir -p ${CHROOTDIR}/usr/lib
cp -a /usr/lib/rsyslog ${CHROOTDIR}/usr/lib/
mkdir -p ${CHROOTDIR}/var/spool/rsyslog

# sshd
mkdir -p ${CHROOTDIR}/usr/sbin
cp -p /usr/sbin/sshd ${CHROOTDIR}/usr/sbin/
cp -a /etc/ssh/ ${CHROOTDIR}/etc/

# Locale
cp -a /usr/lib/locale ${CHROOTDIR}/usr/lib/
#cp -a /usr/share/zoneinfo ${CHROOTDIR}/usr/share/
~~~

For top and atop, which otherwise fail with:

~~~
'xterm': unknown terminal type
~~~

~~~bash
cp -a /lib/terminfo ${CHROOTDIR}/lib/
# Log files that rsyslog, sshd and login expect to exist
touch ${CHROOTDIR}/var/log/wtmp
touch ${CHROOTDIR}/var/log/auth.log
touch ${CHROOTDIR}/var/log/messages ${CHROOTDIR}/var/log/syslog ${CHROOTDIR}/var/log/kern.log ${CHROOTDIR}/var/log/daemon.log ${CHROOTDIR}/var/log/lastlog
# Home directory of the jailed user
cp -r /etc/skel ${CHROOTDIR}/home/jibe
touch ${CHROOTDIR}/home/jibe/.Xauthority
chown jibe: -R ${CHROOTDIR}/home/jibe
chmod 1777 ${CHROOTDIR}/tmp
#mkdir -p /var/cache/apt/archives/
cp -p /etc/init.d/ssh ${CHROOTDIR}/etc/init.d/
# For the init scripts (services)
cp -a /lib/lsb ${CHROOTDIR}/lib/
~~~

Trick: a login shell that enters the chroot.

''/etc/passwd''

~~~
chroot:x:1010:1015:,,,:/home/chroot:/usr/local/bin/chrootshell
~~~

''/usr/local/bin/chrootshell''

~~~bash
#! /bin/bash
#exec -c /usr/sbin/chroot /home/$USER /bin/bash
#sudo /usr/sbin/chroot /home/$USER /bin/bash
sudo /usr/sbin/chroot /home/$USER /bin/bash -c "su - jibe"
~~~

http://smhteam.info/wiki/index.linux.php5?wiki=ChrooterUnUtilisateur

In sudoers:

~~~
chroot ALL=(root) NOPASSWD: /usr/sbin/chroot
~~~

**WARNING** Big security hole that I cannot explain (perhaps related to PAM or systemd): if the user opens a graphical session with the chrooted account, every graphical application escapes the chroot. Despite my kernel being patched with Grsecurity.

~~~bash
mknod -m 666 /home/chroot/dev/tty8 c 4 8
~~~

Inside the chroot:

~~~bash
/sbin/getty 38400 tty8
~~~

Teardown:

~~~bash
CHROOTDIR=/home/chroot
# dev/shm and dev/pts must be unmounted before dev itself
umount ${CHROOTDIR}/{dev/pts,dev/shm,dev,sys,proc,run}
umount ${CHROOTDIR}
# rmdir only removes empty directories; the rest of the tree stays in place
rmdir ${CHROOTDIR}/{dev/pts,dev,sys,proc,run}
rmdir ${CHROOTDIR}
umount /chroot/*
~~~

### How can I tell whether I am inside a chroot?
Inode numbers can be a clue:

~~~bash
ls -id /
~~~

See http://stackoverflow.com/questions/75182/detecting-a-chroot-jail-from-within

## Firejail

See: https://firejail.wordpress.com/documentation-2/firefox-guide/

~~~bash
firejail --seccomp --debug firefox
~~~

## Mount kernel virtual file systems

Source: https://git.yoctoproject.org/poky/plain/meta/recipes-core/initscripts/initscripts-1.0/sysfs.sh

''sysfs.sh''

~~~bash
#!/bin/sh
#
# SPDX-License-Identifier: GPL-2.0-only
#
### BEGIN INIT INFO
# Provides:          mountvirtfs
# Required-Start:
# Required-Stop:
# Default-Start:     S
# Default-Stop:
# Short-Description: Mount kernel virtual file systems.
# Description:       Mount initial set of virtual filesystems the kernel
#                    provides and that are required by everything.
### END INIT INFO

if [ -e /proc ] && ! [ -e /proc/mounts ]; then
  mount -t proc proc /proc
fi

if [ -e /sys ] && grep -q sysfs /proc/filesystems && ! [ -e /sys/class ]; then
  mount -t sysfs sysfs /sys
fi

if [ -e /sys/kernel/debug ] && grep -q debugfs /proc/filesystems; then
  mount -t debugfs debugfs /sys/kernel/debug
fi

if [ -e /sys/kernel/config ] && grep -q configfs /proc/filesystems; then
  mount -t configfs configfs /sys/kernel/config
fi

if [ -e /sys/firmware/efi/efivars ] && grep -q efivarfs /proc/filesystems; then
  mount -t efivarfs efivarfs /sys/firmware/efi/efivars
fi

if ! [ -e /dev/zero ] && [ -e /dev ] && grep -q devtmpfs /proc/filesystems; then
  mount -n -t devtmpfs devtmpfs /dev
fi
~~~

## Problem: /etc/machine-id: No such file or directory

Error output seen inside the chroot:

~~~
-bash: /etc/machine-id: No such file or directory
-bash: /proc/sys/kernel/random/boot_id: No such file or directory
-bash: /proc/sys/kernel/random/uuid: No such file or directory
~~~

## Other

Run the command inside the chroot as an unprivileged user and group instead of root:

~~~bash
chroot --userspec=nobody:nogroup ${CHROOTDIR} /bin/bash
~~~
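Added example, not from the original page: the library copies in the bash section above are done by hand from ''ldd'' output. This helper automates the same step for the whole ''exelist'' of the setup script, copying each program and every library ''ldd'' reports to the same path inside the chroot. It assumes a Linux system whose ''ldd'' prints ''name => /path (addr)'' lines (glibc and musl both do); the function names and the ''CHROOTDIR''/''EXELIST'' environment handling are this example's own conventions.

```shell
#!/bin/sh
# Added example: install programs plus their shared libraries into a chroot.
# Function names and the CHROOTDIR/EXELIST environment handling are this
# example's conventions, not the page's script.
set -eu

# Copy one file to the same path under the chroot, creating parent directories.
# Symlinks (e.g. /bin/sh -> dash) are resolved so the jail holds a real file.
copy_into_chroot() {
    dest="$1$2"
    mkdir -p "$(dirname "$dest")"
    cp -p "$(readlink -f "$2")" "$dest"
}

# Print the absolute library paths ldd reports for a dynamic executable.
# Handles both "libc.so.6 => /lib/.../libc.so.6 (0x...)" and the bare loader
# line "/lib64/ld-linux-x86-64.so.2 (0x...)"; a static binary yields nothing.
shared_libs_of() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' | sort -u
}

# Install one program (absolute path, or a name looked up in PATH) with its libraries.
install_into_chroot() {
    chrootdir=$1
    case $2 in
        /*) prog=$2 ;;
        *)  prog=$(command -v "$2") || { echo "not found: $2" >&2; return 1; } ;;
    esac
    copy_into_chroot "$chrootdir" "$prog"
    for lib in $(shared_libs_of "$prog"); do
        copy_into_chroot "$chrootdir" "$lib"
    done
}

# Stand-alone use (as root, the jail tree being root-owned):
#   CHROOTDIR=/home/chroot ./install_into_chroot.sh
# EXELIST defaults to the page's exelist. Without CHROOTDIR only the functions are defined.
if [ -n "${CHROOTDIR:-}" ]; then
    for exe in ${EXELIST:-ls mount ps bash dmesg vim tail}; do
        install_into_chroot "$CHROOTDIR" "$exe"
    done
fi
```

Re-running the helper after a library upgrade on the host refreshes the copies in the jail; stale copies of libc inside chroots are a classic blind spot of this kind of setup.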
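Added example, not from the original page, scripting the inode clue from the section on detecting a chroot: it compares the device and inode of ''/'' as seen by the shell with those of ''/proc/1/root'', the root directory of PID 1 that the kernel exposes as a magic symlink (readable only by root or from one's own process tree), and reports the ''ls -id /'' heuristic separately. The function names are mine. A container with its own mount and PID namespaces reports "no-chroot" here, because its PID 1 has the same root as the shell; the check only tells a plain chroot apart from the root of the PID 1 it can see.

```shell
#!/bin/sh
# Added example: detect a plain chroot by comparing our root with PID 1's root.
set -u

# "device:inode" of a path, following symlinks; empty string when unreadable.
dev_inode() {
    stat -L -c '%d:%i' "$1" 2>/dev/null || true
}

# Pure comparison, so it can be tested without root: prints a verdict.
compare_roots() {
    mine=$1
    init_root=$2
    if [ -z "$mine" ] || [ -z "$init_root" ]; then
        echo unknown      # /proc not mounted (common in a jail) or no permission
    elif [ "$mine" = "$init_root" ]; then
        echo no-chroot
    else
        echo chroot
    fi
}

# Verdict for the running shell.
chroot_verdict() {
    compare_roots "$(dev_inode /)" "$(dev_inode /proc/1/root)"
}

# The weaker hint from the page: on ext2/3/4 the root directory of a filesystem
# is inode 2, so a "/" with another inode number is probably a subdirectory.
# btrfs (256) and xfs use other root inode numbers, so this is only a hint.
root_inode_hint() {
    ino=$(stat -c '%i' / 2>/dev/null) || { echo unknown; return; }
    if [ "$ino" = 2 ]; then
        echo "root inode 2: looks like a real filesystem root"
    else
        echo "root inode $ino: possibly a chroot (or a non-ext filesystem)"
    fi
}

echo "verdict: $(chroot_verdict)"
echo "hint:    $(root_inode_hint)"
```

When the script runs as a normal user, ''/proc/1/root'' is not readable and the verdict is ''unknown''; run it as root for a definitive answer, and treat a missing ''/proc'' as a hint in itself, since the page's own setup script mounts ''/proc'' explicitly.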
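Added example, not the page's ''chrootshell'': a variant that combines the login-shell trick above with the ''--userspec'' option noted under Other. The privileged part takes the target user from ''SUDO_USER'' rather than from its arguments, validates it, and lets ''chroot'' itself switch to that user before the shell starts, so no root shell ever runs inside the jail and the sudoers rule can name one fixed command without arguments. The base directory ''/home/chroot/<user>'', the ''/usr/local/sbin/enter-chroot'' path and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: /usr/local/sbin/enter-chroot (hypothetical path), invoked by
# the user's login shell as "exec sudo /usr/local/sbin/enter-chroot".
# Matching sudoers rule (one fixed command, no arguments):
#   jibe ALL=(root) NOPASSWD: /usr/local/sbin/enter-chroot
set -eu

CHROOT_BASE=${CHROOT_BASE:-/home/chroot}   # assumed layout: one jail per user

# Accept only plain lowercase user names: no "/", ".", spaces or shell
# metacharacters, and no leading "-" (which chroot would parse as an option).
valid_user() {
    case $1 in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Jail directory for a validated user; fails closed on anything else.
chroot_dir_for() {
    valid_user "$1" || return 1
    printf '%s/%s\n' "$CHROOT_BASE" "$1"
}

# The exact command line that will be executed, for logging and for tests.
enter_chroot_cmd() {
    dir=$(chroot_dir_for "$1") || return 1
    printf 'chroot --userspec=%s:%s %s /bin/bash -l\n' "$1" "$2" "$dir"
}

# Runs as root under sudo. The target comes from SUDO_USER, which sudo sets
# from its own authentication, so the caller cannot pick another jail.
enter_chroot() {
    user=${SUDO_USER:-}
    dir=$(chroot_dir_for "$user") || { echo "refusing: bad or missing SUDO_USER" >&2; exit 1; }
    [ -d "$dir" ] || { echo "refusing: no chroot at $dir" >&2; exit 1; }
    grp=$(id -gn "$user")
    logger -t enter-chroot "$(enter_chroot_cmd "$user" "$grp")" || true
    exec chroot --userspec="$user:$grp" "$dir" /bin/bash -l
}

# Only act when installed under the expected name; under any other name
# (as when sourced or tested) the file just defines the functions.
case ${0##*/} in
    enter-chroot) enter_chroot ;;
esac
```

Inside the jail the shell then runs as the user from the start, and the jailed ''/etc/passwd'' must contain that user and the ''/bin/bash'' copy from the bash example must be present.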