
How to run a command in a chroot jail not as root and without sudo?

I'm setting up a minimal chroot and want to avoid having sudo or su in it but still run my processes as non-root. This is a bit of a trick as running chroot requires root. I could write a program that does this that would look something like:

    uid = LookupUser(args[username])  // no /etc/passwd in jail
    chroot(args[newroot])
    cd("/")
    setuids(uid)
    execve(args[exe:])

Is that my best bet or is there a standard tool that does that for me?


I rolled my own here:

BCS asked Sep 17 '10 16:09



2 Answers

If you invoke chroot from root, the chroot option --userspec=USER:GROUP will run the command under the non-root UID/GID.

By the way, the option '--userspec' was first introduced in coreutils-7.5, according to the git repository git://git.sv.gnu.org/coreutils.

kamae answered Sep 20 '22 11:09
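
The chroot-then-drop-privileges sequence sketched in the question, written out in C as an added example (it is not the asker's program and not coreutils code). The names `lookup_user` and `jail_exec`, the refusal of UID/GID 0 and the fixed minimal `PATH` are assumptions made for this example; it must be started as root for `chroot()` to succeed.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Resolve the account BEFORE chroot(): the jail has no /etc/passwd. */
int lookup_user(const char *name, uid_t *uid, gid_t *gid) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Enter newroot, drop to uid/gid irreversibly, then exec argv[0].
 * Returns -1 on any failure; does not return on success. */
int jail_exec(const char *newroot, uid_t uid, gid_t gid, char *const argv[]) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* never stay root */
    if (chroot(newroot) != 0) return -1;
    if (chdir("/") != 0) return -1;         /* cwd must not point outside the jail */
    if (setgroups(0, NULL) != 0) return -1; /* drop root's supplementary groups */
    if (setgid(gid) != 0) return -1;        /* group first, while still root */
    if (setuid(uid) != 0) return -1;        /* user last: clears real/effective/saved */
    if (setuid(0) == 0) { errno = EPERM; return -1; } /* root must be unrecoverable */
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL }; /* assumed minimal env */
    execve(argv[0], argv, envp);
    return -1;
}

int main(int argc, char **argv) {
    uid_t uid;
    gid_t gid;
    if (argc < 4) {
        fprintf(stderr, "usage: %s USER NEWROOT /path/in/jail [ARGS...]\n", argv[0]);
        return 2;
    }
    if (lookup_user(argv[1], &uid, &gid) != 0) {
        fprintf(stderr, "unknown user: %s\n", argv[1]);
        return 1;
    }
    jail_exec(argv[2], uid, gid, &argv[3]);
    perror("jail_exec");
    return 1;
}
```

Every return value is checked because a silently failed `setgid()` or `setuid()` would leave the jailed program running with root's credentials.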


fakechroot, in combination with fakeroot, will allow you to do this. They'll make all programs that are running act as if they're being run in a chroot as root but they'll actually be running as you.

See also fakechroot's man page.

Eric Warmenhoven answered Sep 18 '22 11:09