Chroot: Difference between revisions
Revisions compared: Dubiousjim (talk | contribs) (Create page) and Dubiousjim (talk | contribs) (Start editing)
Revision as of 15:25, 20 January 2015
This material is work-in-progress ... Do not follow instructions here until this notice is removed.
Chroot into the newly-created Arch system. I use the following script to do this:
Contents of /usr/local/bin/start-chroot
#!/bin/sh -e
# mount(8) and chroot(8) both need root, so refuse to continue otherwise.
user=`whoami`
if [ "$user" != "root" ]; then
    echo "This script needs root access" >&2
    exit 1
fi
if ! [ -d "$1" ]; then
    echo "Usage: $0 <chroot directory> [shell arguments]" >&2
    exit 1
fi
# Alpine's grsecurity kernel can deny several operations to chrooted
# processes; warn about each restriction that is currently switched on.
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chmod` ]; then
    echo "Warning: can't suid/sgid inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chroot` ]; then
    echo "Warning: can't chroot inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mknod` ]; then
    echo "Warning: can't mknod inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mount` ]; then
    echo "Warning: can't mount inside chroot" >&2
fi
cd "$1"
shift
# Give the chroot the host's DNS configuration; ignore failure.
cp -L /etc/resolv.conf ./etc/ || true
mount -t proc proc ./proc
mount -t sysfs sys ./sys
mount -o bind /dev ./dev
# next line is said to be important for pacman's signature check
mount -o bind /dev/pts ./dev/pts
# Unmount on any exit: a non-zero exit from the chrooted shell would
# otherwise stop the script (because of -e) before the umount lines ran,
# leaving the host's /proc, /sys and /dev bound inside the chroot.
cleanup() {
    umount ./dev/pts
    umount ./dev ./sys ./proc
}
trap cleanup EXIT
# The shell below is always started with -l; fold a user-supplied
# -l (or -lXYZ) into it instead of passing it twice.
case $1 in
    -l) shift;;
    -l*) one=${1#-l}; shift; set -- -$one "$@";;
esac
chroot . /bin/sh -l "$@"
At least when setting the Arch system up, you'll want to disable Alpine's grsecurity prohibition against suid/sgid:
sysctl -w kernel.grsecurity.chroot_deny_chmod=0
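The command above switches the restriction off system-wide and leaves it off. As an added example that is not part of this page, the wrapper below relaxes it only while one command (such as the start-chroot script) runs and then restores whatever value was set before; SYSCTL is an assumed variable that lets the sysctl binary be swapped for a stub when testing.

```shell
#!/bin/sh
# Added example (not from the wiki page): relax one grsecurity chroot
# restriction only while a single command runs, then put the previous
# value back, instead of leaving the sysctl at 0 after setup is done.
# SYSCTL is an assumed hook so the logic can be exercised with a stub.
: "${SYSCTL:=sysctl}"
KEY=kernel.grsecurity.chroot_deny_chmod

# Print the current value of $KEY; prints nothing on a kernel without it.
current_value() {
    "$SYSCTL" -ne "$KEY"
}

# with_chmod_allowed CMD [ARGS...]
# Runs CMD with $KEY set to 0 and restores the old value afterwards,
# whether CMD succeeds or fails. Returns CMD's exit status.
with_chmod_allowed() {
    old=$(current_value)
    if [ -z "$old" ]; then
        # Not a grsecurity kernel: nothing to relax, just run the command.
        "$@"
        return $?
    fi
    if [ "$old" = 0 ]; then
        # Already permitted: run the command and leave the setting alone.
        "$@"
        return $?
    fi
    # If the grsecurity sysctls are locked the write fails; give up
    # rather than run CMD under the unchanged restriction.
    "$SYSCTL" -w "$KEY=0" >/dev/null || return 1
    "$@"
    rc=$?
    "$SYSCTL" -w "$KEY=$old" >/dev/null
    return $rc
}

# Usage (as root): with_chmod_allowed /usr/local/bin/start-chroot /mnt/arch
```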
For more info, see:
* http://en.wikibooks.org/wiki/Grsecurity
* http://www.gentoo.org/proj/en/hardened/grsecurity.xml