Chroot: Difference between revisions

From Alpine Linux
(Create page)
 
(Start editing)
Line 1: Line 1:
[[Category:Installation]]
{{Draft}}
 
Chroot into the newly-created Arch system. I use the following script to do this:
 
{{Cat|/usr/local/bin/start-chroot|<nowiki>
#!/bin/sh -e
user=`whoami`
if [ "$user" != "root" ]; then
  echo "This script needs root access" >&2
  exit 1
fi
if ! [ -d "$1" ]; then
  echo "Usage: $0 <chroot directory>" >&2
  exit 1
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chmod` ]; then
  echo "Warning: can't suid/sgid inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chroot` ]; then
  echo "Warning: can't chroot inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mknod` ]; then
  echo "Warning: can't mknod inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mount` ]; then
  echo "Warning: can't mount inside chroot" >&2
fi
cd "$1"
shift
cp -L /etc/resolv.conf ./etc/ || true
mount -t proc proc ./proc
mount -t sysfs sys ./sys
mount -o bind /dev ./dev
# next line is said to be important for pacman's signature check
mount -o bind /dev/pts ./dev/pts
case $1 in
  -l) shift;;
  -l*) one=${1#-l}; shift; set -- -$one "$@";;
esac
chroot . /bin/sh -l "$@"
umount ./dev/pts
umount ./dev ./sys ./proc
</nowiki>}}
 
At least when setting the Arch system up, you'll want to disable Alpine's grsecurity prohibition against suid/sgid:
 
{{Cmd|sysctl -w kernel.grsecurity.chroot_deny_chmod{{=}}0}}
 
For more info, see:
 
* http://en.wikibooks.org/wiki/Grsecurity
* http://www.gentoo.org/proj/en/hardened/grsecurity.xml
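
Review bot: in start-chroot, the `#!/bin/sh -e` line means a non-zero exit status from `chroot . /bin/sh -l "$@"` ends the script before the two `umount` lines, so proc, sysfs, /dev and /dev/pts stay mounted under the chroot directory; the same happens when a later `mount` call fails after earlier ones succeeded. Suggest appending `|| true` to the chroot line or moving the unmounts into a `trap` handler that runs on exit. The text after the script also sets `kernel.grsecurity.chroot_deny_chmod` to 0 with `sysctl -w` without saying when to turn it back on; a sentence about restoring it once setup is finished would help.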

Revision as of 15:25, 20 January 2015

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Dubiousjim on 20 Jan 2015.)

Chroot into the newly-created Arch system. I use the following script to do this:

Contents of /usr/local/bin/start-chroot

#!/bin/sh -e
# Enter a chroot with /proc, /sys, /dev and /dev/pts mounted, then unmount them.
user=`whoami`
if [ "$user" != "root" ]; then
  echo "This script needs root access" >&2
  exit 1
fi
if ! [ -d "$1" ]; then
  echo "Usage: $0 <chroot directory>" >&2
  exit 1
fi
# Warn about grsecurity chroot restrictions that are enabled on the host
# (sysctl -e stays quiet when the key does not exist).
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chmod` ]; then
  echo "Warning: can't suid/sgid inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chroot` ]; then
  echo "Warning: can't chroot inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mknod` ]; then
  echo "Warning: can't mknod inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mount` ]; then
  echo "Warning: can't mount inside chroot" >&2
fi
cd "$1"
shift
cp -L /etc/resolv.conf ./etc/ || true
mount -t proc proc ./proc
mount -t sysfs sys ./sys
mount -o bind /dev ./dev
# next line is said to be important for pacman's signature check
mount -o bind /dev/pts ./dev/pts
# sh is started with -l below, so drop a leading -l from the remaining arguments
case $1 in
  -l) shift;;
  -l*) one=${1#-l}; shift; set -- -$one "$@";;
esac
# "|| true" keeps sh -e from exiting before the umounts when the chroot shell returns non-zero
chroot . /bin/sh -l "$@" || true
umount ./dev/pts
umount ./dev ./sys ./proc

At least when setting the Arch system up, you'll want to disable Alpine's grsecurity prohibition against suid/sgid:

sysctl -w kernel.grsecurity.chroot_deny_chmod=0
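
To keep that relaxation limited to the setup step, the following added example (not part of the wiki page) saves the current value of kernel.grsecurity.chroot_deny_chmod, sets it to 0, runs one command, and writes the saved value back afterwards. The function name with_chmod_relaxed and the SYSCTL override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: run one command with
# kernel.grsecurity.chroot_deny_chmod set to 0, then restore the old value.
# with_chmod_relaxed and the SYSCTL override are names assumed for this example.
: "${SYSCTL:=sysctl}"        # lets a stub replace sysctl when testing
KEY=kernel.grsecurity.chroot_deny_chmod

with_chmod_relaxed() {
  # -n: value only, -e: stay quiet if the key is missing (no grsecurity kernel)
  wcr_old=$($SYSCTL -ne "$KEY") || wcr_old=
  if [ -z "$wcr_old" ] || [ "$wcr_old" = 0 ]; then
    "$@"                     # nothing to relax, nothing to restore
    return $?
  fi
  # The write fails if the sysctl cannot be changed; do not run the command then
  if ! $SYSCTL -w "$KEY=0" >/dev/null; then
    echo "cannot relax $KEY" >&2
    return 1
  fi
  wcr_rc=0
  "$@" || wcr_rc=$?
  # Put the hardening back even when the command failed
  if ! $SYSCTL -w "$KEY=$wcr_old" >/dev/null; then
    echo "warning: $KEY left at 0, restore it by hand" >&2
  fi
  return $wcr_rc
}

# Usage: sh this-file /usr/local/bin/start-chroot /path/to/arch-root
if [ $# -gt 0 ]; then
  with_chmod_relaxed "$@"
fi
```

The restriction stays off for as long as the wrapped command runs, so wrapping start-chroot covers the whole chroot session and nothing longer.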

For more info, see: