Difference between revisions of "Chroot"

From Alpine Linux
(Create page)
 
(Start editing)
Line 1: Line 1:
[[Category:Installation]]
+
{{Draft}}
 +
 
 +
Chroot into the newly-created Arch system. I use the following script to do this:
 +
 
 +
{{Cat|/usr/local/bin/start-chroot|<nowiki>
 +
#!/bin/sh -e
 +
user=`whoami`
 +
if [ "$user" != "root" ]; then
 +
  echo "This script needs root access" >&2
 +
  exit 1
 +
fi
 +
if ! [ -d "$1" ]; then
 +
  echo "Usage: $0 <chroot directory>" >&2
 +
  exit 1
 +
fi
 +
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chmod` ]; then
 +
  echo "Warning: can't suid/sgid inside chroot" >&2
 +
fi
 +
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chroot` ]; then
 +
  echo "Warning: can't chroot inside chroot" >&2
 +
fi
 +
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mknod` ]; then
 +
  echo "Warning: can't mknod inside chroot" >&2
 +
fi
 +
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mount` ]; then
 +
  echo "Warning: can't mount inside chroot" >&2
 +
fi
 +
cd "$1"
 +
shift
 +
cp -L /etc/resolv.conf ./etc/ || true
 +
mount -t proc proc ./proc
 +
mount -t sysfs sys ./sys
 +
mount -o bind /dev ./dev
 +
# next line is said to be important for pacman's signature check
 +
mount -o bind /dev/pts ./dev/pts
 +
case $1 in
 +
  -l) shift;;
 +
  -l*) one=${1#-l}; shift; set -- -$one "$@";;
 +
esac
 +
chroot . /bin/sh -l "$@"
 +
umount ./dev/pts
 +
umount ./dev ./sys ./proc
 +
</nowiki>}}
 +
 
 +
At least when setting the Arch system up, you'll want to disable Alpine's grsecurity prohibition against suid/sgid:
 +
 
 +
{{Cmd|sysctl -w kernel.grsecurity.chroot_deny_chmod{{=}}0}}
 +
 
 +
For more info, see:
 +
 
 +
* http://en.wikibooks.org/wiki/Grsecurity
 +
* http://www.gentoo.org/proj/en/hardened/grsecurity.xml
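Review bot: with `#!/bin/sh -e`, a non-zero exit from the chrooted shell (for example when the last command typed inside it fails) aborts the script before the two umount lines, leaving proc, sys, dev and dev/pts mounted under the target directory. Capture the status instead, e.g. `status=0`, `chroot . /bin/sh -l "$@" || status=$?`, then run the umounts and `exit $status` (or put the umounts in a `trap ... EXIT`). The mounts are also performed unconditionally, so a second run against the same directory stacks a second set of mounts that the single umount at the end does not remove.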

Revision as of 15:25, 20 January 2015

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Dubiousjim on 20 Jan 2015.)

Chroot into the newly-created Arch system. I use the following script to do this:

Contents of /usr/local/bin/start-chroot

#!/bin/sh -e
user=`whoami`
if [ "$user" != "root" ]; then
  echo "This script needs root access" >&2
  exit 1
fi
if ! [ -d "$1" ]; then
  echo "Usage: $0 <chroot directory>" >&2
  exit 1
fi
# grsecurity's chroot_deny_* sysctls restrict what a chrooted process may do;
# warn about each one that is enabled (-n prints only the value, -e ignores
# keys that do not exist, e.g. on a kernel without grsecurity)
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chmod` ]; then
  echo "Warning: can't suid/sgid inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_chroot` ]; then
  echo "Warning: can't chroot inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mknod` ]; then
  echo "Warning: can't mknod inside chroot" >&2
fi
if [ x1 = x`sysctl -ne kernel.grsecurity.chroot_deny_mount` ]; then
  echo "Warning: can't mount inside chroot" >&2
fi
cd "$1"
shift
# give the chroot the host's DNS configuration (ignore failure, e.g. no ./etc yet)
cp -L /etc/resolv.conf ./etc/ || true
mount -t proc proc ./proc
mount -t sysfs sys ./sys
mount -o bind /dev ./dev
# next line is said to be important for pacman's signature check
mount -o bind /dev/pts ./dev/pts
# a leading -l (login shell) option is absorbed because -l is passed below;
# a combined -lX is rewritten to -X so the remaining option letters still reach the shell
case $1 in
  -l) shift;;
  -l*) one=${1#-l}; shift; set -- -$one "$@";;
esac
# capture the shell's exit status instead of letting -e abort the script,
# so the unmounts below always run; the status is returned at the end
status=0
chroot . /bin/sh -l "$@" || status=$?
umount ./dev/pts
umount ./dev ./sys ./proc
exit $status
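The script above mounts proc, sys, dev and dev/pts unconditionally, so running it twice against the same directory stacks duplicate mounts. The following helper, an added example that is not part of the wiki's script, reads a /proc/mounts-style table and reports which of those mounts are still missing under a chroot; the mounts table and the /mnt/arch chroot path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the wiki's start-chroot script: check which of the
# pseudo-filesystems the script mounts are already present under a chroot, by
# reading a /proc/mounts-style table. Running start-chroot twice otherwise
# stacks a second proc/sys/dev mount on top of the first, and the single
# umount at the end only removes the top one.

# is_mounted MOUNTS_FILE CHROOT_DIR REL_PATH
#   Succeeds when CHROOT_DIR/REL_PATH is listed as a mount point (field 2) in
#   MOUNTS_FILE. Pass /proc/mounts on a live system; tests pass a constructed file.
is_mounted() {
    im_target="${2%/}/$3"
    # /proc/mounts encodes a space in a path as \040; decode before comparing
    awk -v t="$im_target" '
        { gsub(/\\040/, " ", $2); if ($2 == t) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# missing_mounts MOUNTS_FILE CHROOT_DIR
#   Prints, one per line, the mounts start-chroot expects that are absent.
#   Prints nothing when proc, sys, dev and dev/pts are all in place.
missing_mounts() {
    for mm_rel in proc sys dev dev/pts; do
        is_mounted "$1" "$2" "$mm_rel" || echo "$mm_rel"
    done
}

# Constructed sample in /proc/mounts format (hypothetical chroot at /mnt/arch):
# proc and dev are mounted under the chroot, sys and dev/pts are not. The
# host's own /dev/pts entry must not be mistaken for the chroot's.
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0
/dev/sda1 /mnt/arch ext4 rw,relatime 0 0
proc /mnt/arch/proc proc rw,relatime 0 0
devtmpfs /mnt/arch/dev devtmpfs rw,nosuid,size=10240k,mode=755 0 0
EOF
}

# Usage on a live system: missing_mounts /proc/mounts /mnt/arch
demo() {
    d_tmp=$(mktemp)
    sample_mounts > "$d_tmp"
    missing_mounts "$d_tmp" /mnt/arch/
    rm -f "$d_tmp"
}
demo
```

On the constructed table the demo prints sys and dev/pts, the two mounts start-chroot would still have to create; a wrapper can mount only those and unmount only what it mounted.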

At least when setting the Arch system up, you'll want to disable Alpine's grsecurity prohibition against suid/sgid:

sysctl -w kernel.grsecurity.chroot_deny_chmod=0

For more info, see: