chroot without root

Project description

Chroot without root privileges.

uchroot.py uses Linux user namespaces and mount namespaces to create chroot jails without root. It’s not entirely a no-root solution because it requires the newuidmap and newgidmap set-uid-root helper programs (on Ubuntu, installed with the uidmap package).

This requirement is not really necessary if you only need to enter the chroot jail with a single user id mapped.

Requirements

Requires a Linux kernel built with user namespaces enabled (note that Red Hat does not enable them by default) and the newuidmap and newgidmap setuid helper programs (install the uidmap Ubuntu package).

To check if your kernel is built with user namespaces, on Ubuntu:

~$ cat /boot/config-`uname -r` | grep CONFIG_USER_NS
CONFIG_USER_NS=y

On other Linux distributions, perhaps try:

~$ zcat /proc/config.gz | grep CONFIG_USER_NS

Usage

usage: uchroot [-h] [-v] [-l {debug,info,warning,error}] [-s] [-c CONFIG]
                [rootfs]

Chroot without root priviledges This is a pretty simple process spawner that
automates the construction of user and mount namespaces in order to create
chroot jails without root. It's not entirely a no-root solution because it
requires the newuidmap and newgidmap set-uid-root helper functions (on ubuntu,
installed with the uidmap package). This requirement is not necessary if you
only need to enter the chroot jail with a single user id mapped.

positional arguments:
rootfs                path of the rootfs to enter

optional arguments:
-h, --help            show this help message and exit
-v, --version         show program's version number and exit
-l {debug,info,warning,error}, --log-level {debug,info,warning,error}
                        Set the verbosity of messages
-s, --subprocess      use subprocess instead of exec
-c CONFIG, --config CONFIG
                        Path to config file
--argv [ARGV [ARGV ...]]
--cwd CWD
--binds [BINDS [BINDS ...]]
--gid-range [GID_RANGE [GID_RANGE ...]]
--exbin EXBIN
--qemu QEMU
--uid-range [UID_RANGE [UID_RANGE ...]]
--identity [IDENTITY [IDENTITY ...]]

Advanced configurations can be specified with a configuration file in Python format. Command line arguments override options specified in a configuration file:

# The directory to chroot into
rootfs = "/tmp/rootfs"

# List of paths to bind into the new root directory. These binds are
# done inside a mount namespace and will not be reflected outside
# the process tree started by the script.
binds = [
    "/dev/urandom",
    "/etc/resolv.conf",
]

# If specified, indicates the path to a qemu instance that should be bound
# into the mount namespace of the jail
qemu = "/usr/bin/qemu-aarch64-static"

# After entering the jail, assume this [uid, gid]. [0, 0] for root.
identity = (0, 0)

# uids in the namespace starting at 1 are mapped to uids outside the
# namespace starting with this value and up to this many ids. Note that
# the uid range outside the namespace must lie within the current user's
# allowed subordinate uids. See (or modify) /etc/subuid for the range
# available to your user.
uid_range = (100000, 65536)

# Same as uid_range above, but for gids (see /etc/subgid).
gid_range = (100000, 65536)

# Set the current working directory to this inside the jail
cwd = "/"

# The following variables specify what to execute after chrooting into the jail
# -----------------------------------------------------------------------------

# The path of the program to execute
exbin = "/bin/bash"

# The argument vector to expose as argv,argc to the called process
argv = ["bash"]

# The environment of the called process. Use an empty dictionary for an
# empty environment, or None to use the host environment.
env = {
    # Any environment variable encountered as a list will be join()ed using
    # path separator (':')
    "PATH": [
        # "/usr/local/sbin",
        # "/usr/local/bin",
        "/usr/sbin",
        "/usr/bin",
        "/sbin",
        "/bin"
    ],
    "DEBIAN_FRONTEND": "noninteractive",
    "DEBCONF_NONINTERACTIVE_SEEN": "true",
    "LC_ALL": "C",
    "LANGUAGE": "C",
    "LANG": "C"
}
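
The uid_range comment above says the outside range must lie within the current user's subordinate ids. The following is an added example, not part of uchroot or its documentation, that checks a configured range against /etc/subuid-format data before the jail is started. The function names and sample entries are constructed for illustration; requiring the range to fit inside a single entry is a conservative choice, and mapping id 0 inside the jail to the caller's own id is an assumption.

```python
# Added example (not uchroot code): validate uid_range against subuid grants.

# Constructed sample in /etc/subuid format: owner:start:count
SAMPLE_SUBUID = """\
# constructed sample, not from a real host
alice:100000:65536
bob:165536:65536
1001:300000:1000
"""


def parse_subid(text):
    """Return {owner: [(start, count), ...]} from subuid/subgid content."""
    grants = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError("line %d: expected owner:start:count" % lineno)
        owner, start, count = fields[0], int(fields[1]), int(fields[2])
        grants.setdefault(owner, []).append((start, count))
    return grants


def check_range(grants, user, uid, id_range):
    """Return a list of problems with id_range=(start, count); empty if OK."""
    start, count = id_range
    problems = []
    if start < 0 or count <= 0:
        return ["range must have start >= 0 and count > 0"]
    # An entry may name its owner by login name or by numeric id.
    owned = grants.get(user, []) + grants.get(str(uid), [])
    # Conservative: require the range to fit inside a single entry.
    if not any(s <= start and start + count <= s + c for s, c in owned):
        problems.append("range %d+%d is outside the ids granted to %s"
                        % (start, count, user))
    # Assumption: the caller's own id is also mapped (as id 0 in the jail),
    # and the outside ranges of an id map must not overlap.
    if start <= uid < start + count:
        problems.append("range overlaps the caller's own id %d" % uid)
    return problems


def id_map_lines(uid, id_range):
    """Map in /proc/<pid>/uid_map layout: 'inside outside count' per line."""
    return ["0 %d 1" % uid, "1 %d %d" % tuple(id_range)]
```

The same functions apply to gid_range when given the content of /etc/subgid.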
