11 January 2013

316. Briefly: Automated chroot/sandbox creation

EDIT:
There are plenty of reasons to use chroots, but security is not one of them.

For a practical how-to see e.g
http://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

For a bit of yelling, see
http://yarchive.net/comp/linux/chroot.html

chroot will improve your security by creating an obstacle which may filter out some would-be crackers, but it will not make it secure by any standard. (in spite of what I may have written elsewhere on this blog).

Original post:
I've been using chroot to compile and test stuff so much lately that I figure it was time to automate the process.

Before creating your chroot you'll need a few packages:
sudo apt-get install debootstrap coreutils x11-xserver-utils


The scripts
makechroot.sh
mkdir $HOME/tmp/jail/$1 -p sudo debootstrap --arch amd64 testing $HOME/tmp/jail/$1 http://ftp.au.debian.org/debian/ sudo cp setupchroot.sh $HOME/tmp/jail/$1/

setupchroot.sh
rm /etc/apt/sources.list echo 'deb http://ftp.au.debian.org/debian/ wheezy main contrib non-free' >> /etc/apt/sources.list apt-get update apt-get install locales sudo vim echo 'export LC_ALL="C"'>>/etc/bash.bashrc echo 'export LANG="C"'>>/etc/bash.bashrc echo 'export DISPLAY=:0.0' >> /etc/bash.bashrc echo '127.0.0.1 beryllium >> /etc/hosts' source /etc/bash.bashrc adduser sandbox usermod -g sudo sandbox echo 'Defaults !tty_tickets' >> /etc/sudoers

launchchroot.sh
xhost + sudo mount -o bind /proc $1/proc sudo cp /etc/resolv.conf $1/etc/resolv.conf sudo chroot $HOME/tmp/jail/$1

How to use
To set up the chroot:
sh makechroot.sh mynewchroot
sudo chroot mynewchroot
root@beryllium:/# sh setupchroot.sh

To use the chroot:
sh launchchroot.sh mynewchroot

Once you're done with the chroot and logged out, do
sudo umount $HOME/tmp/jail/mynewchroot/proc

to unmount the /proc -- you can now delete, copy etc. the directory structure of you chroot.

2 comments:

  1. http://wiki.debian.org/Multistrap states "Multistrap is a tool that does essentially the same job as Debootstrap, using an entirely different method, and then extends the functionality to support automated creation of complete, bootable, root filesystems."

    So why not?

    Andrey

    ReplyDelete
    Replies
    1. The main reason is that I know about debootstrap and I know how to use it.

      It probably doesn't matter much whether you use multistrap or debootstrap, but the syntax of debootstrap seems more compact -- a single line instead of a small config file.

      Delete