Issue:
Sometimes we get strange dependency conflicts from research software used by some of our staff. Since we do not have infinite resources, we share high-powered machines. The easiest way around this is to give everyone their own copy of a machine and let them do what they need with it.
Dependencies:
- debootstrap (creates the jail)
- fakeroot (give the ability to run
- fakechroot (gives normal users the ability to use a chroot)
The setup (done with sudo, since running debootstrap requires privilege):
Setting up the jail for the user
- export username=nonprivuser
- sudo debootstrap --variant=buildd trusty /home/$username/trustychroot http://archive.ubuntu.com/ubuntu/
- sudo cp /etc/resolv.conf /home/$username/trustychroot/etc/resolv.conf
- sudo cp /etc/apt/sources.list /home/$username/trustychroot/etc/apt/
- (This is not usually suggested because of root concerns, but that is a non-issue if the user is already an admin on the machine and has fakeroot for the whole machine. Should you want to do something differently, please do not run this!) sudo chown -R $username:$username $username
Running the jail
This should be done by the normal user:
physical host$ fakeroot fakechroot chroot ~/trustychroot /bin/bash
Making things a bit easier to launch
I am lazy and would prefer to type a command that is a bit more fun than fakeroot fakechroot chroot ~/trustychroot /bin/bash. I have put a small shell script in /usr/local/bin/mytrustychroot to make this easier:
#!/bin/sh
/usr/bin/fakeroot /usr/bin/fakechroot /usr/sbin/chroot ~/trustychroot /bin/bash
Auditing
Switch to the user, enter the chroot as (fake) root and try to modify the routing table; it does not work:
$ mytrustyjail
chroot # ip route add 1.1.1.1/32 via 10.10.13.2
RTNETLINK answers: Operation not permitted
Run sleep in the chroot and, logged in as another user on the host system, check who owns the process; the fake root does not carry over to the host:
chroot # sleep 600
physical host$ sudo ps auxww | grep sleep
nonprivuser 7155 0.0 0.0 12456 696 pts/1 S+ 14:17 0:00 sleep 300
Try to break out of a jail via symlink:
physical host$ ln -s ../../../../a trustychroot/etc/test1
physical host$ ln -s ../../../a trustychroot/etc/test2
physical host$ ln -s ../../a trustychroot/etc/test3
chroot # echo "test1" > test1
bash: test1: Permission denied
chroot # echo "test2" > test2
bash: test2: Permission denied
chroot # echo "test3" > test3
We were able to write outside of the chroot by creating a symlink that points outside of it. Because we are using fakeroot and the process runs in the context of nonprivuser, this is not an issue: we can only write where nonprivuser already has permission to write. IN YOUR ENVIRONMENT THIS MAY BE DIFFERENT!
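The symlink test above shows that fakechroot resolves links the way the host does, so a link like test3 lands outside the jail tree. As an added example (not part of the original post), this small POSIX shell audit lists every symlink under a jail root whose target resolves outside that root; it assumes GNU coreutils (readlink -m, find) as on Ubuntu, and the demo tree it builds is constructed sample data, not a real jail.

```sh
#!/bin/sh
# Added example, not from the original post.
# Assumes GNU coreutils (readlink -m, find), as shipped on Ubuntu.

# find_escaping_links JAILROOT
# Prints "link -> resolved_target" for each symlink under JAILROOT
# whose target, resolved as the host kernel would resolve it, lies
# outside JAILROOT. This is the condition that let test3 write
# outside the jail in the audit above.
find_escaping_links() {
    jail=$(readlink -f "$1") || return 1
    find "$jail" -type l | while IFS= read -r link; do
        # -m canonicalises even when the final component does not
        # exist yet (a dangling link is still a write target).
        target=$(readlink -m "$link")
        case "$target" in
            "$jail"/*|"$jail") ;;                      # stays inside
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Rebuild the post's three test links (plus one harmless in-jail
# link) in a throwaway tree and return how many escape the jail.
# Constructed demo data; the numbers are not from the original page.
count_escapes_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/trustychroot/etc" "$tmp/a"
    ln -s ../../../../a   "$tmp/trustychroot/etc/test1"   # -> /a
    ln -s ../../../a      "$tmp/trustychroot/etc/test2"   # -> /tmp/a
    ln -s ../../a         "$tmp/trustychroot/etc/test3"   # -> $tmp/a
    ln -s ../resolv.conf  "$tmp/trustychroot/etc/test4"   # inside
    n=$(find_escaping_links "$tmp/trustychroot" | wc -l)
    rm -rf "$tmp"
    echo $((n))
}

# Usage on a real jail: find_escaping_links ~/trustychroot
count_escapes_demo
```

Run it against ~/trustychroot after the user has had the jail for a while; any line it prints is a path the jail can reach with nonprivuser's host permissions.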
Try to install something like zsh:
chroot # apt-get install zsh
... it works ...
chroot #
Concerns for the long term
Updates
These machines are going to run one application with custom code that our users write, plus some research packages they want specific versions of; there are no services.
Escaping jail?
Is it fine for someone to jump out to the host system with root privilege should you chown the jail to them? This becomes more of a talk-to-the-person problem and, if that doesn't work, an HR problem for me should something happen. Many of the people on this machine currently have sudo access, so there is not much difference for me, but running as a standard user is a much better idea.
An easier way for public facing things?
FreeBSD happens to have a very nice jail system using ezjail. It goes something like this, and I would not have to worry about the things I have not tested yet:
ezjail-admin create -x jail1 'em0|10.0.0.101'
ezjail-admin console jail1
# INSTALL MANAGEMENT SOFTWARE HERE!
From here it is much easier to point some configuration management software at the jail and have that do all the heavy lifting.