Need to call chroot under normal unprevileged user

gazolinia

Its been last two days over after my search started . But I didn't find answer any where ?. I need to call chroot as part of normal user, but to my surprise it can only be called by SUper user with CAP_SYS_CHROOT capabilities. I am not sure how to add this capability to my user . Please help me in solving my situation.

mfillpot

You are correct that chroot can only be called by the root user, this is because of potential security risks relating to privileged escalation inside the chrooted container, please read http://en.wikipedia.org/wiki/Chroot.

However depending on what exactly you are trying to accomplish it may be possible to restrict users inside a chrooted contained by using daemon application settings or it may even be better to refine the user rights and leave them inside the standard filesystem.

Please tell us what exactly you are trying to do and we can offer our recommendation for properly securing the user actions.

gazolinia

Hi,

Thanks for your immediate reponse. My only requirement is I call chroot from a perl script . This perl script needs to run under normal user . I am using grsecurity to avoid double chroot and breaking of chroot issues. Currently the point where I stand is I must run the perl script under un previleged user, but it should do chroot. Seems little wierd right , but this is what my application requires now . Adding capablility CAP_SYS_CHROOT to the normal user I guess must solve my requirement. But I am not sure how to add this capablity to my user.

Hope you got my requirements.

Thanks
Jai

mfillpot

I must work now, I will research this item more when I get home this evening. Hopefully someone else can chime in with an answer before I return.

woboyle

Part of the problem, besides the need to run chroot as root user is the fact that the directory that is the new root directory must contain all the commands, files, libraries that will be needed during the time chroot is in process. Please provide some rationale why you think you need to do a chroot in your perl script. What exactly are you trying to accomplish?

gazolinia

Hi,

My requirement is simple, Apache receives request and calls my perl handler. The handler script needs to identify which script it needs to run and based on this it needs to go to the particular chroot jail and run the script securely, btw it prints the output to response. We have this new roots already created with necessary libraries and binaries. Hope you got my req .

Thanks,
Jai

woboyle

Jaya,

Just how many forums have you posted this question to, anyway? I know of at least 3 or 4. The fact of the matter is, to do what you want is a gross violation of system security. You can set up the user's login to do a chroot when they first login to the system, but to allow something like a perl script the ability to do a chroot is just plain dangerous! Maybe if you described what your REAL problem is, we could make some suggestions on how to accomplish your real goals.

gazolinia

Hi,

Desperation to find answer made me to post in different forums . But this is the thing finally required, I need to add CAP_SYS_CHROOT capability to my user, because only users with CAP_SYS_CHROOT can call chroot. This will solve all my requirements . I guess I am making things look tough by saying all unwanted details.

Thanks,
Jai

gazolinia

HI finally we planned to over write the chroot method through LKM , guessing that will solve our problem.