5

While I can simply have e.g. sshd in a chroot environment ("chrootenv") listen to a different port than its parent ("parentenv"), it would be more convenient to have that environment have an additional IP and hostname and have sshd listen to that IP's port 22. So basically I'd like to set up a chroot environment such that it behaves like a separate host in the network. How can this be achieved? Or is this something LXC or user-mode Linux (which I lack experience with) is better suited for?

2 Answers

8

Normally, chroot is about "limiting privileges", not granting users their own IF to play with...

But in any case: if you feel like doing some work, you may start your chroot environment within a new network namespace. You find an introduction here. Then the last command, the one that places you into the new network namespace, which in the guide above is

 ip netns exec NAME_OF_THE_NET_NS /bin/bash

can be followed by the usual set of commands,

sudo mount -o bind /proc /pathtochroot/proc
sudo mount -o bind /dev /pathtochroot/dev
sudo mount -o bind /dev/pts /pathtochroot/dev/pts
sudo mount -o bind /sys /pathtochroot/sys
sudo chroot /pathtochroot /bin/bash

and now you have your chroot with an IF.

But the question that follows is: don't you think that using a Linux container (LXC, OpenVZ, VServer) would be faster and simpler? Isn't a chroot with an interface the very same thing as a Linux container? Generally, when security issues are no concern, that's the way I go.

Edit:

Ok, I see your plight. Still, there is one possibility. Make two virtual interfaces on the same card, and make sure they both get an IP address from your DHCP. Now configure ssh to bind to one of them. You can do this both for the ssh client and for the ssh server. For the client, the instruction is

 ssh -b ip.address.tobind.to

while for the server you need to use the instruction

 ListenAddress ip.address.tobind.to

in the file /etc/ssh/sshd_config. This way you have forced the host to use only one interface. Then enter the chroot jail, and use the other interface. I am shaky on busybox capabilities, so I cannot state categorically that this will work. But it would work, if this were a chroot jail in a normal PC.

6
  • Thanks for your answer. The main reason I'm trying to do this with chroot is that it's a very limited system (the Linux on a Buffalo LinkStation NAS) with no package manager, so I want to "amplify" its functionality with Gentoo. Unfortunately, it also only comes with busybox (1.7), the ip command of which doesn't support netns... I'm pretty sure that the kernel doesn't support LXC, though the lack of source files makes that rather difficult (impossible?) to determine without compiling it. Commented Nov 5, 2013 at 8:00
  • Unfortunately the chrooted Gentoo's ip netns add gentoo yields a Failed to create a new network namespace "gentoo": Invalid argument - I guess that means the host kernel doesn't support net namespaces :( Commented Nov 7, 2013 at 8:28
  • Does it have netcat? And a named pipe? Or alternatively iptables? Commented Nov 7, 2013 at 9:32
  • It has busybox 1.7.0's nc and mkfifo, if they provide enough functionality: nc supports [-iN] [-wN] [-l] [-p PORT] [-f FILENAME|IPADDR PORTNUM] [-e COMMAND] and mkfifo -m Commented Nov 7, 2013 at 10:47
  • As a sidenote, ip addr add ... does work, so if I accept that the host can also "see" the additional IP all I need to do is figure out how to make the host sshd ignore the secondary IP while the chrooted one shall listen to that one's port 22 Commented Nov 7, 2013 at 11:21
0

This tool could be handy:

chname Run command or interactive shell with a new system hostname

SYNOPSIS

chname hostname [command ...]

DESCRIPTION

Create a new utsname namespace with a new system hostname and execute command. This is particularly useful for creating a chroot that has a hostname independent of the rest of the system.

This capability requires Linux 2.6.19 or later with CONFIG_UTS_NS=y.

works like a charm. The advantage over the recipe in the answer proposed by @MariusMatutiae is that it does not require setting up the namespace (adding veths, etc.). The disadvantage: it does not allow assigning a separate IP address to the chrooted environment.
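The two answers combined into one script, as an added example that is not part of either answer: the network-namespace plus bind-mount recipe from the first answer gives the chroot its own address on the LAN (here via a macvlan child of the host NIC rather than a veth pair), and an unshared UTS namespace gives it its own hostname, which is what chname does. All names, paths and addresses are constructed placeholders (192.0.2.0/24 is an RFC 5737 documentation range); it assumes an iproute2 `ip` with netns support on the host and util-linux `unshare` plus `hostname` inside the chroot, which a Gentoo tree provides. With no argument it only prints the command sequence; `up` executes it and needs root.

```shell
#!/bin/sh
# Added example, not code from either answer: start a chroot's sshd inside its
# own network namespace (own address on the LAN via macvlan) and its own UTS
# namespace (own hostname). Every name, path and address here is a constructed
# placeholder; override them in the environment. Assumes an iproute2 `ip` with
# netns support and util-linux `unshare` inside the chroot (Gentoo ships both).
CHROOT=${CHROOT:-/pathtochroot}        # the chroot tree from the first answer
NS=${NS:-chrootenv}                    # network namespace name
NS_HOST=${NS_HOST:-chrootenv}          # hostname seen inside the chroot
HOST_IF=${HOST_IF:-eth0}               # physical NIC the macvlan hangs off
NS_IF=${NS_IF:-mv0}                    # interface name inside the namespace
NS_ADDR=${NS_ADDR:-192.0.2.10/24}      # constructed RFC 5737 documentation address
NS_GW=${NS_GW:-192.0.2.1}
DRY_RUN=${DRY_RUN:-0}                  # 1 = print each command instead of running it

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A kernel built with CONFIG_NET_NS exposes /proc/self/ns/net. Without it,
# `ip netns add` fails with "Invalid argument", as the comments above report.
netns_supported() {
    [ -e /proc/self/ns/net ]
}

# Create the namespace and move a fresh macvlan child of $HOST_IF into it.
# In bridge mode the child has its own MAC address, so to the rest of the LAN
# the namespace looks like a separate host.
setup_netns() {
    run ip netns add "$NS"
    run ip link add "$NS_IF" link "$HOST_IF" type macvlan mode bridge
    run ip link set "$NS_IF" netns "$NS"
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip addr add "$NS_ADDR" dev "$NS_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip route add default via "$NS_GW"
}

# The usual pseudo-filesystem bind mounts from the first answer.
setup_mounts() {
    for fs in proc dev dev/pts sys; do
        run mount -o bind "/$fs" "$CHROOT/$fs"
    done
}

# Enter the network namespace, chroot, then unshare UTS and set the hostname
# (what chname does) before exec'ing sshd. sshd inherits both namespaces, so
# its port 22 binds only inside the namespace and never collides with the
# host's sshd, whatever ListenAddress the host uses.
start_sshd() {
    run ip netns exec "$NS" chroot "$CHROOT" /usr/bin/unshare --uts \
        sh -c "hostname '$NS_HOST' && exec /usr/sbin/sshd -D"
}

# Print the full command sequence without touching the system.
plan() {
    ( DRY_RUN=1; setup_netns; setup_mounts; start_sshd )
}

case "${1:-plan}" in
    plan) plan ;;
    up)   netns_supported || { echo "kernel lacks network namespaces" >&2; exit 1; }
          setup_netns && setup_mounts && start_sshd ;;
esac
```

Two caveats worth knowing before running `up`: with macvlan in bridge mode the host cannot reach the namespace's address through the same parent NIC (the kernel does not hairpin parent-to-child traffic), so test the chroot's sshd from another machine on the LAN; and on a kernel without CONFIG_NET_NS, such as the NAS kernel in the comments, `netns_supported` fails and the only option left is the two-address ListenAddress approach from the edited first answer.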
