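Rootless chroot

Detailed description of the uchroot Python project


Chroot without root privileges.

uchroot.py uses Linux user namespaces and mount namespaces to create chroot jails without root. It is not entirely a no-root solution, because it requires the newuidmap and newgidmap set-uid-root helper programs (on Ubuntu, installed with the uidmap package).

This requirement is not necessary if you only need to enter the chroot jail with a single user ID mapped.

Requirements

Requires a Linux with user namespaces enabled (note that Red Hat may not enable them by default) and the newuidmap setuid helper (install the uidmap Ubuntu package).

To check whether your kernel was built with user namespaces, on Ubuntu: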

~$ cat /boot/config-`uname -r` | grep CONFIG_USER_NS
CONFIG_USER_NS=y

On other Linux distributions, try:

~$ zcat /proc/config.gz | grep CONFIG_USER_NS

Usage

usage: uchroot [-h] [-v] [-l {debug,info,warning,error}] [-s] [-c CONFIG]
                [rootfs]

Chroot without root priviledges This is a pretty simple process spawner that
automates the construction of user and mount namespaces in order to create
chroot jails without root. It's not entirely a no-root solution because it
requires the newuidmap and newgidmap set-uid-root helper functions (on ubuntu,
installed with the uidmap package). This requirement is not necessary if you
only need to enter the chroot jail with a single user id mapped.

positional arguments:
rootfs                path of the rootfs to enter

optional arguments:
-h, --help            show this help message and exit
-v, --version         show program's version number and exit
-l {debug,info,warning,error}, --log-level {debug,info,warning,error}
                        Set the verbosity of messages
-s, --subprocess      use subprocess instead of exec
-c CONFIG, --config CONFIG
                        Path to config file
--argv [ARGV [ARGV ...]]
--cwd CWD
--binds [BINDS [BINDS ...]]
--gid-range [GID_RANGE [GID_RANGE ...]]
--exbin EXBIN
--qemu QEMU
--uid-range [UID_RANGE [UID_RANGE ...]]
--identity [IDENTITY [IDENTITY ...]]

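Advanced configuration can be specified with a configuration file in Python format. Command-line arguments override options specified in the configuration file: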

# The directory to chroot into
rootfs = "/tmp/rootfs"

# List of paths to bind into the new root directory. These binds are
# done inside a mount namespace and will not be reflected outside
# the process tree started by the script.
binds = [
    "/dev/urandom",
    "/etc/resolv.conf",
]

# If specified, indicates the path to a qemu instance that should be bound
# into the mount namespace of the jail
qemu = "/usr/bin/qemu-aarch64-static"

# After entering the jail, assume this [uid, gid]. [0, 0] for root.
identity = (0, 0)

# uids in the namespace starting at 1 are mapped to uids outside the
# namespace starting with this value and up to this many ids. Note that
# the uid range outside the namespace must lie within the current user's
# allowed subordinate uids. See (or modify) /etc/subuid for the range
# available to your user.
uid_range = (100000, 65536)

# Same as uid_range above, but for gids (see /etc/subgid).
gid_range = (100000, 65536)

# Set the current working directory to this inside the jail
cwd = "/"

# The following variables specify what to execute after chrooting into the jail
# -----------------------------------------------------------------------------

# The path of the program to execute
exbin = "/bin/bash"

# The argument vector to expose as argv,argc to the called process
argv = ["bash"]

# The environment of the called process. Use an empty dictionary for an
# empty environment, or None to use the host environment.
env = {
    # Any environment variable encountered as a list will be join()ed using
    # path separator (':')
    "PATH": [
        # "/usr/local/sbin",
        # "/usr/local/bin",
        "/usr/sbin",
        "/usr/bin",
        "/sbin",
        "/bin"
    ],
    "DEBIAN_FRONTEND": "noninteractive",
    "DEBCONF_NONINTERACTIVE_SEEN": "true",
    "LC_ALL": "C",
    "LANGUAGE": "C",
    "LANG": "C"
}
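
The uid_range comment above requires the outside range to lie within the user's subordinate ids. The following is an added example, not part of uchroot: it checks a uid_range against /etc/subuid-style text and builds the matching newuidmap argument list. It assumes that uid 0 inside the jail maps to the caller's own uid and, conservatively, that the range must fit inside a single /etc/subuid entry; the function names and sample data are hypothetical.

```python
# Added example (not uchroot's code): validate uid_range before calling newuidmap.
def parse_subid(text, user, uid):
    """Return [(start, count), ...] granted to `user` (by name or numeric uid)."""
    grants = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            continue  # malformed line, ignore it
        owner, start, count = fields
        if owner in (user, str(uid)) and start.isdigit() and count.isdigit():
            grants.append((int(start), int(count)))
    return grants


def range_allowed(id_range, grants):
    """True if (first, count) lies entirely within one grant (conservative)."""
    first, count = id_range
    if count <= 0:
        return False
    return any(s <= first and first + count <= s + c for s, c in grants)


def newuidmap_args(pid, own_uid, uid_range, grants):
    """Build argv: inside uid 0 -> own_uid (assumption), inside 1.. -> uid_range."""
    if not range_allowed(uid_range, grants):
        raise ValueError("uid_range %r is outside the ids granted in /etc/subuid"
                         % (uid_range,))
    first, count = uid_range
    # newuidmap <pid> <inside> <outside> <count> [<inside> <outside> <count> ...]
    return ["newuidmap", str(pid), "0", str(own_uid), "1",
            "1", str(first), str(count)]


# Constructed sample of /etc/subuid content (not taken from a real system).
SAMPLE_SUBUID = """\
alice:100000:65536
bob:165536:65536
"""

if __name__ == "__main__":
    grants = parse_subid(SAMPLE_SUBUID, "alice", 1000)
    print(newuidmap_args(4242, 1000, (100000, 65536), grants))
```

The same check applies to gid_range with /etc/subgid and newgidmap.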
