无根草根
uchroot的Python项目详细描述
没有根特权的chroot。
uchroot.py使用Linux用户名称空间和装载名称空间来创建 没有根的克洛特监狱。这并不是一个完全没有根的解决方案,因为 需要newuidmap和newgidmap set uid root helper函数(在ubuntu上, 与uidmap包一起安装)。
如果您只需要输入chroot,那么这个要求实际上是不必要的。 映射了单个用户ID的监狱。
要求
需要一个启用了用户名空间的linux(注意,red hat可以 默认情况下不会)和newuidmapsetuid帮助程序(安装 newuidmapubuntu包)。
要检查您的内核是否使用用户名空间构建,请访问ubuntu:
~$ cat /boot/config-`uname -r` | grep CONFIG_USER_NS CONFIG_USER_NS=y
在其他Linuxes上,请尝试:
~$ zcat /proc/config.gz | grep CONFIG_USER_NS
用法
usage: uchroot [-h] [-v] [-l {debug,info,warning,error}] [-s] [-c CONFIG] [rootfs] Chroot without root priviledges This is a pretty simple process spawner that automates the construction of user and mount namespaces in order to create chroot jails without root. It's not entirely a no-root solution because it requires the newuidmap and newgidmap set-uid-root helper functions (on ubuntu, installed with the uidmap package). This requirement is not necessary if you only need to enter the chroot jail with a single user id mapped. positional arguments: rootfs path of the rootfs to enter optional arguments: -h, --help show this help message and exit -v, --version show program's version number and exit -l {debug,info,warning,error}, --log-level {debug,info,warning,error} Set the verbosity of messages -s, --subprocess use subprocess instead of exec -c CONFIG, --config CONFIG Path to config file --argv [ARGV [ARGV ...]] --cwd CWD --binds [BINDS [BINDS ...]] --gid-range [GID_RANGE [GID_RANGE ...]] --exbin EXBIN --qemu QEMU --uid-range [UID_RANGE [UID_RANGE ...]] --identity [IDENTITY [IDENTITY ...]]
高级配置可以用python中的配置文件指定 格式。命令行参数覆盖配置中指定的选项 文件:
# The directory to chroot into rootfs = "/tmp/rootfs" # List of paths to bind into the new root directory. These binds are # done inside a mount namespace and will not be reflected outside # the process tree started by the script. binds = [ "/dev/urandom", "/etc/resolv.conf", ] # If specified, indicates the path to a qemu instance that should be bound # into the mount namespace of the jail qemu = "/usr/bin/qemu-aarch64-static" # After entering the jail, assume this [uid, gid]. [0, 0] for root. identity = (0, 0) # uids in the namespace starting at 1 are mapped to uids outside the # namespace starting with this value and up to this many ids. Note that # the uid range outside the namespace must lie within the current users # allowed subordinate uids. See (or modify) /etc/subid for the range # available to your user. uid_range = (100000, 65536) # Same as uid_map above, but for gids. gid_range = (100000, 65536) # Set the current working directory to this inside the jail cwd = "/" # The following variables specify what to execute after chrooting into the jail # ----------------------------------------------------------------------------- # The path of the program to execute exbin = "/bin/bash" # The argument vector to expose as argv,argc to the called process argv = ["bash"], # The environment of the called process. Use an empty dictionary for an # empty environment, or None to use the host environment. env = { # Any environment variable encountered as a list will be join()ed using # path separator (':') "PATH": [ # "/usr/local/sbin", # "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin" ], "DEBIAN_FRONTEND": "noninteractive", "DEBCONF_NONINTERACTIVE_SEEN": "true", "LC_ALL": "C", "LANGUAGE": "C", "LANG": "C" }