saleshorse blog

Learning chroot

Photo by Ivan Aleksic on Unsplash

Learning chroot

Create an isolated "jail" environment within Linux

Sharif Elkassed's photo
Sharif Elkassed
·

26 min read

Table of contents

I'm currently working on a side project that will allow users from the public Internet to access a Linux server that I manage.

As you might imagine, there are a host of security concerns that come along with this requirement. I started looking for solutions and came across the idea of a chroot.

NOTE: I will be learning as I write this. This post is not intended to be a tutorial, but more a log of my working sessions and debugging efforts with this topic -- recording my thought process and what I learned along the way in a very informal matter.

What is chroot?

The idea is to create an isolated environment for a user (or users) so that they are limited in what they can see and do.

This is similar to the idea of a Docker container, but not quite the same.

A chroot lives inside an existing Linux install. You can almost think of it as an operating system within an operating system. Even if there are technically other users outside the chroot, the users inside the chroot are not aware of their existence. This is why a chroot is sometimes referred to as a "chroot jail".

The root user within a chroot is a sort of pseudo root. They do have root privileges within their sectioned-off operating system (the chroot jail), but those root privileges are being provisioned by the true root user, the one who set up the chroot.

Chroot creation -- first pass

I'm currently using a Raspberry Pi as my development server for this project, so that is where I'll be implementing the chroot.

I start by following this guide. The instructions are for Ubuntu (which is not what the Raspberry Pi is running), but the instructions here are more clear to me than others I've found so I'm going to try and make it work.

I install the schroot and debootstrap packages as instructed, create my /var/chroot directory, then open the /etc/schroot/schroot.conf file. I know I probably need to make some changes, but for now, I just leave it the way they suggest:

# /etc/schroot/schroot.conf

[lucid]
description=Ubuntu Lucid
location=/var/chroot
priority=3
users=your_username
groups=sbuild
root-groups=root

Here's the command they give to install the operating system within the chroot:

sudo debootstrap --variant=buildd --arch i386 lucid /var/chroot/ http://mirror.url.com/ubuntu/

The instructions say I need to replace mirror.url.com with a valid mirror, so I find a Raspbian mirror online and give it a go:

sudo debootstrap --variant=buildd --arch i386 lucid /var/chroot/ http://raspbian.mirrors.lucidnetworks.net/raspbian/ # press enter

# output -- error
E: Failed getting release file http://raspbian.mirrors.lucidnetworks.net/raspbian/dists/lucid/Release

At first, I thought that I just needed to find a Raspbian mirror that had /lucid under the /dists directory. I wasn't finding one. Then I thought that changing lucid to jammy would work, because I thought I saw jammy somewhere...

So I tried it

sudo debootstrap --variant=buildd --arch i386 jammy /var/chroot/ https://mirror.vcu.edu/pub/gnu_linux/ubuntu/ # press enter

# output -- error
E: No such script: /usr/share/debootstrap/scripts/jammy

Even though it didn't work, at least it was a new error!

I decided to look at the contents of the mentioned /scripts/ directory and see what was listed:

ls -la /usr/share/debootstrap/scripts # press enter

# output
drwxr-xr-x 2 root root 4096 May 16 06:40 .
drwxr-xr-x 3 root root 4096 May 16 06:40 ..
-rw-r--r-- 1 root root 6044 Jul 13  2022 aequorea
-rw-r--r-- 1 root root 6639 Jul 13  2022 amber
lrwxrwxrwx 1 root root    5 Jul 28  2022 artful -> gutsy
lrwxrwxrwx 1 root root    3 Jul 28  2022 ascii -> sid
lrwxrwxrwx 1 root root    8 Jul 28  2022 bartholomea -> aequorea
lrwxrwxrwx 1 root root    3 Jul 28  2022 beowulf -> sid
lrwxrwxrwx 1 root root    5 Jul 28  2022 bionic -> gutsy
lrwxrwxrwx 1 root root    3 Jul 28  2022 bookworm -> sid
-rw-r--r-- 1 root root 5404 Jul 13  2022 breezy
lrwxrwxrwx 1 root root    3 Jul 28  2022 bullseye -> sid
# ... <omitted output> ...

Although lucid is listed here (not shown in the output), I stopped when I saw bullseye because I know that is what my Raspberry Pi is running.

I also did not realize that the different names (lucid, bullseye, etc.) corresponded to different versions of Debian. After looking into it a bit, I learned that lucid is quite old (Ubuntu 10.04), while bullseye is much newer (18.04 +).

With that, I change my configuration:

# /etc/schroot/schroot.conf

[bullseye]
description=Raspbian Bullseye
location=/var/chroot
priority=3
users=sharif
groups=sbuild
root-groups=root

Changing lucid to bullseye is easy enough, but the mirror is a bit more involved. First, I need to find a list of mirrors, then find a mirror that is close to my geographical location.

I find the United States mirror and view its contents in the browser. From the error message I received previously, I know that the command looks for the version inside the dists/ directory from the provided mirror URL.

I navigate to the dists/ directory within the browser, and see that bullseye/ is listed.

Bingo!

So I go ahead and update my command with the correct version and mirror:

sudo debootstrap --variant=buildd --arch i386 bullseye /var/chroot/ http://ftp.us.debian.org/debian

It runs for a while and gets further than any of the previous attempts, but there's an issue at the very end:

W: Failure trying to run: chroot "/var/chroot" /bin/true
W: See /var/chroot/debootstrap/debootstrap.log for details

What happened here is that the bullseye version of Linux installed successfully within my /var/chroot/ directory, but the system failed to open a shell within the chroot environment.

I follow the output instructions and view the contents of debootstrap.log. At the end of the log is a more detailed error:

chroot: failed to run command ‘/bin/true’: Exec format error

I Google this error, and the suggested fix is to:

  • install the qemu-user-static package (required for user emulation)

  • sudo cp /usr/bin/qemu-arm-static /path/to/mount/usr/bin

    • needed to adjust the path on the right side for my use case:

    • sudo cp /usr/bin/qemu-arm-static /var/chroot/

  • systemctl restart systemd-binfmt.service

Now I can try to launch the shell again:

sudo chroot /var/chroot # press enter

# output
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
I have no name!@raspberrypi:/#

I'm now logged in, but there's no user associated with the session:

whoami # press enter

# output
whoami: cannot find name for user ID 0: No such file or directory

Digging deeper

Going through the above guide did not get me where I wanted to be. It was a good start, but I wasn't sure how to add a user in the chroot, or why it was launched without a user in the first place.

The guide also referenced some mount commands that I wasn't familiar with.

The end of the guide also mentioned using schroot instead of chroot, but I felt like I could use a bit more detail.

The last thing that spooked me a bit was that it seemed to imply that doing things incorrectly could result in the accidental erasure of data. That's not what I want.

So I decided to poke around a bit for other resources so that I could broaden my understanding. Some of the references in the initial guide seemed to assume I was more familiar with Linux than I am, so maybe I can find some more beginner-friendly material.

I found this post, which seems to make things a bit more simple, so I follow along with its example.

Making another chroot

Following the Linode guide linked in the last section, I proceed to make a new chroot:

mkdir ~/chroot-jail # press enter 

sudo debootstrap bullseye ~/chroot-jail # press enter and wait for install

sudo chroot ~/chroot-jail /bin/bash

This time when the chroot launches, I am the root user. I also didn't need to mess with any mirrors or config files. So far, this is much better.

But I still need to learn how to do things in the chroot. I need to explore what I'm able to do, and what I'm not able to do. I also need to figure out what the users of my app should and shouldn't be able to do.

Lots of work ahead.

Let's keep following the guide; it says to install sudo, but I seem to need to do some work before I can get there because I get this error when I run apt install sudo:

E: Can not write log (Is /dev/pts mounted?) - posix_openpt (19: No such device)

Scrolling down in that section of the guide, I see that it instructs to mount the /dev/ directory inside the chroot, along with some other directories:

exit # exit the chroot

# back in main operating system
sudo mount --bind /proc ~/chroot-jail/proc/
sudo mount --bind /sys ~/chroot-jail/sys/
sudo mount --bind /dev ~/chroot-jail/dev/

# back into the chroot
sudo chroot ~/chroot-jail /bin/bash
apt install sudo # it works!

This is better so far, but now I'm starting to see the issue behind the mount points. In this configuration, a user could alter or delete a file in the /proc, /sys or /dev directories, and it would impact the main OS.

I can see that the next section in the guide mentions using schroot instead of chroot to limit the user's access.

schroot

I want to prevent the chroot user from having root access, even inside the chroot, as we have just seen that it has the potential to be dangerous.

Following the guide:

exit # exit the chroot

which schroot # make sure schroot is installed
/usr/bin/schroot # schroot is installed

sudo vim /etc/schroot/schroot.conf # edit the schroot.config file

[bullseye]
description=Raspbian Bullseye
location=/home/sharif/chroot-jail
priority=3
users=sharif
groups=sbuild
root-groups=root

# save the file and exit

schroot -c bullseye # run the schroot

# output

W: line 87 [bullseye] priority: Could not parse value ‘3’
W: line 86 [bullseye]: Obsolete key ‘location’ used
I: This option has been removed, and no longer has any effect
W: Failed to change to directory ‘/home/sharif’: No such file or directory
I: The directory does not exist inside the chroot.  Use the --directory option to run the command in a di
fferent directory.
W: Falling back to directory ‘/’
W: Shell ‘/usr/bin/zsh’ not available: /usr/bin/zsh: Failed to stat file: No such file or directory
W: Falling back to shell ‘/bin/bash’

Going through the output line by line, I can start to see what's happening:

  • W: line 87 [bullseye] priority: Could not parse value ‘3’

    • the priority line was leftover from the first guide I followed. I'll remove it

  • W: line 86 [bullseye]: Obsolete key ‘location’ used

  • I: This option has been removed, and no longer has any effect

    • looks like another issue from the previous config file. I see in the new guide that the key has been updated to directory instead of location, so I make that change

  • W: Failed to change to directory ‘/home/sharif’: No such file or directory

  • I: The directory does not exist inside the chroot. Use the --directory option to run the command in a different directory.

    • it looks like I misunderstood what I was specifying in the config file. I thought I was pointing to the directory that the chroot was under, but it instead wants the directory to load inside the chroot

    • I assume I will need to first create a user inside the chroot, then point to that user's directory in the config file

  • W: Falling back to directory ‘/’

    • since there was no valid user for the chroot to load, we default to the root user directory

  • W: Shell ‘/usr/bin/zsh’ not available: /usr/bin/zsh: Failed to stat file: No such file or directory

  • W: Falling back to shell ‘/bin/bash’

    • I believe what happened here is that it tried to load zsh as my shell from the main operating system, because that is my user's default shell

    • This error should go away once I create a new user because their default shell will be bash and not zsh

So the first thing I need to do is create a user within the chroot. I remember now that I had to follow the guide's instructions out of order, and that there were steps on creating a user in the guide:

adduser chroot-test sudo
-bash: adduser: command not found

man useradd
-bash: man: command not found

$ which useradd
$ man useradd
-bash: man: command not found

Looks like I'm not able to add users within the chroot. I'll try installing the package(s) it calls out:

$ apt-get install man
E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?
$ pwd
/
$ whoami
whoami: cannot find name for user ID 1000

Ah, that's right. I'm still in the chroot that was launched with schroot, not the initial one I launched to install sudo. So I'll switch back to that:

exit #exit schroot

sudo chroot ~/chroot-jail /bin/bash # enter elevated chroot

useradd -m chroot-user # add user with home directory

ls /home # test to see if home directory was created
# output
chroot-user

usermod -aG sudo chroot-user # add user to sudo group

groups chroot-user # make sure sudo is listed
#output
chroot-user : chroot-user sudo

Now I need to exit the chroot, go back to the schroot configuration file, and see if it works with my new user:

exit # exit chroot
sudo vim /etc/schroot/schroot.conf # edit the schroot.config file

[bullseye]
description=Raspbian Bullseye
directory=/home/sharif/chroot-jail
users=chroot-user
groups=sbuild
root-groups=root

# save and exit the file

schroot -c bullseye

E: Access not authorised
I: You do not have permission to access the schroot service
I: This failure will be reported.

sudo schroot -c bullseye

W: Failed to change to directory ‘/home/sharif’: No such file or directory
I: The directory does not exist inside the chroot.  Use the --directory option to run the command in a different directory.
W: Falling back to directory ‘/root’

exit # exit the chroot

sudo vim /etc/schroot/schroot.conf # edit the schroot.config file

[bullseye]
description=Raspbian Bullseye
directory=/home/chroot-user
users=chroot-user
groups=sbuild
root-groups=root

# save and exit the file

sudo schroot -c bullseye
E: Failed to change to directory ‘/home/chroot-user’: No such file or directory

Seems to be some sort of circular logic here. I look back at the guide and see that it specifically says the user we are using in the chroot must match the user we are using to access the chroot.

I read this as: I need to also create a chroot-user in the actual operating system before I can use it in the chroot.

But, I'm tired, and sort of did the opposite by adding a sharif user to the chroot. Let's look at the effects of this mistake before correcting it:

sudo chroot ~/chroot-jail /bin/bash # enter chroot


useradd -m sharif

ls /home
chroot-user  sharif

groups sharif
sharif : sharif

sudo usermod -aG sudo sharif

exit # exit chroot

sudo vim /etc/schroot/schroot.conf 

[bullseye]
description=Raspbian Bullseye
directory=/home/sharif/chroot-jail
users=sharif
groups=sbuild
root-groups=root

# save and exit the file

schroot -c bullseye # enter chroot

W: Shell ‘/usr/bin/zsh’ not available: /usr/bin/zsh: Failed to stat file: No such file or directory
W: Falling back to shell ‘/bin/bash’
chroot-user@raspberrypi:~$ pwd
/home/sharif
chroot-user@raspberrypi:~$ whoami
chroot-user
chroot-user@raspberrypi:~$ cd ..
chroot-user@raspberrypi:/home$ ls
chroot-user  sharif
chroot-user@raspberrypi:/home$ cd sharif/
chroot-user@raspberrypi:~$ ls -la
total 20
drwxr-xr-x 2 sharif sharif 4096 May 17 11:59 .
drwxr-xr-x 4 root   root   4096 May 17 11:59 ..
-rw-r--r-- 1 sharif sharif  220 Mar 27  2022 .bash_logout
-rw-r--r-- 1 sharif sharif 3526 Mar 27  2022 .bashrc
-rw-r--r-- 1 sharif sharif  807 Mar 27  2022 .profile
chroot-user@raspberrypi:~$ pwd
/home/sharif
chroot-user@raspberrypi:~$ cd ../chroot-user/
chroot-user@raspberrypi:/home/chroot-user$ ls -la
total 20
drwxr-xr-x 2 chroot-user chroot-user 4096 May 17 11:41 .
drwxr-xr-x 4 root        root        4096 May 17 11:59 ..
-rw-r--r-- 1 chroot-user chroot-user  220 Mar 27  2022 .bash_logout
-rw-r--r-- 1 chroot-user chroot-user 3526 Mar 27  2022 .bashrc
-rw-r--r-- 1 chroot-user chroot-user  807 Mar 27  2022 .profile
chroot-user@raspberrypi:/home/chroot-user$ exit

So the problem is that I am logged into the chroot as the correct user, chroot-user, but there are some issues

  • the chroot starts in the /home/sharif directory

  • the sharif user should not be on the system (I want a dedicated chroot for each user)

The first logical step is to remove the sharif user from the chroot:

schroot -c bullseye
cd /home/chroot-user

sudo userdel -r sharif

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for chroot-user:

Oops, I never set a password when I created chroot-user. Let's see if I can fix that from within the chroot:

passwd chroot-user
Changing password for chroot-user.
Current password:

Hm, I'm prompted for a password when trying to change the password. That won't do. Let me try in the original chroot:

exit

sudo chroot ~/chroot-jail /bin/bash

ls /home
chroot-user  sharif

userdel -r sharif
userdel: sharif mail spool (/var/mail/sharif) not found

# userdel gives an error, but the deletion still worked

ls /home
chroot-user

# try setting a password for chroot-user now as root
passwd chroot-user
New password:
Retype new password:
passwd: password updated successfully

cat /etc/passwd # confirm that user sharif is not listed

Now I can do what I should have done originally -- create chroot-user on the base OS

exit # exit chroot

sudo adduser chroot-user # accept all default prompts
sudo adduser chroot-user sudo

Now I need to adjust the schroot config again to make sure it points to the right user directory:


sudo vim /etc/schroot/schroot.conf

[bullseye]
description=Raspbian Bullseye
directory=/home/sharif/chroot-jail
users=chroot-user # the only line that was changed
groups=sbuild
root-groups=root

# save and exit the file

schroot -c bullseye

# output 
E: Access not authorised
I: You do not have permission to access the schroot service.
I: This failure will be reported.

sudo schroot -c bullseye
W: Failed to change to directory ‘/home/sharif’: No such file or directory
I: The directory does not exist inside the chroot.  Use the --directory option to run the command in a different directory.
W: Falling back to directory ‘/root’

I think I finally understand the issue (at least partially).

It's trying to start the chroot from the base OS in the directory /home/sharif/chroot-jail, which does exist -- but that path (up until /chroot-jail also needs to be mirrored in the chroot OS, and since I removed thesharif user from the chroot, it no longer exists.

I believe the directory key will force the directory to be created on the base OS if it isn't already, but it can't create a folder in the chroot OS.

Time to try it out

sudo vim /etc/schroot/schroot.conf

[bullseye]
description=Raspbian Bullseye
directory=/home/chroot-user/chroot-jail # changed this line
users=chroot-user 
groups=sbuild
root-groups=root

# save and exit the file

schroot -c bullseye

E: Access not authorised
I: You do not have permission to access the schroot service.
I: This failure will be reported.

sudo schroot -c bullseye

E: Failed to change to directory ‘/home/chroot-user/chroot-jail’: No such file or directory

Okay, so I think the issue is that I set up the chroot-jail folder under my sharif user, and I now need to move it to chroot-user for the above to work:

sudo mv /home/sharif/chroot-jail /home/chroot-user/

ls ~/ # confirm chroot-user is no longer in my user's home directory

ls /home/chroot-user
chroot-jail

schroot -c bullseye
E: Access not authorised
I: You do not have permission to access the schroot service.
I: This failure will be reported.

sudo schroot -c bullseye
W: Failed to change to directory ‘/home/sharif’: No such file or directory
I: The directory does not exist inside the chroot.  Use the --directory option to run the command in a different directory.

And now I am back to being confused. I am not sure why the chroot is trying to access /home/sharif because it is not referenced in the configuration file.

I source my shell, then get a more fitting error message:

source ~/.zshrc

sudo schroot -c bullseye

E: Failed to change to directory ‘/home/chroot-user/chroot-jail ’: No such file or directory

ls /home/chroot-user
chroot-jail

The folder looks like it's there. so maybe it's a permissions issue?

 ls -la /home/chroot-user

drwxr-xr-x  3 chroot-user chroot-user 4096 May 17 09:55 .
drwxr-xr-x  5 root        root        4096 May 17 09:41 ..
-rw-r--r--  1 chroot-user chroot-user  220 May 17 09:41 .bash_logout
-rw-r--r--  1 chroot-user chroot-user 3523 May 17 09:41 .bashrc
drwxr-xr-x 17 root        root        4096 May 17 05:48 chroot-jail

Maybe it's because the chroot-jail folder is owned by root?

sudo chown chroot-user:chroot-user /home/chroot-user/chroot-jail

ls -la /home/chroot-user

drwxr-xr-x  3 chroot-user chroot-user 4096 May 17 09:55 .
drwxr-xr-x  5 root        root        4096 May 17 09:41 ..
-rw-r--r--  1 chroot-user chroot-user  220 May 17 09:41 .bash_logout
-rw-r--r--  1 chroot-user chroot-user 3523 May 17 09:41 .bashrc
drwxr-xr-x 17 chroot-user chroot-user 4096 May 17 05:48 chroot-jail
-rw-r--r--  1 chroot-user chroot-user 1670 May 17 09:41 .mkshrc
-rw-r--r--  1 chroot-user chroot-user  807 May 17 09:41 .profile

schroot -c bullseye
E: Access not authorised
I: You do not have permission to access the schroot service.
I: This failure will be reported.

sudo schroot -c bullseye
E: Failed to change to directory ‘/home/chroot-user/chroot-jail ’: No such file or directory

sudo vim /etc/schroot/schroot.conf 

# change directory to /home/chroot-user (take off '/chroot-jail')

schroot -c bullseye

E: Access not authorised
I: You do not have permission to access the schroot service.
I: This failure will be reported.

sudo schroot -c bullseye

W: Failed to change to directory ‘/home/sharif’: No such file or directory
I: The directory does not exist inside the chroot.  Use the --directory option to run the command in a different directory.
W: Failed to change to directory ‘/root’: No such file or directory
I: The directory does not exist inside the chroot.  Use the --directory option to run the command in a different directory.
W: Falling back to directory ‘/’
W: Shell ‘/bin/bash’ not available: /bin/bash: Failed to stat file: No such file or directory
W: Shell ‘/bin/sh’ not available: /bin/sh: Failed to stat file: No such file or directory
W: Falling back to shell ‘/bin/sh’
E: Failed to execute “/bin/sh”: No such file or directory

Now I get even more errors! My understanding of the configuration needs a little work. One thing that I can say is that it seems related to file permissions between the base OS and the chroot.

I decide to look up the documentation for schroot, and it looks like I might need to specify my chroot type as directory :

# /etc/schroot/schroot.conf
[bullseye]
description=Raspbian Bullseye
type=directory # added this line
directory=/home/chroot-user/chroot-jail # changed this line
users=chroot-user
groups=sbuild
root-groups=root
# save the file

schroot -c bullseye
E: Access not authorised
I: You do not have permission to access the schroot service.
I: This failure will be reported.

sudo schroot -c bullseye

I know that I should be able to run the schroot -c bullseye command without elevated permissions. When I get an error, I know that there is something amiss with the configuration. However, when I run it with sudo, I typically get some more information about why the command failed.

This time, when I run it with sudo, I get no errors, but I still don't get the desired behavior. For one, it puts me in the /home/sharif directory on the base OS, not the chroot. Even worse, when I run a whoami, I get back root.

I need to understand why this is happening. I think I will try un-commenting one of the more basic-looking configs in the schroot.conf file and see what happens:

[sid]
description=Debian sid (unstable)
directory=/srv/chroot/sid
users=rleigh # changing this to 'chroot-user'
groups=sbuild
root-groups=root
aliases=unstable,default
# save the file

schroot -c sid

E: Access not authorised
I: You do not have permission to access the schroot service.
I: This failure will be reported.

sudo schroot -c sid
E: Failed to change to directory ‘/srv/chroot/sid’: No such file or directory

Running the command with sudo gives an error that the directory doesn't exist, so I create it and try again:

sudo mkdir -p /srv/chroot/sid

sudo schroot -c sid

W: Failed to change to directory ‘/home/sharif’: No such file or directory
I: The directory does not exist inside the chroot.  Use the --directory option to run the command in a different directory.
W: Failed to change to directory ‘/root’: No such file or directory
I: The directory does not exist inside the chroot.  Use the --directory option to run the command in a different directory.
W: Falling back to directory ‘/’
W: Shell ‘/bin/bash’ not available: /bin/bash: Failed to stat file: No such file or directory
W: Shell ‘/bin/sh’ not available: /bin/sh: Failed to stat file: No such file or directory
W: Falling back to shell ‘/bin/sh’
E: Failed to execute “/bin/sh”: No such file or directory

So, this is strange... even though there is no reference to /home/sharif in the config file, it is looking for that directory in the chroot. Did I maybe mess something up with the chroot-user ?

I decide to look back at the guide I was originally following, and start fresh. Maybe I will notice something that I didn't before, now that I have a bit more experience with it.

I start by deleting the chroot-jail folder that I tried to assign to the chroot-user, delete the user, recreate the chroot-jail folder, and reinstall the chroot OS there:

sudo rm -rf /home/chroot-user/chroot-jail

sudo userdel -r chroot-user

mkdir ~/chroot-jail

sudo debootstrap bullseye ~/chroot-jail

The install runs for a while, but ends with an error when trying to run the chroot:

W: Failure trying to run: chroot "/home/sharif/chroot-jail" dpkg --force-overwrite --force-confold --skip-same-version -
-install /var/cache/apt/archives/libapparmor1_2.13.6-10_armhf.deb /var/cache/apt/archives/libargon2-1_0~20171227-0.2_arm
hf.deb /var/cache/apt/archives/libcryptsetup12_2%3a2.3.7-1+deb11u1_armhf.deb /var/cache/apt/archives/libip4tc2_1.8.7-1_a
rmhf.deb /var/cache/apt/archives/libjson-c5_0.15-2_armhf.deb /var/cache/apt/archives/libkmod2_28-1_armhf.deb /var/cache/
apt/archives/libcap2_1%3a2.44-1_armhf.deb /var/cache/apt/archives/dmsetup_2%3a1.02.175-2.1_armhf.deb /var/cache/apt/arch
ives/libdevmapper1.02.1_2%3a1.02.175-2.1_armhf.deb /var/cache/apt/archives/systemd_247.3-7+deb11u2_armhf.deb

W: See /home/sharif/chroot-jail/debootstrap/debootstrap.log for details (possibly the package systemd is at fault)

The first message is a bit tough to unpack, so I go to the second, which gives me a file path for a log that I can view:

cat /home/sharif/chroot-jail/debootstrap/debootstrap.log # press enter

# last part of output:
dpkg: error processing package systemd (--install):
 installed systemd package post-installation script subprocess returned error exit status 73

Processing triggers for libc-bin (2.31-13+deb11u6) ...
Errors were encountered while processing:
 systemd

The dpkg error seems more specific, so I start by googling that.

I end up on this post, and give the accepted answer a try:

stat / /dev /var # press enter

It looks like root is the owner of all those directories, so I believe my problem is a different one. The post above gives credit to another post, which has another answer that includes removing /var/lib/dpkg/info/systemd*. Somebody in the comments said this fixed the problem, but now they have warnings about missing files when they use apt-get to install something. I'm not sure if I like this solution.

I decide to go back to my Google search results. Another post suggests running sudo apt update:

sudo apt update

Now I should be able to try and run the chroot again since the install worked; the problem is with launching the chroot. Time to see if the update fixed it:

sudo chroot ~/chroot-jail /bin/bash

This works, but now the problem is that I'm using chroot, which gives full access to the chroot, when I need to be using schroot for limited access.

I continue following the instructions in the guide:

# in the chroot
adduser sharif# go through the prompts to set a password and info
adduser sharif sudo

# exit chroot
exit

# mount per instructions
sudo mount --bind /proc ~/chroot-jail/proc/
sudo mount --bind /sys ~/chroot-jail/sys/
sudo mount --bind /dev ~/chroot-jail/dev/

# /etc/schroot/schroot.conf
[bullseye]
description=Raspbian Bullseye
directory=/home/sharif/chroot-jail
users=sharif
groups=sbuild
root-groups=root
aliases=bullseye
# save the file

# run schroot
schroot -c bullseye

It works! The issue was that the user you are launching the command as in the base operating system must match the user in the chroot. I was only halfway there before since I had a matching user in the chroot, but I was not executing the command as that user from the base OS.

Now, the issue is that I don't think the sharif user in the chroot should have root privileges, but my sharif user in the base OS does have root privileges. I think I need to do this again, but with a non-elevated user on both sides:

# remove the chroot-jail folder for my sharif user
sudo rm -rf ~/chroot-jail

# output gives a bunch of 'Permission denied' errors

Ah, that's right. I need to follow the instructions for removing a chroot.

sudo umount ~/chroot-jail/dev
sudo umount ~/chroot-jail/sys
sudo umount ~/chroot-jail/proc

# output
git_prompt_info:3: permission denied: /dev/null
# end output
sudo rm -R ~/chroot-jail

git_prompt_info:3: permission denied: /dev/null

It looks like the removal worked, but I'm not sure what the error is for, so back to Google..

Looks like rebooting the system will do the trick:

sudo reboot

Now I need to create the non-root user in the base OS, install the chroot jail under their user this time, then add the user in the chroot:

sudo adduser schrooty # press enter

# go through propts to set password, name etc.

# switch users
su - schrooty # press enter
# enter password

# follow chroot instructions
mkdir ~/chroot-jail

And it is at this point that I realize that I was incorrect in my thought process. Following the instructions for setting up the chroot, sudo is required. That means that I either need to:

  • run the commands as my sharif user in the base OS, and point to /home/schrooty/root-jail when I install and run chroot

  • create another user that I add to sudo, which will be used for managing the chroot (I don't want to manage it with my normal user account that I use for everything else)

It's also worth calling out that I'm not sure if the chroot user needs to own the chroot-jail folder, or if it needs to be owned by root. I assume it needs to be owned by the chroot user, as the instructions do not say to run the mkdir command with sudo

It may also be the case that the folder needs to be owned by whatever user is spawning the chroot.

# switch back to sharif user
su - sharif # press enter
# enter password

# follow instructions, but pointing to schrooty
sudo debootstrap bullseye /home/schrooty/chroot-jail

# output
W: Failure trying to run: chroot "/home/schrooty/chroot-jail" dpkg --force-overwrite --force-confold --skip-same-version --install /var/cache/apt/archives/libapparmor1_2.13.6-10_armhf.deb /var/cache/apt/archives/libargon2-1_0~20171227-0.2_armhf.deb /var/cache/apt/archives/libcryptsetup12_2%3a2.3.7-1+deb11u1_armhf.deb /var/cache/apt/archives/libip4tc2_1.8.7-1_armhf.deb /var/cache/apt/archives/libjson-c5_0.15-2_armhf.deb /var/cache/apt/archives/libkmod2_28-1_armhf.deb /var/cache/apt/archives/libcap2_1%3a2.44-1_armhf.deb /var/cache/apt/archives/dmsetup_2%3a1.02.175-2.1_armhf.deb /var/cache/apt/archives/libdevmapper1.02.1_2%3a1.02.175-2.1_armhf.deb /var/cache/apt/archives/systemd_247.3-7+deb11u2_armhf.deb

W: See /home/schrooty/chroot-jail/debootstrap/debootstrap.log for details (possibly the package systemd is at fault)

It's the same error I got last time. I guess running the update didn't do anything. I decide to ignore the warning and try to run the chroot:

sudo chroot /home/schrooty/chroot-jail /bin/bash # press enter

# successfully launched chroot
# now in chroot
adduser schrooty # press enter
# go through prompts to create user and set password
# exit chroot
exit

# back in base OS (as user sharif)
sudo mount --bind /proc /home/schrooty/chroot-jail/proc/
sudo mount --bind /sys /home/schrooty/chroot-jail/sys/
sudo mount --bind /dev /home/schrooty/chroot-jail/dev/

# configure schroot
sudo vim /etc/schroot/schroot.conf

[bullseye]
description=Raspbian Bullseye
directory=/home/schrooty/chroot-jail
users=schrooty
groups=sbuild
root-groups=root
aliases=bullseye
# save and exit the file

# attempt to launch schroot
schroot -c bullseye
W: line 91 [bullseye] aliases: Alias ‘bullseye’ already associated with ‘unknown’ chroot
E: Access not authorised
I: You do not have permission to access the schroot service.
I: This failure will be reported.

# is the problem with the alias?
sudo vim /etc/schroot/schroot.conf
# remove alias and save file

# nope, didn't fix it
schroot -c bullseye
E: Access not authorised
I: You do not have permission to access the schroot service.
I: This failure will be reported.

# try with sudo
sudo schroot -c bullseye
W: Failed to change to directory ‘/home/sharif’: No such file or directory
I: The directory does not exist inside the chroot.  Use the --directory option to run the command in a different directory.
W: Falling back to directory ‘/root’

# maybe I need to run this as schrooty?
# exit chroot (since it launched as root -- not what I want)
exit
su - schrooty
schroot -c bullseye # success!

It works this time, but there are some issues:

  • the prompt shows up as I have no name!@raspberrypi

  • running groups yields: groups: cannot find name for group ID 1003

  • running whoami yields: whoami: cannot find name for user ID 1002

However, the chroot did launch in the correct directory: /home/schrooty. The problem seems to be that it's not launching the session as schrooty.

After looking online, I learn that is not the reason for this behavior. It is because files like /etc/passwd and /etc/shadow are not present in the chroot, so they need to be mounted like the other directories from the config instructions.

I will keep this post as reference, as the answer was given by the author of the schrooty package

# exit chroot
exit

# switch back to sharif user so I can use sudo
su - sharif 
# enter password

# mount files
sudo mount --bind /etc/passwd /home/schrooty/chroot-jail/etc/passwd
sudo mount --bind /etc/shadow /home/schrooty/chroot-jail/etc/shadow

# switch back to schrooty
su - schrooty
# enter password

# launch chroot
schroot -c bullseye

# prompt now has username -- schrooty@raspberrypi:~ $
whoami
# output
schrooty

groups
#output
groups: cannot find name for group ID 1003

Much better! Except I now need to copy the file for groups over to the chroot:

# exit chroot
exit

# switch users
su - sharif

# mount file
sudo mount --bind /etc/group /home/schrooty/chroot-jail/etc/group

# switch users
su - schrooty

# luanch chroot
schroot -c bullseye

pwd # outputs /home/schrooty
whoami # outputs schrooty
groups # outputs schrooty

After alllll of this, I decided to look into how secure chroot (even with schroot) actually is...

And it's not good. It looks relatively easy to exploit.

It looks like a Docker container is going to give me what I'm after, but I still think this was a good exercise.

So, stay tuned for the Docker version of this one I guess 😅

Linuxlinux for beginnerscontainersSecurity