[SOLVED] How to let normal user run chroot without password?

ss · 2018-06-23 16:55:30

I use the quark webserver together with the sw webpage generator to serve some simple webpages to a local network so that I can preview them before uploading to internet.
I have a Makefile which allows me to rebuild and host the website easily.

SOURCEDIR=/path/to/mysite
DESTDIR=/path/to/mysite.static
IP=192.168.0.99

all:
    sw $(SOURCEDIR)
clean:
    rm -rf $(DESTDIR)
serve:
    sudo quark -h "${IP}" -p 8888 -g http -d $(DESTDIR)

However, quark use chroot, and I need to run sudo and type a password everytime I rebuild the site.

I added the following line in /etc/sudoers with visudo, but it doesn't work. I have no idea why. The other shutdown commands in the same line do work.

%wheel ALL=(ALL) NOPASSWD: /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/shutdown, /usr/bin/chroot

1. Is it really a bad idea to allow a normal user to run chroot without password? ( I'm the only one using the computer)
2. How should I solve the problem in this situation?

Last edited by ss (2018-06-23 21:26:34)

ss · 2018-06-23 17:05:24

ss wrote:

I use the quark webserver together with the sw webpage generator to serve some simple webpages to a local network so that I can preview them before uploading to internet.
I have a Makefile which allows me to rebuild and host the website easily.

SOURCEDIR=/path/to/mysite
DESTDIR=/path/to/mysite.static
IP=192.168.0.99

all:
    sw $(SOURCEDIR)
clean:
    rm -rf $(DESTDIR)
serve:
    sudo quark -h "${IP}" -p 8888 -g http -d $(DESTDIR)

Moreover, how could I update the pages without restarting the webserver? With make serve running in another terminal, I thought I could edit the markdown files in a text editor, then run make clean && make to regenerate the static pages. But I got 403 error in the browser. EDIT: I get 404 error, although I remember it was 403, but can't reproduce it anymore, maybe I just misread the message.

Strangely, if I manually edit the html files of the static site, I can see the update in a web browser without restarting quark. What am I missing here?

Last edited by ss (2018-06-23 17:23:43)

loqs · 2018-06-23 17:08:33

sudo quark -h "${IP}" -p 8888 -g http -d $(DESTDIR)

sudo encounters the above and has no match for that in

%wheel ALL=(ALL) NOPASSWD: /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/shutdown, /usr/bin/chroot

so it prompts for the password before quark internally uses sudo chroot?

ss · 2018-06-23 17:21:00

loqs wrote:

sudo quark -h "${IP}" -p 8888 -g http -d $(DESTDIR)
sudo encounters the above and has no match for that in
%wheel ALL=(ALL) NOPASSWD: /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/shutdown, /usr/bin/chroot
so it prompts for the password before quark internally uses sudo chroot?

Now I have tried the following

%wheel ALL=(ALL) NOPASSWD: /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/shutdown, /usr/bin/chroot, /usr/local/bin/quark

And then ran quark in a terminal, got the same permission denied message.

$ quark -h localhost -p 8888 -g http -d /path/to/mysite.static
quark: chroot .: Operation not permitted

loqs · 2018-06-23 17:25:10

If you run `sudo quark -h localhost -p 8888 -g http -d /path/to/mysite.static`?
Edit:
https://git.suckless.org/quark/tree/main.c#n266
Are you sure quark uses sudo?

Last edited by loqs (2018-06-23 17:27:37)

ss · 2018-06-23 17:58:06

loqs wrote:

If you run `sudo quark -h localhost -p 8888 -g http -d /path/to/mysite.static`?
Edit:
https://git.suckless.org/quark/tree/main.c#n266
Are you sure quark uses sudo?

`sudo quark -h localhost -p 8888 -g http -d /path/to/mysite.static` will prompt for the password of my normal user, then it will run.
I'm not sure about quark using sudo or not, and can't figure out from the source code. Sorry.

I have tried the following:

Here are all the code I could find about chroot.

main.c
----
		/* chroot */
		if (chdir(servedir) < 0) {
			die("chdir '%s':", servedir);
		}
		if (chroot(".") < 0) {
			die("chroot .:");
		}

It uses chdir. After briefly reading man chdir, I am really not sure why does it need superuser privilege.
I also search the text "chroot .: Operation not permitted" through the whole source, but couldn't find any match. So it seems that it does come from an existing program, and probably chroot?

ss · 2018-06-23 18:05:14

EDIT: It does use chroot, doesn't it?

if (chroot(".") < 0) {
			die("chroot .:");
		}

from man 2 chroot

chroot() changes the root directory of the calling process to that specified in path. This directory will be used for pathnames beginning with /. The root directory is inher‐
ited by all children of the calling process.
Only a privileged process (Linux: one with the CAP_SYS_CHROOT capability in its user namespace) may call chroot().

But what does it mean in the practice, especially from the perspective of users? Linux: one with the CAP_SYS_CHROOT capability in its user namespace

loqs · 2018-06-23 18:26:06

It uses the chroot system call so it needs to be run by a user with CAP_SYS_CHROOT which means the root user unless you enable unprivileged usernamespaces.
Not sure why `sudo quark -h localhost -p 8888 -g http -d /path/to/mysite.static` is prompting for a password. The binary is located at /usr/local/bin/quark ?

seth · 2018-06-23 18:29:53

Is your user in the wheel group?

groups

ss · 2018-06-23 18:42:36

seth wrote:

Is your user in the wheel group?
groups

Yes.

$ groups
users video input wheel myuser

seth · 2018-06-23 19:12:20

loqs wrote:

The binary is located at /usr/local/bin/quark ?

type quark

ss · 2018-06-23 19:27:02

The binary path is OK.

$ type quark
quark is /usr/local/bin/quark

ss · 2018-06-23 19:29:41

loqs wrote:

It uses the chroot system call so it needs to be run by a user with CAP_SYS_CHROOT which means the root user unless you enable unprivileged usernamespaces.

How to enable unprivileged usernamespaces for a normal user?

loqs · 2018-06-23 19:45:40

Enable_support_to_run_unprivileged_containers but you would still need something to create the new namespace.
That also does not explain the issue with sudo.

seth · 2018-06-23 19:59:17

I'd also focus on the sudo issue first - this doesn't sound benign.

type sudo

Also try whether you can add other commands there, eg. "/usr/bin/lscpu" or (to check on path resolution issues) "lscpu".

loqs · 2018-06-23 20:02:43

`sudo poweroff` `sudo shutdown` `sudo reboot` all work without password prompt?
`poweroff` `shutdown` `reboot` also work without password?

ss · 2018-06-23 20:26:48

$ type sudo
sudo is hashed (/usr/bin/sudo)

loqs wrote:

`sudo poweroff` `sudo shutdown` `sudo reboot` all work without password prompt?
`poweroff` `shutdown` `reboot` also work without password?

Yes. These commands, which I added earlier before quark to /etc/sudoers, all work as expected. `sudo command` doesn't prompt password. `command` works directly.

However, now I cannot add any new commands to NOPASSWORD by editing /etc/sudoers anymore. Since lspci, lscpu already work without password, so I tried `/usr/bin/powertop`, but got the same result as quark. Password is asked.

seth · 2018-06-23 20:37:57

It does not matter whether lspci "works" w/o root permissions since you'll have to invoke "sudo lspci" to test it anyway.
Anyway: what if you move the /usr/bin/powertop" before the chroot entry?

Also check the output of "sudo -ll"

ss · 2018-06-23 21:04:42

$ sudo -ll
User myuser may run the following commands on myhost:

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        /usr/bin/powertop
        /usr/bin/poweroff
        /usr/bin/reboot
        /usr/bin/shutdown
        /usr/local/bin/quark
        /usr/bin/chroot
        /usr/bin/lscpu

`sudo lscpu` does not ask for password.
Now I put /usr/bin/powertop before chroot, but it seems to have the same result.

]$ powertop
PowerTOP v2.9 must be run with root privileges.
exiting...

I also find out that `sudo quark`, `sudo powertop` don't prompt for password anymore. But

$quark -h localhost -p 8888 -g http -d /path/to/mysite.static
quark: chroot .: Operation not permitted

same as powertop.

seth · 2018-06-23 21:09:22

Dude, you still have to run "sudo powertop" - sudo is not like the SUID…

ss · 2018-06-23 21:13:34

Is that the expected behavior? I need to run `sudo quark`, but don't have to give the password. So I have misunderstood the poweroff and shutdown? I thought by adding those commands to `%wheel ALL=(ALL) NOPASSWD:` it allows me to drop sudo.

ss · 2018-06-23 21:15:34

seth wrote:

Dude, you still have to run "sudo powertop" - sudo is not like the SUID…

OK. Then why I don't have to run "sudo poweroff"? I remember if I don't edit /etc/sudoers, I can't run poweroff and shutdown as normal user. What is the relevant man or wiki page to read?

seth · 2018-06-23 21:18:40

ss wrote:

I need to run `sudo quark`, but don't have to give the password.

Yes.

ss wrote:

I thought by adding those commands to `%wheel ALL=(ALL) NOPASSWD:` it allows me to drop sudo.

God god: NOOOO!! Sudo *allows* you to elevate privs, it doesn't enforce that behavior. You'd end up inadvertidly running things as root.

You can "poweroff" because you're the active user, see https://wiki.archlinux.org/index.php/al … o_shutdown

ss · 2018-06-23 21:26:01

seth wrote:

God god: NOOOO!! Sudo *allows* you to elevate privs, it doesn't enforce that behavior. You'd end up inadvertidly running things as root.
You can "poweroff" because you're the active user, see https://wiki.archlinux.org/index.php/al … o_shutdown

Now I see. That was embarrassing. Thank you for taking your time to explain.

ss · 2018-06-23 21:32:09

The problem is solved. But there is still one thing I don't understand. It did indeed prompt password for `sudo quark` etc. But I don't see which thing I have changed produce the correct behavior for now.
Anyway, many thanks for the help.

Arch Linux

#1 2018-06-23 16:55:30

[SOLVED] How to let normal user run chroot without password?

#2 2018-06-23 17:05:24

Re: [SOLVED] How to let normal user run chroot without password?

#3 2018-06-23 17:08:33

Re: [SOLVED] How to let normal user run chroot without password?

#4 2018-06-23 17:21:00

Re: [SOLVED] How to let normal user run chroot without password?

#5 2018-06-23 17:25:10

Re: [SOLVED] How to let normal user run chroot without password?

#6 2018-06-23 17:58:06

Re: [SOLVED] How to let normal user run chroot without password?

#7 2018-06-23 18:05:14

Re: [SOLVED] How to let normal user run chroot without password?

#8 2018-06-23 18:26:06

Re: [SOLVED] How to let normal user run chroot without password?

#9 2018-06-23 18:29:53

Re: [SOLVED] How to let normal user run chroot without password?

#10 2018-06-23 18:42:36

Re: [SOLVED] How to let normal user run chroot without password?

#11 2018-06-23 19:12:20

Re: [SOLVED] How to let normal user run chroot without password?

#12 2018-06-23 19:27:02

Re: [SOLVED] How to let normal user run chroot without password?

#13 2018-06-23 19:29:41

Re: [SOLVED] How to let normal user run chroot without password?

#14 2018-06-23 19:45:40

Re: [SOLVED] How to let normal user run chroot without password?

#15 2018-06-23 19:59:17

Re: [SOLVED] How to let normal user run chroot without password?

#16 2018-06-23 20:02:43

Re: [SOLVED] How to let normal user run chroot without password?

#17 2018-06-23 20:26:48

Re: [SOLVED] How to let normal user run chroot without password?

#18 2018-06-23 20:37:57

Re: [SOLVED] How to let normal user run chroot without password?

#19 2018-06-23 21:04:42

Re: [SOLVED] How to let normal user run chroot without password?

#20 2018-06-23 21:09:22

Re: [SOLVED] How to let normal user run chroot without password?

#21 2018-06-23 21:13:34

Re: [SOLVED] How to let normal user run chroot without password?

#22 2018-06-23 21:15:34

Re: [SOLVED] How to let normal user run chroot without password?

#23 2018-06-23 21:18:40

Re: [SOLVED] How to let normal user run chroot without password?

#24 2018-06-23 21:26:01

Re: [SOLVED] How to let normal user run chroot without password?

#25 2018-06-23 21:32:09

Re: [SOLVED] How to let normal user run chroot without password?

Board footer