So I'm trying to write a very simple chroot sandboxing script. I want zero suid binaries inside the sandbox, so I remount all the requisite directories ro,nosuid. I figure I can avoid using su (and get a slightly more secure sandbox) by using --userspec when chrooting into the sandbox.
This mostly works - it chroots in with the limited user's permissions. Unfortunately though, it somehow keeps all the environment variables from when it was running as root. These can be changed manually, but I figure there has to be a better way.
Is there? Or is this another case of Linux chroot not being designed for security?
Execute with "env -i", or if you are using systemd, there is a much better tool: systemd-nspawn. ;)
Close, but not quite there: that just wipes all the environment variables. Any idea how I could get the default variables for $USER from there? Thanks, BTW.
Assign each one, for example:
chroot "$BASE" /usr/bin/env -i HOME=/root USER=root /bin/bash -l
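One way to get default-looking variables for the limited user without su, as an added example that is not from any poster in this thread: read the account's fields from the sandbox's own /etc/passwd and hand them to env -i together with --userspec. The function names, the fixed PATH, and the presence of /etc/passwd and /usr/bin/env inside the sandbox are assumptions of this example.

```shell
#!/bin/sh
# Added example. Usage (as root): . ./sandbox.sh; enter_sandbox /srv/sandbox someuser
# The path and user name in that usage line are placeholders.

# Print the passwd line for user $2 as recorded inside chroot $1.
# Exit status is non-zero when the sandbox has no such account.
sandbox_passwd_entry() {
    awk -F: -v u="$2" '$1 == u { print; found = 1; exit }
                       END { exit !found }' "$1/etc/passwd"
}

# Print field $3 (1-based) of that passwd line: 3=uid 4=gid 6=home 7=shell.
sandbox_field() {
    entry=$(sandbox_passwd_entry "$1" "$2") || return 1
    printf '%s\n' "$entry" | cut -d: -f"$3"
}

# Enter the sandbox as user $2. Nothing from root's environment survives:
# env -i clears it, and only the variables listed below are set again.
enter_sandbox() {
    base=$1
    user=$2
    uid=$(sandbox_field "$base" "$user" 3) || {
        echo "no such user in sandbox: $user" >&2
        return 1
    }
    gid=$(sandbox_field "$base" "$user" 4)
    home=$(sandbox_field "$base" "$user" 6)
    shell=$(sandbox_field "$base" "$user" 7)
    shell=${shell:-/bin/sh}   # an empty shell field conventionally means /bin/sh

    # Numeric uid:gid avoids any question of which passwd file resolves names.
    chroot --userspec="$uid:$gid" "$base" /usr/bin/env -i \
        HOME="$home" USER="$user" LOGNAME="$user" SHELL="$shell" \
        PATH=/usr/local/bin:/usr/bin:/bin TERM="${TERM:-dumb}" \
        "$shell" -l
}
```

The login shell started with -l still reads the sandbox's own profile files, so anything those set is layered on top of this minimal environment.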