Install Debian (based) Linux Distributions in a Folder (chroot)
Donate
How to create a chroot (change root) in a secure way using mmdebstrap and systemd-nspawn.
Documentation for this is incomplete. Contributions are happily considered! See this for potential alternatives.
Chroot Use Cases[edit]
- See this list of chroot use cases in wikipedia
.
Chroot Security[edit]
chroot is not a security feature.
Examples[edit]
systemd-nspawn[edit]
Introduction[edit]
Quote Changing Roots:
systemd-nspawn tool which acts as chroot(1) on steroids
it makes use of file system and PID namespaces to boot a simple lightweight container on a file system tree.
It can be used almost like chroot(1), except that the isolation from the host OS is much more complete, a lot more secure and even easier to use
systemd-nspawn is capable of booting a complete systemd or sysvinit OS in container with a single command.
- Booting of the container can take less than 3 seconds.
Security[edit]
Can systemd-nspawn be made a secure jail? The following quote might be outdated and/or not reflect a "hardened container". Quote systemd lead developer:
Note however that this protects the host OS only from accidental changes of its parameters. A process in the container can manually remount the file systems read-writeable and then change whatever it wants to change.
What are these issues? Related to running root vs non-root inside the container? Can these security holes nowadays be closed?
Since we are inside a VM already, can containers be used for better security?
Quote systemd-nspawn man page:
--drop-capability=
Specify one or more additional capabilities to drop for the container. This allows running the container with fewer capabilities than the default (see above).
Quote https://wiki.archlinux.org/index.php/systemd-nspawn#Creating_private_users_(unprivileged_containers)
systemd-nspawn supports unprivileged containers,
Great!
, though the containers need to be booted as root.
That could be an OK limitation?
See also:
- https://unix.stackexchange.com/questions/145739/what-makes-systemd-nspawn-still-unsuitable-for-secure-container-setups
- https://opensource.com/business/14/7/docker-security-selinux
- https://people.kernel.org/brauner/runtimes-and-the-curse-of-the-privileged-container
Exit systemd-nspawn[edit]
To leave the chroot press keep holding key CTRL and press key 5 quickly 3 times within 1 second. [1]
See Also[edit]
- https://wiki.archlinux.org/index.php/systemd-nspawn
- https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html
LXC[edit]
mmdebstrap[edit]
mmdebstrap is a tool that can be used to securely create chroots.
Using debootstrap is insecure at times such as if APT is vulnerable and the fixed package only available from security.debian.org APT repository not the regular Debian repository because it can use only 1 APT repository at a time. And security.debian.org does not include all packages created to create a chroot.
A secure alternative is mmdebstrap. [2] See also other advantages of mmdebstrap.
TODO[edit]
- xchroot: chroot for users with Xorg/X11 forwarding and automatic mounting + aufs/unionfs read only root support.
- Needs cautious review. Same author as debcheckroot which does not do gpg signature verification of downloaded package metadata because thinks that's useless.
- Needs cautious review. Same author as debcheckroot
Footnotes[edit]
- ↑
https://unix.stackexchange.com/questions/577065/connected-to-container-mycontainer-press-three-times-within-1s-to-exit-sessi
- ↑ alternative is multistrap (might be outdated, author has no experience with it)
A secure by default operating system with the latest security research in place.
At
Kicksecure we value freedom and trust, supporting Open Source and Freedom Software
2012-
2024 ENCRYPTED SUPPORT LP
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!