Fulgurance (Veteran)
Joined: 15 Feb 2017 Posts: 1216
Posted: Mon Jan 02, 2023 4:46 pm
This way solved my problem definitely, I'm happy with the result.
Just one thing left: I need to fix a permission problem.
I think the problem I encounter now is that, because the process requires sudo to run chroot, the script I run with the process has those privileges as well.
Is it possible to do a chroot as a normal user?
Actually, when I call the process, it's like this:
Code:
process = Process.run("sudo", args: [ "chroot",
Ism.settings.rootPath,
"./#{ISM::Default::Filename::Task}"],
output: :inherit,
error: :inherit,
shell: true)
_________________ My actual project: https://github.com/Fulgurance/ISM
Ingenius Software Manager is a tool to build and manage a Linux system from scratch.
It will be able to manage a Linux installation just with a given path to the future root path.
pingtoo (l33t)
Joined: 10 Sep 2021 Posts: 932 Location: Richmond Hill, Canada
Posted: Mon Jan 02, 2023 5:10 pm
Fulgurance wrote:
    This way solved my problem definitely, I'm happy with the result.
    Just one thing left: I need to fix a permission problem.
    I think the problem I encounter now is that, because the process requires sudo to run chroot, the script I run with the process has those privileges as well.
    Is it possible to do a chroot as a normal user?
    Actually, when I call the process, it's like this:
    Code:
    process = Process.run("sudo", args: [ "chroot",
    Ism.settings.rootPath,
    "./#{ISM::Default::Filename::Task}"],
    output: :inherit,
    error: :inherit,
    shell: true)
It is possible to start a process as a normal user which in turn runs chroot(1). However, you need to ask yourself what other constraints there may be in your task(s) in the chrooted environment. I think some of the LFS chapters require root privilege in order to complete.
Also, another security design question: are you designing your project with security in mind? How does your code logic prevent others from abusing the code to try to gain privilege without sysadmin approval?
With all the above in mind, you can see the man page for chroot(2) for details.
Code:
CHROOT(2) Linux Programmer's Manual CHROOT(2)
NAME
chroot - change root directory
SYNOPSIS
#include <unistd.h>
int chroot(const char *path);
Feature Test Macro Requirements for glibc (see feature_test_macros(7)):
chroot():
Since glibc 2.2.2:
_XOPEN_SOURCE && ! (_POSIX_C_SOURCE >= 200112L)
|| /* Since glibc 2.20: */ _DEFAULT_SOURCE
|| /* Glibc <= 2.19: */ _BSD_SOURCE
Before glibc 2.2.2:
none
DESCRIPTION
chroot() changes the root directory of the calling process to that specified in path. This directory will be used for
pathnames beginning with /. The root directory is inherited by all children of the calling process.
Only a privileged process (Linux: one with the CAP_SYS_CHROOT capability in its user namespace) may call chroot().

One can set up an executable with the capability using the setcap(8) command.
Hu (Administrator)
Joined: 06 Mar 2007 Posts: 21724
Posted: Mon Jan 02, 2023 6:07 pm
Unprivileged users are not permitted to call chroot. To use it, the caller must have the relevant capability in its current user namespace. Therefore, your options are:
- Run as root, which absent other configuration tweaks will give you all capabilities.
- Run with the specific capability, as pingtoo showed.
- Start a user namespace, where you can pretend to be root and thus have the capability within your namespace.
Separately, you only need the capability to call chroot, not to be affected by it afterward. You could call chroot, then step down to a completely unprivileged user before executing the target process. The program /usr/bin/chroot offers command line options to do this, according to chroot --help.
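The pattern Hu describes above (and that pingtoo's chroot(2) excerpt motivates), written out as an added example in C; this is not code from the thread, from ISM, or from coreutils' chroot. A process that holds CAP_SYS_CHROOT (in practice root via sudo, or a binary given the capability with setcap) enters the new root, then irrevocably drops to an unprivileged uid/gid before exec'ing the build task, so the task itself never runs privileged. The function names, the uid/gid 65534 and the task path are constructed for illustration; /mnt/ism is the path from the thread.

```c
/* Added example: chroot with the capability, then drop privileges before exec.
 * Names, ids and paths here are constructed for illustration. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes so the code compiles even if <unistd.h> was first
 * included without _GNU_SOURCE in effect (these are glibc's signatures). */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Irrevocably switch to uid/gid. Returns 0 on success, -1 on failure (errno
 * set). Order matters: supplementary groups, then gid, then uid, because once
 * the uid is unprivileged the group changes would be refused. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Clearing supplementary groups needs CAP_SETGID; only attempt it when we
     * actually are privileged. An already-unprivileged caller has nothing to
     * clear and would otherwise fail here with EPERM. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Set real, effective AND saved ids. Leaving the saved id at 0 would let
     * the task call setuid(0) later and regain root. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Do not trust the return codes alone: read every id back and compare. */
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    if (ru != uid || eu != uid || su != uid ||
        rg != gid || eg != gid || sg != gid) {
        errno = EPERM;
        return -1;
    }
    /* For an unprivileged target, regaining root must now be impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* chdir into the new root first and chroot("."), so the working directory is
 * guaranteed to be inside the new root (a cwd left outside the new root is
 * the classic chroot escape), then chdir("/") and drop privileges. */
int enter_chroot_as(const char *root, uid_t uid, gid_t gid)
{
    if (chdir(root) != 0)
        return -1;
    if (chroot(".") != 0)      /* needs CAP_SYS_CHROOT; EPERM otherwise */
        return -1;
    if (chdir("/") != 0)
        return -1;
    return drop_privileges(uid, gid);
}

/* Usage: chroot_drop <newroot> <uid> <gid> <command> [args...]
 * e.g.   sudo ./chroot_drop /mnt/ism 65534 65534 ./task.sh
 * The command path is resolved inside the new root, as an unprivileged user. */
int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s <newroot> <uid> <gid> <cmd> [args...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (uid == 0 || gid == 0) {
        fprintf(stderr, "refusing to run the task as uid/gid 0\n");
        return 2;
    }
    if (enter_chroot_as(argv[1], uid, gid) != 0) {
        fprintf(stderr, "enter_chroot_as(%s): %s\n", argv[1], strerror(errno));
        return 1;
    }
    execv(argv[4], &argv[4]);
    fprintf(stderr, "execv(%s): %s\n", argv[4], strerror(errno));
    return 1;
}
```

This is what `chroot --userspec=USER:GROUP` does for you in coreutils; doing it by hand makes the order (groups, gid, uid, then verify) visible, and the verification step is what catches a partially failed drop, which is exactly the situation where a build task would otherwise keep running with root's rights inside the new root. The same ids must of course exist as readable files and writable build directories inside the chroot, which is the permission problem the thread goes on to discuss.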
Fulgurance (Veteran)
Joined: 15 Feb 2017 Posts: 1216
Posted: Tue Jan 03, 2023 4:42 pm
So, some news:
First, about security design: I try to do my best, because I keep that in mind. But I try to make something working first, and improve it after. About security, actually I try my software without any privilege elevation, and all installed dirs have just normal rights. I do that to detect if some software tries to install something somewhere it is not supposed to.
Now about the bug I had with Libstdc++-Pass2, I found this definitely comes from a privilege problem.
When my software does a normal chroot like this:
Code:
process = Process.run("sudo", args: [ "chroot",
Ism.settings.rootPath,
"./#{ISM::Default::Filename::Task}"],
output: :inherit,
error: :inherit,
shell: true)
Everything is compiled properly, but I get an access denied at the end because the chroot changed some rights for some dirs.
But the problem is, if I set just a normal group like this:
Code:
process = Process.run("sudo", args: [ "chroot",
"--userspec=nobody:nobody",
Ism.settings.rootPath,
"./#{ISM::Default::Filename::Task}"],
output: :inherit,
error: :inherit,
shell: true)
and a normal user to compile, the compilation fails because it can't find some headers (I created /etc/passwd and /etc/group files):
Code:
In file included from /sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:41,
from ../../../libstdc++-v3/src/c++17/floating_to_chars.cc:31:
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:58:11: error: 'fenv_t' has not been declared in '::'
58 | using ::fenv_t;
| ^~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:59:11: error: 'fexcept_t' has not been declared in '::'
59 | using ::fexcept_t;
| ^~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:62:11: error: 'feclearexcept' has not been declared in '::'
62 | using ::feclearexcept;
| ^~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:63:11: error: 'fegetexceptflag' has not been declared in '::'
63 | using ::fegetexceptflag;
| ^~~~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:64:11: error: 'feraiseexcept' has not been declared in '::'
64 | using ::feraiseexcept;
| ^~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:65:11: error: 'fesetexceptflag' has not been declared in '::'
65 | using ::fesetexceptflag;
| ^~~~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:66:11: error: 'fetestexcept' has not been declared in '::'
66 | using ::fetestexcept;
| ^~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:68:11: error: 'fegetround' has not been declared in '::'
68 | using ::fegetround;
| ^~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:69:11: error: 'fesetround' has not been declared in '::'
69 | using ::fesetround;
| ^~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:71:11: error: 'fegetenv' has not been declared in '::'
71 | using ::fegetenv;
| ^~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:72:11: error: 'feholdexcept' has not been declared in '::'
72 | using ::feholdexcept;
| ^~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:73:11: error: 'fesetenv' has not been declared in '::'
73 | using ::fesetenv;
| ^~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:74:11: error: 'feupdateenv' has not been declared in '::'
74 | using ::feupdateenv;
| ^~~~~~~~~~~
In file included from ../../../libstdc++-v3/src/c++17/floating_to_chars.cc:31:
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:61:11: error: 'fenv_t' has not been declared in '::'
61 | using ::fenv_t;
| ^~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:62:11: error: 'fexcept_t' has not been declared in '::'
62 | using ::fexcept_t;
| ^~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:65:11: error: 'feclearexcept' has not been declared in '::'
65 | using ::feclearexcept;
| ^~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:66:11: error: 'fegetexceptflag' has not been declared in '::'
66 | using ::fegetexceptflag;
| ^~~~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:67:11: error: 'feraiseexcept' has not been declared in '::'
67 | using ::feraiseexcept;
| ^~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:68:11: error: 'fesetexceptflag' has not been declared in '::'
68 | using ::fesetexceptflag;
| ^~~~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:69:11: error: 'fetestexcept' has not been declared in '::'
69 | using ::fetestexcept;
| ^~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:71:11: error: 'fegetround' has not been declared in '::'
71 | using ::fegetround;
| ^~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:72:11: error: 'fesetround' has not been declared in '::'
72 | using ::fesetround;
| ^~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:74:11: error: 'fegetenv' has not been declared in '::'
74 | using ::fegetenv;
| ^~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:75:11: error: 'feholdexcept' has not been declared in '::'
75 | using ::feholdexcept;
| ^~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:76:11: error: 'fesetenv' has not been declared in '::'
76 | using ::fesetenv;
| ^~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:77:11: error: 'feupdateenv' has not been declared in '::'
77 | using ::feupdateenv;
| ^~~~~~~~~~~
In file included from /sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:41,
from ../../../libstdc++-v3/src/c++17/floating_from_chars.cc:36:
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:58:11: error: 'fenv_t' has not been declared in '::'
58 | using ::fenv_t;
| ^~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:59:11: error: 'fexcept_t' has not been declared in '::'
59 | using ::fexcept_t;
| ^~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:62:11: error: 'feclearexcept' has not been declared in '::'
62 | using ::feclearexcept;
| ^~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:63:11: error: 'fegetexceptflag' has not been declared in '::'
63 | using ::fegetexceptflag;
| ^~~~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:64:11: error: 'feraiseexcept' has not been declared in '::'
64 | using ::feraiseexcept;
| ^~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:65:11: error: 'fesetexceptflag' has not been declared in '::'
65 | using ::fesetexceptflag;
| ^~~~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:66:11: error: 'fetestexcept' has not been declared in '::'
66 | using ::fetestexcept;
| ^~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:68:11: error: 'fegetround' has not been declared in '::'
68 | using ::fegetround;
| ^~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:69:11: error: 'fesetround' has not been declared in '::'
69 | using ::fesetround;
| ^~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:71:11: error: 'fegetenv' has not been declared in '::'
71 | using ::fegetenv;
| ^~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:72:11: error: 'feholdexcept' has not been declared in '::'
72 | using ::feholdexcept;
| ^~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:73:11: error: 'fesetenv' has not been declared in '::'
73 | using ::fesetenv;
| ^~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/fenv.h:74:11: error: 'feupdateenv' has not been declared in '::'
74 | using ::feupdateenv;
| ^~~~~~~~~~~
In file included from ../../../libstdc++-v3/src/c++17/floating_from_chars.cc:36:
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:61:11: error: 'fenv_t' has not been declared in '::'
61 | using ::fenv_t;
| ^~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:62:11: error: 'fexcept_t' has not been declared in '::'
62 | using ::fexcept_t;
| ^~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:65:11: error: 'feclearexcept' has not been declared in '::'
65 | using ::feclearexcept;
| ^~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:66:11: error: 'fegetexceptflag' has not been declared in '::'
66 | using ::fegetexceptflag;
| ^~~~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:67:11: error: 'feraiseexcept' has not been declared in '::'
67 | using ::feraiseexcept;
| ^~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:68:11: error: 'fesetexceptflag' has not been declared in '::'
68 | using ::fesetexceptflag;
| ^~~~~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:69:11: error: 'fetestexcept' has not been declared in '::'
69 | using ::fetestexcept;
| ^~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:71:11: error: 'fegetround' has not been declared in '::'
71 | using ::fegetround;
| ^~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:72:11: error: 'fesetround' has not been declared in '::'
72 | using ::fesetround;
| ^~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:74:11: error: 'fegetenv' has not been declared in '::'
74 | using ::fegetenv;
| ^~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:75:11: error: 'feholdexcept' has not been declared in '::'
75 | using ::feholdexcept;
| ^~~~~~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:76:11: error: 'fesetenv' has not been declared in '::'
76 | using ::fesetenv;
| ^~~~~~~~
/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/include/cfenv:77:11: error: 'feupdateenv' has not been declared in '::'
77 | using ::feupdateenv;
| ^~~~~~~~~~~
make[3]: *** [Makefile:577: floating_to_chars.lo] Error 1
make[3]: *** Waiting for unfinished jobs....
make[3]: *** [Makefile:577: floating_from_chars.lo] Error 1
make[3]: Leaving directory '/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/src/c++17'
make[2]: *** [Makefile:765: all-recursive] Error 1
make[2]: Leaving directory '/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build/src'
make[1]: *** [Makefile:568: all-recursive] Error 1
make[1]: Leaving directory '/sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0/build'
make: *** [Makefile:493: all] Error 2
[!] Failed to run make in /sources/Libstdc++-Pass2/11.2.0/gcc-11.2.0///build
I think it's because the user used for the chroot doesn't have enough privileges.
What do you think I have to set?
Actually all dirs (outside the chroot) have these rights:
Code:
sudo chown -R zohran:zohran /mnt/ism
This is the /etc/passwd:
Code:
nobody:x:1000:1001:nobody:/:/bin/bash
and /etc/group of my generated system:
Any idea?
pingtoo (l33t)
Joined: 10 Sep 2021 Posts: 932 Location: Richmond Hill, Canada
Posted: Tue Jan 03, 2023 7:16 pm
Fulgurance,
Usually a missing header is due to a prior build process failing to generate the missing header, and sometimes those failures are due to permission issues, i.e. no read access at the directory level or no write access to generate it.
I have not seen, in terms of system building design, changing the target destination's permissions to a non-root user. Maybe there is a known reason not to do that, but I don't know, since I have not done any of those things.
Another wild guess: maybe you have a mismatched version issue? Since your build process spans multiple days, could it be possible you have a slightly old version of gcc that places file(s) in a versioned path that is not expected by the newer version of the code?
colo-des (Tux's lil' helper)
Joined: 20 May 2011 Posts: 97
Posted: Wed Jan 04, 2023 4:17 am
Hi, I don't quite understand what you're trying to do, but I'm going to comment on
what I have been doing with my LFS/BLFS in case what I have seen is useful.
I have been a gentoo user since 2008; I want to learn more in depth, so the next step is LFS/BLFS.
From gentoo using chroot I installed LFS/BLFS 11.2 (openbox).
When the versions began to be updated, the problems began; it is humanly impossible to update
that way, so I set out to find out how to create my own binary packages with a package
manager already made and extensively tested by the community.
I found several: pkgtools from slackware, sspm from Joe Packar, and pkgutils and its prt-get front-end from crux.
I ended up going with crux's pkgutils as it allows you to compile it statically, so that when you update
the system, pkgutils never breaks on me.
So far I have created 109 binary packages with pkgmk in a fakeroot environment in the LFS/BLFS home
via chroot from gentoo.
Code:
myuser [ ~/adm ]$ revdep -v |head -n3
** calculating deps
** checking 109 ports
** checking linking
The pkgutils pkgadd executable has the option -r, --root <path> (specify alternative installation root).
I think you can look at pkgutils and see if the -r <path> option works for what you want to use it for.
I have installed the crux ports, but I do not use them, just for reference, since I am creating
my own ports following the LFS/BLFS guidelines with my own changes... it's hard work, but
I am understanding package by package and its internals.
I create the packages from the LFS/BLFS home via chroot from gentoo using the fakeroot package installed in LFS/BLFS.
Code:
root [ ~ ]# su -l myuser
myuser [ ~ ]$ cd ~/adm/ports/blfs/unzip
myuser [ ~/adm/ports/blfs/unzip ]$ ls -la
total 24
drwxr-xr-x 2 myuser myuser 4096 ene 3 20:31 .
drwxrwxr-x 33 myuser myuser 4096 ene 3 19:57 ..
-rw-r--r-- 1 myuser myuser 611 ene 3 20:12 .footprint
-rw-r--r-- 1 myuser myuser 120 ene 3 20:31 .md5sum
-rw-r--r-- 1 myuser myuser 766 ene 3 20:31 Pkgfile
-rw-r--r-- 1 myuser myuser 413 ene 3 20:31 .signature
myuser [ ~/adm/ports/blfs/unzip ]$ fakeroot pkgmk -f -is
My LFS/BLFS is fully functional booting from grub, but I'm still creating the binary packages and my own ports
from LFS/BLFS to soon be able to update with prt-get from crux using my own ports... or well, that's the idea.
Greetings.