While I can simply have e.g. sshd in a chroot environment ("chrootenv") listen on a different port than its parent ("parentenv"), it would be more convenient to have that environment have an additional IP and hostname and have sshd listen on that IP's port 22. So basically I'd like to set up a chroot environment such that it behaves like a separate host in the network. How can this be achieved? Or is this something LXC or user-mode Linux (which I lack experience with) is better suited for?

2 Answers
Normally, chroot is about "limiting privileges", not granting users their own IF to play with...
But in any case: if you feel like doing some work, you may start your chroot environment within a new network namespace. You find an introduction here. Then the last command, the one that places you into the new network namespace, which in the guide above is
ip netns exec NAME_OF_THE_NET_NS /bin/bash
can be followed by the usual set of commands,
sudo mount -o bind /proc /pathtochroot/proc
sudo mount -o bind /dev /pathtochroot/dev
sudo mount -o bind /dev/pts /pathtochroot/dev/pts
sudo mount -o bind /sys /pathtochroot/sys
sudo chroot /pathtochroot /bin/bash
and now you have your chroot with an IF.
But the question that follows is: don't you think that using a Linux container (LXC, OpenVZ, VServer) would be faster and simpler? Isn't a chroot with an interface the very same thing as a Linux container? Generally, when security issues are no concern, that's the way I go.
Edit:
Ok, I see your plight. Still, there is one possibility. Make two virtual interfaces on the same card, and make sure they both get an IP address from your DHCP. Now configure ssh to bind to one of them. You can do this both for the ssh client and for the ssh server. For the client, the instruction is
ssh -b ip.address.tobind.to
while for the server you need to use the instruction
ListenAddress ip.address.tobind.to
in the file /etc/ssh/sshd_config. This way you have forced the host to use only one interface. Then enter the chroot jail, and use the other interface. I am shaky on busybox capabilities, so I cannot state categorically that this will work. But it would work if this were a chroot jail on a normal PC.

This tool could be handy:
NAME
chname - Run command or interactive shell with a new system hostname
SYNOPSIS
chname hostname [command ...]
DESCRIPTION
Create a new utsname namespace with a new system hostname and execute command. This is particularly useful for creating a chroot that has a hostname independent of the rest of the system.
This capability requires Linux 2.6.19 or later with CONFIG_UTS_NS=y.
It works like a charm. The advantage over the recipe in the answer proposed by @MariusMatutiae is that it does not require setting up a network namespace (adding veths, etc.). The disadvantage is that it does not allow assigning a separate IP address to the chrooted environment.

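The two answers above combine naturally: a network namespace (first answer) gives the chroot its own IP and its own port 22, and a UTS namespace (what chname does in the second answer) gives it its own hostname. The script below is an added example, not code from either answer or from the chname project. It wires the namespace to the host with a veth pair and uses `unshare --uts` from util-linux in place of chname. The namespace name, interface names, hostname and the 192.0.2.0/24 addresses are placeholders I chose; /pathtochroot is the path used in the first answer. It needs root and a kernel built with CONFIG_NET_NS and CONFIG_UTS_NS; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: run a chroot inside its own network and UTS namespace so
# that it has a separate IP address and hostname from the host.
# All names and addresses are assumed placeholders, not values from the page.
# DRY_RUN=1 prints every privileged command instead of executing it.

NS="${NS:-chrootenv}"                       # assumed namespace name
NS_HOSTNAME="${NS_HOSTNAME:-chrootenv}"     # assumed hostname inside the chroot
CHROOT_DIR="${CHROOT_DIR:-/pathtochroot}"   # path used in the first answer
VETH_HOST="${VETH_HOST:-veth-host}"         # host-side end of the veth pair
VETH_NS="${VETH_NS:-veth-ns}"               # end that is moved into the namespace
HOST_IP="${HOST_IP:-192.0.2.1/24}"          # constructed, RFC 5737 test range
NS_IP="${NS_IP:-192.0.2.2/24}"              # constructed: the chroot's own address

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A kernel with CONFIG_NET_NS exposes /proc/<pid>/ns/net; without it the
# file is absent and "ip netns add" fails, which matches the
# "Invalid argument" error reported in the comments on this page.
# Returns 0 if network namespaces are supported, 1 otherwise.
kernel_supports_netns() {
    [ -e /proc/self/ns/net ]
}

# Create the namespace and connect it to the host through a veth pair.
# The host end keeps HOST_IP; the other end is moved into the namespace
# and gets NS_IP, with the host end as its default gateway.
netns_setup() {
    run ip netns add "$NS"
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"
    run ip addr add "$HOST_IP" dev "$VETH_HOST"
    run ip link set "$VETH_HOST" up
    run ip netns exec "$NS" ip addr add "$NS_IP" dev "$VETH_NS"
    run ip netns exec "$NS" ip link set "$VETH_NS" up
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip route add default via "${HOST_IP%/*}"
}

# Enter the namespace, set the private hostname, mount the pseudo
# filesystems and chroot. "ip netns exec" also gives the command its own
# mount namespace, so the mounts and the chroot must all happen inside this
# single sh -c; the bind mounts vanish again when the chrooted shell exits.
# "unshare --uts" is the util-linux equivalent of chname's UTS namespace.
chroot_enter() {
    run ip netns exec "$NS" unshare --uts sh -c "
        hostname '$NS_HOSTNAME' &&
        mount -o bind /proc '$CHROOT_DIR/proc' &&
        mount -o bind /dev '$CHROOT_DIR/dev' &&
        mount -o bind /dev/pts '$CHROOT_DIR/dev/pts' &&
        mount -o bind /sys '$CHROOT_DIR/sys' &&
        exec chroot '$CHROOT_DIR' /bin/sh"
}

# Deleting the namespace destroys the veth end inside it, which also
# removes the host-side peer.
netns_teardown() {
    run ip netns del "$NS"
}

# Usage: sh thisscript.sh setup | enter | teardown
case "${1:-}" in
    setup)
        kernel_supports_netns || { echo "kernel has no network namespace support" >&2; exit 1; }
        netns_setup ;;
    enter)    chroot_enter ;;
    teardown) netns_teardown ;;
esac
```

Inside the namespace, sshd can keep its default of listening on all addresses: the only interfaces it sees are lo and veth-ns, so its port 22 is a different socket in a different network stack from the host's sshd. With only the veth pair configured, the chroot is reachable at 192.0.2.2 from the host alone; for other machines on the LAN to reach it, the host has to bridge the veth onto its NIC or enable forwarding for that subnet.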
chroot is that it's a very limited system (the Linux on a Buffalo LinkStation NAS) with no package manager, so I want to "amplify" its functionality with Gentoo. Unfortunately, it also only comes with busybox (1.7), the ip command of which doesn't support netns ... I'm pretty sure that the kernel doesn't support LXC, though the lack of source files makes that rather difficult (impossible?) to determine without compiling it. – Tobias Kienzler Nov 05 '13 at 08:00

ip netns add gentoo yields a Failed to create a new network namespace "gentoo": Invalid argument - I guess that means the host kernel doesn't support net namespaces :( – Tobias Kienzler Nov 07 '13 at 08:28

nc and mkfifo, if they provide enough functionality: nc supports [-iN] [-wN] [-l] [-p PORT] [-f FILENAME|IPADDR PORTNUM] [-e COMMAND] and mkfifo -m – Tobias Kienzler Nov 07 '13 at 10:47

ip addr add ... does work, so if I accept that the host can also "see" the additional IP, all I need to do is figure out how to make the host sshd ignore the secondary IP while the chrooted one shall listen on that one's port 22 – Tobias Kienzler Nov 07 '13 at 11:21
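When the kernel has no network namespaces, the host and the chroot share one network stack, so the answer's edit and the last comment converge on the same fix: the host's sshd_config gets a ListenAddress for the primary IP and the chrooted sshd_config gets one for the secondary IP. Leaving either file without a ListenAddress means that sshd binds to all addresses and the second instance fails to start on port 22. The script below is an added example, not code from the page, that checks two sshd_config files for that clash before either daemon is started. It assumes the files are passed as paths, treats a missing ListenAddress as the wildcard 0.0.0.0 (sshd's default), and compares the addresses as written, so give both sides the same form (with or without an explicit port).

```shell
#!/bin/sh
# Added example: verify that a host sshd_config and a chroot sshd_config bind
# disjoint addresses, so two sshd instances can both own port 22 on one stack.
# Assumption: no ListenAddress line means "listen everywhere" (sshd default).

# Print the ListenAddress values of one sshd_config, one per line.
# Comment lines are skipped; with no ListenAddress at all, print 0.0.0.0.
listen_addresses() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "listenaddress" { print $2; found = 1 }
        END { if (!found) print "0.0.0.0" }
    ' "$1"
}

# Return 0 when the two configs can never compete for the same socket,
# 1 when one of them is a wildcard or they share an address.
sshd_binds_disjoint() {
    addrs_a=$(listen_addresses "$1")
    addrs_b=$(listen_addresses "$2")
    for x in $addrs_a; do
        case "$x" in 0.0.0.0|::|\[::\]) return 1 ;; esac
        for y in $addrs_b; do
            case "$y" in 0.0.0.0|::|\[::\]) return 1 ;; esac
            [ "$x" = "$y" ] && return 1
        done
    done
    return 0
}

# Demonstration on two constructed config files in a temporary directory:
# the host keeps the primary IP, the chroot takes the secondary one.
demo() {
    tmp=$(mktemp -d)
    printf 'Port 22\nListenAddress 192.0.2.10\n' > "$tmp/host_sshd_config"
    printf 'Port 22\nListenAddress 192.0.2.11\n' > "$tmp/chroot_sshd_config"
    if sshd_binds_disjoint "$tmp/host_sshd_config" "$tmp/chroot_sshd_config"; then
        echo "ok: host and chroot sshd bind different addresses"
    else
        echo "clash: both sshd instances would try to own the same socket"
    fi
    rm -rf "$tmp"
}

demo
```

The same check is worth running whenever the host sshd_config is edited later: dropping the ListenAddress line from the host's file silently turns it back into a wildcard, and the chrooted sshd then fails with "Address already in use" at its next restart.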