How to achieve the effect of chroot in userspace in Linux (without being root)?
The goal is to install and run programs in a displaced (relocated) distro (whose / must not coincide with the global /) inside a host Linux system. The programs are not adapted for using a different / .
fakechroot is not a complete solution because it employs library-substitution instead of acting on the level of system calls (so not good for statically linked binaries).
not-root-user virtualization chroot jails
asked Apr 17 '13 at 3:00
imz -- Ivan Zakharyaschev
Cf. unix.stackexchange.com/questions/66084/…
– imz -- Ivan Zakharyaschev
Apr 17 '13 at 3:00
2 Answers
Accepted answer (9 votes)
The solution must probably be based either on ptrace or namespaces (unshare).
ptrace-based solutions are probably less efficient than namespaces/unshare-based (but the latter technology is cutting-edge and is not a well-explored path, probably).
ptrace-based
UMView
As for ptrace-based solutions, thanks to the comments at https://stackoverflow.com/a/1019720/94687, I've discovered UMView:
- http://wiki.virtualsquare.org/wiki/index.php/ViewFS
- http://wiki.virtualsquare.org/wiki/index.php/Virtual_installation_of_software
The linked docs describe how to have a "copy-on-write view" of the host fs -- that's not exactly like performing a chroot. Exact instructions on how to achieve /-substitution in umview would be nice to have in an answer to my question (please write one if you figure out how to do this!).
umview must be open-source, because it is included in Ubuntu and Debian -- http://packages.ubuntu.com/lucid/umview.
"Confining programs"
Another implementation is described in http://www.cs.vu.nl/~rutger/publications/jailer.pdf, http://www.cs.vu.nl/~guido/mansion/publications/ps/secrypt07.pdf.
They have a change-root-ing policy rule, CHRDIR, whose effect is similar to chroot. (Section "The jailing policy")
However, they might not have published their source code (partially based on a modified strace http://www.liacs.nl/~wichert/strace/ -- Section "Implementation")...
geordi
Geordi (http://www.eelis.net/geordi/, https://github.com/Eelis/geordi) could probably be modified to make the wanted rewriting of file arguments to system calls in the jailed programs.
proot
PRoot is a ready to use ptrace-based tool for this. http://proot.me/:
chroot equivalent
To execute a command inside a given Linux distribution, just give
proot the path to the guest rootfs followed by the desired command.
The example below executes the program cat to print the content of a
file:
    proot -r /mnt/slackware-8.0/ cat /etc/motd
    Welcome to Slackware Linux 8.0
The default command is /bin/sh when none is specified. Thus the
shortest way to confine an interactive shell and all its sub-programs
is:
    proot -r /mnt/slackware-8.0/
    $ cat /etc/motd
    Welcome to Slackware Linux 8.0
unshare-based
user_namespaces support in the Linux kernel has got more mature since the question was asked. Now you can play with performing a chroot as a normal user with the help of unshare, like in Simulate chroot with unshare:
    unshare --user --map-root-user --mount-proc --pid --fork
    chroot ......
    su - user1
edited May 23 '17 at 12:40
Community♦
answered Apr 17 '13 at 3:11
imz -- Ivan Zakharyaschev
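What the `unshare --user --map-root-user` plus `chroot` recipe in the answer above does at the system-call level, as an added C example (not code from the answer, from util-linux or from any tool named on this page). Because the root change happens in the kernel rather than through library substitution, it also applies to statically linked programs. The names `userns_chroot_demo`, `jail_child`, `write_file`, the `JAIL_*` codes and the temporary rootfs with its `marker` file are assumptions made for the illustration.

```c
/* Added example; JAIL_*, userns_chroot_demo and /marker are illustrative names. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <linux/sched.h>   /* CLONE_NEWUSER */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum { JAIL_OK = 0, JAIL_NO_USERNS = 1, JAIL_FAILED = 2 };

/* Write a short string to a /proc/self/... control file. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Child: new user namespace, map our ids to 0, chroot, check the view. */
static int jail_child(const char *rootfs, uid_t uid, gid_t gid)
{
    char map[64];
    struct stat st;

    /* Raw syscall, same effect as unshare(CLONE_NEWUSER); no host root needed. */
    if (syscall(SYS_unshare, CLONE_NEWUSER) != 0) return JAIL_NO_USERNS;

    /* What --map-root-user does: deny setgroups, then map uid/gid to 0. */
    (void)write_file("/proc/self/setgroups", "deny"); /* absent before Linux 3.19 */
    snprintf(map, sizeof map, "0 %lu 1", (unsigned long)uid);
    if (write_file("/proc/self/uid_map", map) != 0) return JAIL_NO_USERNS;
    snprintf(map, sizeof map, "0 %lu 1", (unsigned long)gid);
    if (write_file("/proc/self/gid_map", map) != 0) return JAIL_NO_USERNS;

    /* We hold CAP_SYS_CHROOT inside the namespace, so chroot() is allowed. */
    if (chroot(rootfs) != 0 || chdir("/") != 0) return JAIL_FAILED;
    /* The marker created under rootfs must now be visible as /marker. */
    return stat("/marker", &st) == 0 ? JAIL_OK : JAIL_FAILED;
}

/* Build a throwaway rootfs, run the jail in a child, report its result. */
int userns_chroot_demo(void)
{
    char rootfs[] = "/tmp/userns-root-XXXXXX", marker[PATH_MAX];
    int status = 0, rc = JAIL_FAILED, fd;
    uid_t uid = geteuid(); /* read before unshare: afterwards we are unmapped */
    gid_t gid = getegid();

    if (mkdtemp(rootfs) == NULL) return JAIL_FAILED;
    snprintf(marker, sizeof marker, "%s/marker", rootfs);
    if ((fd = open(marker, O_CREAT | O_WRONLY, 0600)) >= 0) close(fd);

    pid_t pid = fork();
    if (pid == 0) _exit(jail_child(rootfs, uid, gid));
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    unlink(marker);
    rmdir(rootfs);
    return rc;
}

int main(void) { int rc = userns_chroot_demo(); printf("result %d\n", rc); return rc; }
```

A result of `JAIL_NO_USERNS` means the kernel or a sandbox policy refuses unprivileged user namespaces (for example `user.max_user_namespaces=0`), in which case a ptrace-based tool such as PRoot is the remaining option from the answer.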
You ask and answer simultaneously?
– Hauke Laging
Apr 17 '13 at 4:22
@HaukeLaging It's encouraged if you think the info will be useful for others
– Michael Mrozek♦
Apr 17 '13 at 23:35
@HaukeLaging As I posed this question to myself (and started writing the question down), I started searching for the solutions, so very soon I got already an understanding of the possible solutions, and wrote that down as an answer. A bit later I discovered one more tool to do this (proot), perhaps the most convenient, and added it to the answer.
– imz -- Ivan Zakharyaschev
Apr 20 '13 at 13:11
bubblewrap is a really nice unshare-based chroot/mount --bind replacement: github.com/projectatomic/bubblewrap
– user2303
Sep 30 '16 at 13:45
1 vote
You could try User-Mode Linux. The code for building such a kernel is now present in the mainstream sources, and you can find (outdated) precompiled builds on the page I linked.
answered Aug 16 at 22:30
Billy