How to achieve the effect of chroot in userspace in Linux (without being root)?

The goal is to install and run programs in a displaced (relocated) distro (whose / must not coincide with the global /) inside a host Linux system. The programs are not adapted for using a different / .



fakechroot is not a complete solution because it employs library-substitution instead of acting on the level of system calls (so not good for statically linked binaries).










not-root-user virtualization chroot jails






asked Apr 17 '13 at 3:00 by imz -- Ivan Zakharyaschev











  • Cf. unix.stackexchange.com/questions/66084/…
    – imz -- Ivan Zakharyaschev
    Apr 17 '13 at 3:00
















2 Answers
accepted (score 9)
The solution must probably be based either on ptrace or namespaces (unshare).

ptrace-based solutions are probably less efficient than namespaces/unshare-based ones (but the latter technology is cutting-edge and is not a well-explored path, probably).

ptrace-based

UMView

As for ptrace-based solutions, thanks to the comments at https://stackoverflow.com/a/1019720/94687, I've discovered UMView:

  • http://wiki.virtualsquare.org/wiki/index.php/ViewFS
  • http://wiki.virtualsquare.org/wiki/index.php/Virtual_installation_of_software

The linked docs describe how to have a "copy-on-write view" of the host fs -- that's not exactly like performing a chroot. Exact instructions on how to achieve /-substitution in umview would be nice to have in an answer to my question (please write one if you figure out how to do this!).

umview must be open-source, because it is included in Ubuntu and Debian -- http://packages.ubuntu.com/lucid/umview.

"Confining programs"

Another implementation is described in http://www.cs.vu.nl/~rutger/publications/jailer.pdf, http://www.cs.vu.nl/~guido/mansion/publications/ps/secrypt07.pdf.

They have a change-root-ing policy rule, CHRDIR, whose effect is similar to chroot. (Section "The jailing policy")

However, they might not have published their source code (partially based on a modified strace http://www.liacs.nl/~wichert/strace/ -- Section "Implementation")...

geordi

Geordi (http://www.eelis.net/geordi/, https://github.com/Eelis/geordi) could probably be modified to make the wanted rewriting of file arguments to system calls in the jailed programs.

proot

PRoot is a ready-to-use ptrace-based tool for this. http://proot.me/:

    chroot equivalent

    To execute a command inside a given Linux distribution, just give
    proot the path to the guest rootfs followed by the desired command.
    The example below executes the program cat to print the content of a
    file:

        proot -r /mnt/slackware-8.0/ cat /etc/motd
        Welcome to Slackware Linux 8.0

    The default command is /bin/sh when none is specified. Thus the
    shortest way to confine an interactive shell and all its sub-programs
    is:

        proot -r /mnt/slackware-8.0/
        $ cat /etc/motd
        Welcome to Slackware Linux 8.0

unshare-based

user_namespaces support in the Linux kernel has got more mature since the question was asked. Now you can play with performing a chroot as a normal user with the help of unshare, like in Simulate chroot with unshare:

    unshare --user --map-root-user --mount-proc --pid --fork
    chroot ......
    su - user1





edited May 23 '17 at 12:40 by Community♦
answered Apr 17 '13 at 3:11 by imz -- Ivan Zakharyaschev











  • You ask and answer simultaneously?
    – Hauke Laging
    Apr 17 '13 at 4:22

  • @HaukeLaging It's encouraged if you think the info will be useful for others
    – Michael Mrozek♦
    Apr 17 '13 at 23:35

  • @HaukeLaging As I posed this question to myself (and started writing the question down), I started searching for the solutions, so very soon I already got an understanding of the possible solutions, and wrote that down as an answer. A bit later I discovered one more tool to do this (proot), perhaps the most convenient, and added it to the answer.
    – imz -- Ivan Zakharyaschev
    Apr 20 '13 at 13:11

  • bubblewrap is a really nice unshare-based chroot/mount --bind replacement: github.com/projectatomic/bubblewrap
    – user2303
    Sep 30 '16 at 13:45
















score 1









        You could try User-Mode Linux. The code for building such a kernel is now present in the mainstream sources, and you can find (outdated) precompiled builds on the page I linked.






answered Aug 16 at 22:30 by Billy



























             
