mkdogeroot is a script that prepares a system to provide pseudo-root access to a user.
$ sudo mkdogeroot.sh -u test -b /home/chrootbin -c /mnt dataWhere:
-u testis the user authorized to become root-b /home/chrootbinis the path tosudoscripts to becomeroot-c /mntis the directory where tochrootdatais an additional mointpoint, it will be mounted as/dataon thechroot
The user will have to launch the following command to enter pseudo-root mode:
$ sudo /home/chrootbin/broot
#mkdogeroot.sh will create 3 scripts:
/home/chrootbin/brootis the command the user will type to "become root", it usesunshareto hide the real filesystem to thechroot/home/chrootbin/mkchrootis thechrootcreation, invoked bybroot, it creates the fake filesystem if it does not exist yet and mounts necessary mountpoints/home/chrootbin/rmrootmust be called when the user doesn't need root anymore
mkdogeroot.sh adds a line to /etc/sudoers, for example:
test ALL=(ALL) NOPASSWD: /home/chrootbin/mkchroot, /home/chrootbin/brootAllowing the user test to run /home/chrootbin/broot
Regular system directories (bin boot sbin lib lib64 media mnt opt sbin srv usr var) are mounted read only.
Dynamic directories (proc sys dev run) are mounted read / write.
Additional directories (data) are mounted read / write.
In order to see all processes inside the chroot when grsecurity is enabled, a grsec feature must be disabled:
$ sudo sysctl -w kernel.grsecurity.chroot_findtask=0- Copy
mkdogeroot.shto the target machine
$ scp mkdogeroot.sh customer633:- Deploy the scripts
$ sudo ./mkdogeroot.sh -u www -b /home/chrootbin -c /mnt data- Test
$ sudo su - www
$ sudo /home/chrootbin/broot
# ps axuww- Check that you can see all the processes
- Optionally remove
mkdogeroot
$ rm mkdogeroot.shrmroot umounts remaining mount points if any, removes them, and delete the
user broot command from /etc/sudoers.