Obtaining access to file in chroot environment from usual root...

acc_Wk · 08-01-2011, 01:13 AM

Hi,

I'm facing a problem with access to an iso file in chroot environment from my usual root (/) env..

Within the chroot environment I have an iso file placed... In my program I need to access this iso file and perform mount and other operations.. But I cant do this in the chroot environment as I have only basic commands here (ls,cp etc.. and no mount)

So how can I access this iso file from my program ? Is there something like a file-descriptor which I can associate with the file exit from the chroot env and access the file via this fd ?

Any help will be appreciated!!

markush · 08-01-2011, 01:23 AM

Hello acc Wk,

you should try to mount the isofile before chrooting. This should afaik work.

Markus

acc_Wk · 08-01-2011, 01:50 AM

Quote:

Originally Posted by markush

Hello acc Wk,

you should try to mount the isofile before chrooting. This should afaik work.

Markus

Hi Markus,

Thanks for your response.. But my query was how can I access this isofile from my program ? I need to pass this as an arg to mount cmd right, so how do I access this file from my normal env ? I am guessing I shouldnt just append the my chroot env dir manually and access the iso file.. Am I wrong here ?

Hope I'm not missing something very basic ?

markush · 08-01-2011, 03:47 AM

mh, I do not really understand what you're doing, could you please provide more information? Please give us an overview about your program and your requirements.

Markus

gnashley · 08-01-2011, 04:28 AM

Use losetup to associate the file to a device, then mount that device. You do some neat tricks with losetup -if you assign a device as above you can even mount something over its' parent path and the device will still be avaiable. Here's a little script I banged together to denonstrate to some a long time ago:

Code:

#!/bin/bash
# this script demonstrates how to access devices or files which are located
# somewhere that has been mounted later

# Just run './mount-tricks' to run the demo
# run './mount-tricks undo' to clean up mounts and loop device

if [[ $1 = undo ]] ; then
	umount /mnt/test2
	#umount /mnt/test1
	umount /dev/loop0
	losetup -d /dev/loop0
	rm -rf /mnt/test1 /mnt/test2 /mnt/looptest
	exit
fi

# create 3 mount points
echo "Creating /mnt/looptest /mnt/test1 /mnt/test2"
mkdir -p /mnt/looptest /mnt/test1 /mnt/test2

# make a small partition image to test with
echo "Creating a small partition image"
dd if=/dev/zero of=/mnt/test1/test.img bs=1k count=5120
echo "Formatting partition image"
echo y | mke2fs /mnt/test1/test.img

echo
echo
# associate the test image with loop0
echo "Setting up /mnt/test1/test.img on loop device /dev/loop0"
losetup /dev/loop0 /mnt/test1/test.img
# mount the looped image device on 
echo "Mounting the loop device on /mnt/test1"
mount -t ext2 /dev/loop0 /mnt/looptest
# copy some stuff in there
echo "Now creating a couple of test files /mnt/test1/testfile1 & /mnt/test1/testfile2"
echo testme > /mnt/looptest/testfile1
echo testmetoo > /mnt/looptest/testfile2
echo
# show the output
echo "ls /mnt/test1: (directory where the test.img is located"
ls /mnt/test1
echo "ls /mnt/looptest: (directory where the test.img is loop mounted"
ls /mnt/looptest
echo "contents of /mnt/looptest/testfile1:"
cat /mnt/looptest/testfile1
echo "contents of /mnt/looptest/testfile2:"
cat /mnt/looptest/testfile2
echo "Press ENTER to continue"
read


echo =====
# now mount with bind
echo "mounting /mnt/test1 using bind on /mnt/test2"
mount --bind /mnt/test1 /mnt/test2
echo "ls /mnt/test1:"
ls /mnt/test1
echo "ls /mnt/test2:"
ls /mnt/test2
echo "Here /mnt/test2 mirrors the contents of /mnt/test1"
echo "Press ENTER to continue"
read

#
echo "now mounting /mnt/test1 on tmpfs"
mount -t tmpfs tmpfs /mnt/test1
echo "ls /mnt/test1:"
ls /mnt/test1
echo "ls /mnt/test2:"
ls /mnt/test2
echo "ls /mnt/looptest:"
ls /mnt/looptest
echo "Now, when /mnt/test1 is mounted on tmpfs"
echo "the contents disappear there, but not in /mnt/test2"
echo "and the contents in the loop device are also still there"
echo "Press ENTER to continue"
read

echo =====
echo "Now creating a file under /mnt/test1 which is mounted on tmpfs"
echo testme3 > /mnt/test1/testfile3
echo "ls /mnt/test1:"
ls /mnt/test1
echo "ls /mnt/test2:"
ls /mnt/test2
echo "ls /mnt/looptest:"
ls /mnt/looptest

echo =====
echo "Now unmounting tmpfs"
umount /mnt/test1
echo "ls /mnt/test1:"
ls /mnt/test1
echo "ls /mnt/test2:"
ls /mnt/test2
echo "ls /mnt/looptest:"
ls /mnt/looptest
echo "After unmounting /mnt/test1 from tmpfs"
echo "The original contents are visble again,"
echo "and what was written there while mounted tmpfs is gone"
#mount -t tmpfs tmpfs /mnt/loop

acc_Wk · 08-01-2011, 06:57 AM

Quote:

Originally Posted by markush

mh, I do not really understand what you're doing, could you please provide more information? Please give us an overview about your program and your requirements.

Markus

Ok.. So I have this limited environment where I expose only basic cmds (ls,cp etc) and basic dirs [/home , /random ] for an unprivileged user on login..
- /random is a common dir shared by all users, where they are free to keep large files. One such case is when one wishes to keep an iso image here.
- This limited env is my chrooted env
- Now the unprivileged user calls a prog to install the iso..The iso will be given as input to the program as
/random/<image>.iso
- This program will run with root privilege.. In this program I would like to access the iso image to perform mount and other operations.. But the user has given the input from the "chroot"-ed env point of view..(/random/<image>.iso where / is /usr/tmp)... So when my program runs from a normal root env, how can I access the iso image (which is in the chroot env) ? Just appending /usr/tmp to what the user has given as input(/random/<image>.iso) seems like a trivial soln and I feel this isnt how a file in chrooted env should be accessed...

Hope that was clear.. Please let me know otherwise, will try to provide another eg..

Thanks for the help!!

ta0kira · 08-01-2011, 07:55 AM

You might try this:

Before calling chroot, create a fifo that's available in e.g. /random of the chroot environment. Make sure this can only be written to by the users that can run your program, and make it unreadable.
Run a root script that waits for input from this fifo as a daemon. Since it's root, it will be able to read from the fifo.
When input is received from the fifo, have the script execute the program with the appropriate options, possibly derived from the fifo input.
Within the chroot environment, have a script (to be called by the user) that sends the appropriate information to the fifo. The program will then be run as root in the real environment.

Quote:

Originally Posted by acc_Wk

Just appending /usr/tmp to what the user has given as input(/random/<image>.iso) seems like a trivial soln and I feel this isnt how a file in chrooted env should be accessed...

You could mount --bind /usr/tmp/random /random in the normal environment. This would require that the ISO be in /usr/tmp/random, though. In general, you should just be prepending /usr/tmp to the filenames, otherwise the chrooted users will have indirect access to the root filesystem. In this case it doesn't seem like that big of a deal, though.

Quote:

Originally Posted by acc_Wk

- Now the unprivileged user calls a prog to install the iso..The iso will be given as input to the program as
/random/<image>.iso
- This program will run with root privilege.. In this program I would like to access the iso image to perform mount and other operations.. But the user has given the input from the "chroot"-ed env point of view..(/random/<image>.iso where / is /usr/tmp)... So when my program runs from a normal root env, how can I access the iso image (which is in the chroot env) ? Just appending /usr/tmp to what the user has given as input(/random/<image>.iso) seems like a trivial soln and I feel this isnt how a file in chrooted env should be accessed...

These two things sound inconsistent with each other. This process was what I thought I was providing a solution for above.
Kevin Barry