Timeline for How do I tell I'm running in a chroot?
Current License: CC BY-SA 4.0
20 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| S Apr 5, 2020 at 20:42 | history | suggested | Pablo A | CC BY-SA 4.0 | Improved formatting |
| Apr 5, 2020 at 18:51 | review | Suggested edits | |||
| S Apr 5, 2020 at 20:42 | |||||
| Mar 14, 2019 at 13:52 | comment | added | Toby Speight |
Nice answer; I managed to avoid the subshell substitutions and `[`/`test` with a simple awk command: `if stat -c %d:%i / /proc/1/root/. | awk -v RS= '{ exit $1 != $2; }'; then` (setting record separator to empty string automatically makes newline a field separator). Even easier if your test has the `-ef` (same file) comparison!
|
|
| Jan 11, 2018 at 19:00 | comment | added | Gilles 'SO- stop being evil' | @Vouze No, having /proc mounted is not a security flaw, because chroot alone is not a security mechanism. You can get security from chroot only if the processes running in the chroot run with separate user IDs from processes running outside the chroot. Otherwise chroot does not protect you, for example, from a process that kills or ptraces another process that's running outside the chroot. In that case /proc/$pid/root does not permit bypassing the chroot. | |
| Jan 11, 2018 at 9:55 | comment | added | Vouze | Having /proc mounted is clearly a security flaw, as you can access the real root through "ls -l /proc/1/root/." | |
| Jun 10, 2017 at 19:17 | comment | added | Gilles 'SO- stop being evil' | @sbhatla To compare them. The information in a single mountinfo file isn't a good test for the process being chrooted. But if the information differs for process 1 and for the running process, that shows that the running process is running in a different root from process 1. | |
| Jun 10, 2017 at 4:12 | comment | added | sbhatla | You mention checking mountinfo for both PID ## and 1. Why? | |
| Jan 14, 2016 at 3:02 | comment | added | Adam D. | @Gilles There is mount_procfs, you can then use ps and grep to find the init pid. | |
| Jan 14, 2016 at 2:49 | comment | added | Adam D. |
Well done, I had to add sudo for perm on my system, here is your idea in an alias: `alias ischroot='[ "$(sudo stat -c %d:%i /)" != "$(sudo stat -c %d:%i /proc/1/root/)" ] && echo "Yes, we are chrooted!" || echo "No chroot detected."'`
|
|
| Jan 16, 2015 at 17:11 | comment | added | Adam Katz | @Gilles I figured OpenBSD would have this defeated in some manner or other. Still, I'm surprised that all of those special role items aren't capable of being applied to an arbitrary PID (without consequences), which is what I meant in my italicized "why" earlier. | |
| Jan 16, 2015 at 11:43 | history | edited | Gilles 'SO- stop being evil' | CC BY-SA 3.0 | added 187 characters in body |
| Jan 16, 2015 at 11:40 | comment | added | Gilles 'SO- stop being evil' | @AdamKatz It's the opposite: pid 1 has a special role (it must reap zombies, and it is immune to SIGKILL). The init program is an implementation of that role. The reason my answer doesn't work in OpenBSD has nothing to do with this: it's because OpenBSD doesn't have anything like Solaris/Linux's /proc. My answer wasn't meant to address anything but Linux anyway. | |
| Jan 16, 2015 at 10:02 | comment | added | Adam Katz | @muru: aw, shucks. You've shot me down. I'm not sure why init(8) would absolutely need to have the #1 slot unless there's some kind of hard-coded nature that requires it (in which I'd still be unsure as to why). Of course, the BSDs have much more advanced jails than just chroot, so I'm not even sure how problematic this is. | |
| Jan 16, 2015 at 9:40 | comment | added | muru | @AdamKatz "... with a couple of obvious exceptions, e.g., init(8)." So which is it? | |
| Jan 16, 2015 at 5:59 | comment | added | Adam Katz | This won't work in OpenBSD because it has random PIDs; the root process is basically never PID 1. Now you know why! | |
| Jun 19, 2013 at 17:40 | history | edited | Gilles 'SO- stop being evil' | CC BY-SA 3.0 | `stat -Lc %d:%i /proc/1/root` is used in udev's postinst since 2005 |
| May 29, 2012 at 17:31 | vote | accept | Gilles 'SO- stop being evil' | ||
| May 29, 2012 at 17:31 | vote | accept | Gilles 'SO- stop being evil' | ||
| May 29, 2012 at 17:31 | |||||
| Nov 9, 2011 at 19:11 | history | edited | Gilles 'SO- stop being evil' | CC BY-SA 3.0 | added mountinfo method |
| Jun 3, 2011 at 16:55 | history | answered | Gilles 'SO- stop being evil' | CC BY-SA 3.0 |