On Wed, 28 Sep 2022 19:07:14 +1000 (AEST)
Michael Chapman <mike@xxxxxxxxxxxxxxxxx> wrote:

1. ExecStart is relative to RootDirectory (at least for me).

2. I've just simplified my service file to equal yours - simple static executable in RootDirectory inside /tmp. It works.

But I can't bind-mount anything inside tmpfs, so it's kind of pointless...

Try it with chroot somewhere on your disk, e.g. /chroots map or something and make the service bind-mount executable there.

Like BindPaths=/absolute/path/to/my_debug-exec:absolute path_into chroot and see if it works.

> On Wed, 28 Sep 2022, Branko wrote:
> > OK. You have bound one path. Is the executable within it or is it
> > irrelevant for the case (and the executable is in /tmp)?
>
> No, the executable was in the chroot's root directory. That's why I
> referred to it with:
>
> ExecStart=/hello
>
> You could put the executable in a subdirectory if you wanted. But if
> you were to place the binary at, say:
>
> ExecStart=/usr/bin/hello
>
> -- again, relative to the chroot's root directory -- then using:
>
> BindReadOnlyPaths=/usr
>
> would not work.
>
> But... why would you do that? I can't think of any reason for bind
> mounting an ancestor of the chroot's root directory into the chroot
> itself.
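
Added example (not part of the original thread and not systemd's own code): a small Python model of the path resolution discussed above, showing which host file an ExecStart= path points at once RootDirectory= and bind mounts are applied. The function names, the sample paths and the simplifications (symlinks ignored, the deepest bind destination covering a path wins) are assumptions made for illustration.

```python
import posixpath

def parse_binds(value):
    """Parse a BindPaths=/BindReadOnlyPaths= value: SOURCE[:DESTINATION[:OPTIONS]] ..."""
    binds = []
    for entry in value.split():
        entry = entry.lstrip("-")            # "-" prefix: a missing source is ignored
        parts = entry.split(":")
        src = parts[0]
        dst = parts[1] if len(parts) > 1 and parts[1] else src
        binds.append((posixpath.normpath(src), posixpath.normpath(dst)))
    return binds

def host_path_for(exec_path, root_dir, binds):
    """Return (host_path, origin) for a path as seen inside the chroot.

    origin is "root" when the file comes from RootDirectory itself, or
    "bind:<destination>" when a bind mount covers (shadows) that location.
    """
    exec_path = posixpath.normpath(exec_path)
    best = None
    for src, dst in binds:
        covered = exec_path == dst or exec_path.startswith(dst.rstrip("/") + "/")
        if covered and (best is None or len(dst) >= len(best[1])):
            best = (src, dst)
    if best is None:
        return posixpath.join(root_dir, exec_path.lstrip("/")), "root"
    src, dst = best
    rel = posixpath.relpath(exec_path, dst)
    return (src if rel == "." else posixpath.join(src, rel)), "bind:" + dst

if __name__ == "__main__":
    root = "/chroots/svc"                    # constructed sample RootDirectory=
    cases = [
        ("/hello", ""),                      # binary sits in the chroot's root
        ("/usr/bin/hello", "/usr"),          # host /usr mounted over the chroot's /usr
        ("/bin/app", "/home/me/my_debug-exec:/bin/app"),  # single file bound in
    ]
    for exec_start, bind_value in cases:
        host, origin = host_path_for(exec_start, root, parse_binds(bind_value))
        print(f"ExecStart={exec_start!r:18} binds={bind_value!r:36} -> {host} ({origin})")
```

In the second case the binary placed at /chroots/svc/usr/bin/hello is hidden behind the host's /usr, so the service only starts if the host happens to have /usr/bin/hello.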