Is it possible to run a process in chroot with virtual /proc filesystem under Linux?

I need to run a process in a chroot with a virtual /proc filesystem, so the process is unable to get access to other processes running on the same host. The process must be run under root and have full access to files in chroot. Also any changes to the filesystem must be preserved in the chrooted directory.



Is it even possible?

linux linux-kernel chroot proc

asked Mar 21 '17 at 0:30 by user4674453; edited Mar 21 '17 at 2:09 by user unknown

  • Any particular reason for trying to achieve such behavior?
    – ddnomad
    Mar 21 '17 at 1:31

  • a VM or LXC container will give you a real-looking /proc without actually being the host's /proc.
    – quixotic
    Mar 21 '17 at 4:09

2 Answers

It is possible to mount /proc in a chroot environment - see this answer for more on that.

I would have concerns that the program would not be able to get access to other processes, as much (if not all) of this information can be accessed through /proc (/proc/[pid number] will give you access to this).

It's unclear what you mean by "changes to the filesystem", but if these changes are to the filesystem excluding special bits like /proc, /dev/ etc., these will stay in the chroot.

answered Mar 21 '17 at 3:13 by davidgo

  • mounting the real /proc in the chroot is pretty much exactly what the question is trying to avoid.
    – quixotic
    Mar 21 '17 at 4:00

  • @quixotic - if that's the case, the answer is "no" - unless a lot more information is given as to what specific parts of /proc are needed. Rereading the question, I wonder if the understanding of filesystems is correct - as in, does "changes to the filesystem must be preserved" imply access to files outside the scope of the directories under the chroot jail?
    – davidgo
    Mar 21 '17 at 4:06

  • agree that doesn't entirely make sense -- it could be assuming a read-only base for the chroot, like docker or snapshot-able VM images or running the chroot in a loop-mounted ISO image or ...
    – quixotic
    Mar 21 '17 at 4:14

  • > It's unclear what you mean by "changes to the filesystem"
    That was to avoid docker fans flooding the topic :) What I really need is to be able to install any package, which pulls in a lot of dependencies, in a way that won't pollute the system, and have it usable in the shell as if it were installed in /usr/bin. So I would like it to use the main root, but all the changes it produces, including dependencies, logs, etc., to be stored in a separate directory. I want it to know nothing about the root system and the processes it's running, as it won't work smoothly.
    – user4674453
    Mar 21 '17 at 22:36

You can accomplish this using Linux namespaces. Containers (Docker, lxc) are made out of those. man unshare is your friend.
Beware that an attacker can easily escape chroot if you use it improperly. Read up on this before using it. You have been warned.

answered Nov 19 at 20:51 by lynx
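As an added example that is not part of either answer, here is a POSIX sh script applying the unshare(1) suggestion above to the asker's requirements: the chrooted command gets its own PID and mount namespaces with a fresh procfs, so /proc inside shows only its own process tree while files it writes persist in the chroot directory, plus two checks a practitioner would want afterwards. ROOTFS (/srv/jail), root privileges and util-linux unshare(1) are assumptions.

```shell
#!/bin/sh
# Added example (not code from either answer): apply the unshare(1) approach to
# the asker's setup. The command gets its own PID and mount namespaces and a
# fresh procfs mounted at ROOTFS/proc, so inside the chroot /proc shows only
# the sandboxed process tree, while files it writes land in ROOTFS on the host.
# Assumptions: root, util-linux unshare(1), and a chroot tree at ROOTFS (an
# assumed path) that already contains an empty proc directory.

# Print the exact command line so it can be reviewed or logged before use.
build_sandbox_cmd() {
    rootfs=$1; shift
    # --mount                private mount namespace: the proc mount is invisible to the host
    # --pid --fork           new PID namespace; the forked child becomes PID 1 in it
    # --propagation private  nothing mounted inside propagates back to the host
    # --mount-proc=DIR       mount a fresh procfs at DIR for the new PID namespace
    printf 'unshare --mount --pid --fork --propagation private --mount-proc=%s/proc chroot %s %s\n' \
        "$rootfs" "$rootfs" "$*"
}

run_sandboxed() {
    rootfs=$1; shift
    [ -d "$rootfs/proc" ] || { echo "missing mount point $rootfs/proc" >&2; return 1; }
    unshare --mount --pid --fork --propagation private \
        --mount-proc="$rootfs/proc" chroot "$rootfs" "$@"
}

# Count the numeric (PID) entries in a procfs-style directory. Run inside the
# sandbox this is a handful; run against the host's /proc it is every process.
count_proc_pids() {
    n=0
    for e in "$1"/*; do
        case ${e##*/} in
            ''|*[!0-9]*) ;;          # not a PID directory (or an empty glob)
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Defender's check once the sandbox has exited: the host's mount table
# (normally /proc/self/mountinfo; field 5 is the mount point, the fs type
# follows the "-" separator) must not still list a proc mount under the
# chroot. Exit status 0 means a leaked mount was found.
proc_mount_leaked() {
    awk -v mp="$1/proc" '
        $5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { if ($(i + 1) == "proc") found = 1; break } }
        END { exit found ? 0 : 1 }' "$2"
}

# Usage (as root; ROOTFS is an assumed path):
#   ROOTFS=/srv/jail
#   run_sandboxed "$ROOTFS" /bin/sh -c 'ls /proc | grep -c "^[0-9]"'   # a small number, not the host's
#   proc_mount_leaked "$ROOTFS" /proc/self/mountinfo && echo "WARNING: proc still mounted on host"
```

Because the command still runs as root inside a plain chroot, the warning in the answer above still applies: the namespaces confine what /proc and the mount table reveal, they do not by themselves make the chroot escape-proof.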