iamroot - Emulate the syscall chroot(2) for unprivileged processes in userspace
Only a privileged process can run chroot(2).
iamroot(7) emulates the behaviour of the syscall chroot(2) for unprivileged users as far as their permissions grant it; it cannot overcome the lack for permissions such as reading or writing files that do not belong to the user, such as the files owned by root without a permissive access.
iamroot(7) consists of an ELF library to preload, and convenient shell scripts to setup an environment ready to run unprivileged processes calling chroot(2) and to workaround the impossible such as executing SUID or statically linked objects.
iamroot(7) emulates privileged syscalls such as chmod(2) or chown(2) and bypasses mount(2), umount(2) or unshare(2); it is not restricted to them.
A pathname starting with / is called an absolute pathname; otherwise it is called a relative pathname.
Every processes inherits two paths from its parent: - cwd for the current working directory - root for the root directory
The cwd is changed using chdir(2) or fchdir(2); the root is changed using chroot(2).
Both paths are readable in /proc/<pid>/cwd and /proc/<pid>/root.
[gportay@archlinux ~]$ readlink /proc/self/cwd
/home/gportay
[gportay@archlinux ~]$ readlink /proc/self/root
/See path_resolution(7) for a more thorough description of path resolution; in short, the root is prepended to absolute pathnames.
The library libiamroot.so is preloaded by ld.so(8) using LD_PRELOAD and intercepts the calls to libc(7) with a pathname in parameter. It resolves the pathname internally before calling the real symbol with the pathname modified.
If the process changes the root directory using chroot(2), the library intercepts the function and it DOES NOT call the real symbol then! Instead, the library stores the absolute path for the pathname given in parameter in the environment IAMROOT_ROOT. The library resolves every absolute pathname of the subsequent intercepted calls using this environment variable.
If the process changes the current working directory using either chdir(3p) or fchdir(3p), the library intercepts these functions as well and it checks if the process breaks from its "chroot jail". If it exits, the library resets the environment IAMROOT_ROOT and it resolves every absolute pathname of the subsequent calls to intercepted functions normally.
The library libiamroot.so does not gain the superuser permissions. As a consequence, some syscalls end with EACCESS or EPERM errors. The library handles the lack of permissions. Additionally, it works arround the impossible from withing the shell script exec.sh to run the SUID or statically linked objects.
iamroot(7) is tested regularly to make minimal linux rootfs with various package managers. Nevertheless, it is still a proof-of-concept, therefore expect the unexpectable!
Note: The library libiamroot.so replaces the couple fakechroot(1) and fakeroot(1).
Report bugs at https://github.com/gportay/iamroot/issues
Written by Gaël PORTAY [email protected]
Copyright (c) 2021,2023-2024 Gaël PORTAY
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 2.1 of the License, or (at your option) any later version.