Can we do chroot against a btrfs snapshot?

If none of the more specific forums is the right place to ask

Can we do chroot against a btrfs snapshot?

Postby bester69 » 2020-10-26 14:05

Hi,

Can we do chroot against a btrfs system volume snapshot?... Can we do this in order to; for example, build an application (installing dev packages and build the deb)..
or run an isolated app?.. (I understand when you run an app within chroot space, It's confined)


thanks.,
bester69 wrote:You wont change my mind when I know Im right, Im not an ...
User avatar
bester69
 
Posts: 1802
Joined: 2015-04-02 13:15

Re: Can we do chroot against a btrfs snapshot?

Postby p.H » 2020-10-26 15:33

Why not, if you can mount it or access it within a mounted parent subvolume ?
p.H
 
Posts: 1521
Joined: 2017-09-17 07:12

Re: Can we do chroot against a btrfs snapshot?

Postby bester69 » 2020-10-26 17:24

p.H wrote:Why not, if you can mount it or access it within a mounted parent subvolume ?

thanks for answering pH. :o

cool!!.. and do you know If we can get isolation like with firejail by running and app in chroot.. I would like to isolate an old brave browser version, that doesnt work with firejail.. dont know how to do it..and had thought abour running it in chroot space..

I dont know how to isolate the browser in an easy way without using firejial .. couldn't be just enought by running the browser with another specific user to isolate main home and mounted folders and remove access permisons to that user's browser.?. :idea:
bester69 wrote:You wont change my mind when I know Im right, Im not an ...
User avatar
bester69
 
Posts: 1802
Joined: 2015-04-02 13:15

Re: Can we do chroot against a btrfs snapshot?

Postby Head_on_a_Stick » 2020-10-26 17:40

A chroot is not a security feature: https://access.redhat.com/blogs/766093/posts/1975883
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
User avatar
Head_on_a_Stick
 
Posts: 12795
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Can we do chroot against a btrfs snapshot?

Postby bester69 » 2020-10-26 19:08

Head_on_a_Stick wrote:A chroot is not a security feature: https://access.redhat.com/blogs/766093/posts/1975883

Attacking the chroot
A daemon may be running in a chroot, but it may also have a flaw that allows an attacker to execute commands with the privileges of the user running the daemon (an arbitrary command execution attack).

So, If a process running in memory throught chroot escape a flaw and run malicious code it could execute commands with the privileges of root..but, what happend if you modify root password outside chroot, when chroot is running.. coult it be able to execute that malicious code any command as well??.. I mean chroot gets root privileges over the chrooted space, but then if it achieves to escape and run any command outside it would find root password has changed.. isnt it?

My idea is as following.:

sudo btrfs subvolume snapshot rootsys/ chrootsys/
mount -t btrfs -o subvol=chrootsys /dev/sda2 /mnt
mount --bind dev, proc, sys /mnt
chroot /mnt
>> Here change password of snapshot's root system
password
>> And then, you run application like in sandbox, cos malicous code can't run anything with a different root password
bester69 wrote:You wont change my mind when I know Im right, Im not an ...
User avatar
bester69
 
Posts: 1802
Joined: 2015-04-02 13:15

Re: Can we do chroot against a btrfs snapshot?

Postby p.H » 2020-10-26 20:09

bester69 wrote:but, what happend if you modify root password outside chroot, when chroot is running

Nothing. Processes do not care about passwords.
bester69 wrote:coult it be able to execute that malicious code any command as well?

Yes.
p.H
 
Posts: 1521
Joined: 2017-09-17 07:12

Re: Can we do chroot against a btrfs snapshot?

Postby bester69 » 2020-10-26 22:55

p.H wrote:
bester69 wrote:but, what happend if you modify root password outside chroot, when chroot is running

Nothing. Processes do not care about passwords.
bester69 wrote:coult it be able to execute that malicious code any command as well?

Yes.

ok, thanks...Ive an old brave browser version but seems to be under attack, I purged folder settings but still CPU was to full throtle until i killed the browser.. so something was going on there... I wonder if brave's chromium sandbox protect us our system processes in any way...

this seems very risky to keep using an outaded browser.. i reallty dont get it if there's a person behind them or is most probably a worm attack.. anyway its scary
bester69 wrote:You wont change my mind when I know Im right, Im not an ...
User avatar
bester69
 
Posts: 1802
Joined: 2015-04-02 13:15

Re: Can we do chroot against a btrfs snapshot?

Postby bester69 » 2020-11-11 12:13

Dahlia wrote:I just realized that snapshots on my Downloads directory are taking up a lot of space. What's the best way to prevent TimeShift (or snapper) from snapshotting a directory?

We all gave into that problem...you need to take out that kind of data forlder from snapshots backups..

You just need to create a new subvolume for that data folder and take it our from TimeShift..

- You would do like this.:
0- Create Subvolume Downloads.
sudo mount -t btrfs /dev/sda1 /mnt
sudo btrfs subvolume create Downloads
1- Mount Downloads throught fstab
UUID=c649c9a7-YOUR_PARTITIONID-026837988bb7 /home/user/Downloads btrfs subvol=Downloads,defaults,noatime,space_cache,autodefrag 0 2

or if you dont want to mount any folder point above home.:
UUID=c649c9a7-YOUR_PARTITIONID-026837988bb7 /media/Downloads btrfs subvol=Downloads,defaults,noatime,space_cache,autodefrag 0 2

AND:
sudo chown Your_user: /media/Downloads && ln -s /media/Downloads /home/user/Downloads

---------------------------
In mY case , I also took out /home/user/<<.CACHE>> folder ,; ou might need to take out more other things, so the best thing to do is to create a main subvolume DATAFOLDER in home, where you put all folders you need to be taken out of Timeshift.. and recreate those folders with synlinks to DATAFOLDER path root.. this way you dont need to be creating everytime subvolumes for any folder..
bester69 wrote:You wont change my mind when I know Im right, Im not an ...
User avatar
bester69
 
Posts: 1802
Joined: 2015-04-02 13:15

Re: Can we do chroot against a btrfs snapshot?

Postby Head_on_a_Stick » 2020-11-12 18:41

@bester69: you are replying to a spambot, I have removed their post.
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
User avatar
Head_on_a_Stick
 
Posts: 12795
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Can we do chroot against a btrfs snapshot?

Postby bester69 » 2020-11-12 19:15

Head_on_a_Stick wrote:@bester69: you are replying to a spambot, I have removed their post.

roger :roll:

thanks
bester69 wrote:You wont change my mind when I know Im right, Im not an ...
User avatar
bester69
 
Posts: 1802
Joined: 2015-04-02 13:15


Return to General Questions

Who is online

Users browsing this forum: MagicPoulp and 15 guests

fashionable