Can we do chroot against a btrfs snapshot?

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Can we do chroot against a btrfs snapshot?

#1 Post by bester69 »

Hi,

Can we do chroot against a btrfs system volume snapshot? Can we do this in order to, for example, build an application (installing dev packages and building the deb),
or run an isolated app? (I understand that when you run an app within chroot space, it's confined.)


Thanks.
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Can we do chroot against a btrfs snapshot?

#2 Post by p.H »

Why not, if you can mount it or access it within a mounted parent subvolume?

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Can we do chroot against a btrfs snapshot?

#3 Post by bester69 »

p.H wrote:Why not, if you can mount it or access it within a mounted parent subvolume?
Thanks for answering, p.H. :o

Cool!! And do you know if we can get isolation like with firejail by running an app in chroot? I would like to isolate an old Brave browser version that doesn't work with firejail. I don't know how to do it, and had thought about running it in chroot space.

I don't know how to isolate the browser in an easy way without using firejail. Couldn't it be enough to run the browser as another specific user, to isolate the main home and mounted folders, and remove access permissions for that user's browser? :idea:

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Can we do chroot against a btrfs snapshot?

#4 Post by Head_on_a_Stick »

A chroot is not a security feature: https://access.redhat.com/blogs/766093/posts/1975883
deadbang

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Can we do chroot against a btrfs snapshot?

#5 Post by bester69 »

Head_on_a_Stick wrote:A chroot is not a security feature: https://access.redhat.com/blogs/766093/posts/1975883
Attacking the chroot
A daemon may be running in a chroot, but it may also have a flaw that allows an attacker to execute commands with the privileges of the user running the daemon (an arbitrary command execution attack).
So, if a process running in memory through chroot escapes via a flaw and runs malicious code, it could execute commands with the privileges of root. But what happens if you modify the root password outside the chroot while the chroot is running? Could that malicious code still be able to execute any command as well? I mean, chroot gets root privileges over the chrooted space, but then if it manages to escape and run any command outside, it would find the root password has changed, wouldn't it?

My idea is as follows:

sudo btrfs subvolume snapshot rootsys/ chrootsys/
sudo mount -t btrfs -o subvol=chrootsys /dev/sda2 /mnt
sudo mount --bind /dev /mnt/dev
sudo mount --bind /proc /mnt/proc
sudo mount --bind /sys /mnt/sys
sudo chroot /mnt
# Here, change the password of the snapshot's root system
passwd
# And then you run the application like in a sandbox, because malicious code can't run anything with a different root password

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Can we do chroot against a btrfs snapshot?

#6 Post by p.H »

bester69 wrote:But what happens if you modify the root password outside the chroot while the chroot is running?
Nothing. Processes do not care about passwords.
bester69 wrote:Could that malicious code still be able to execute any command as well?
Yes.
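
The point made in posts #4 and #6, as an added example that is not part of any post in this thread: a process's privileges are the kernel credentials shown in /proc/<pid>/status, so changing a password alters nothing about a running process. The function name, verdict strings and sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). What the kernel checks is the process's
# credentials, shown in /proc/<pid>/status; /etc/shadow is never consulted.

CAP_SYS_CHROOT=18   # bit number in linux/capability.h; needed to call chroot(2)

# Constructed samples in the layout of /proc/<pid>/status.
SAMPLE_ROOT='Name: brave
Uid: 0 0 0 0
CapEff: 000001ffffffffff'
SAMPLE_USER='Name: brave
Uid: 1001 1001 1001 1001
CapEff: 0000000000000000'
SAMPLE_CAP='Name: helper
Uid: 1001 1001 1001 1001
CapEff: 0000000000040000'

# chroot_assessment STATUS_TEXT: print a one-line verdict, always return 0.
chroot_assessment() {
    # Uid fields are: real, effective, saved, filesystem.
    ca_euid=$(printf '%s\n' "$1" | awk '/^Uid:/ {print $3}')
    ca_caps=$(printf '%s\n' "$1" | awk '/^CapEff:/ {print $2}')
    if [ -z "$ca_euid" ] || [ -z "$ca_caps" ]; then
        echo "unknown: no Uid or CapEff line"
    elif [ "$ca_euid" -eq 0 ]; then
        echo "not confined: effective uid 0"
    elif [ $(( (0x$ca_caps >> CAP_SYS_CHROOT) & 1 )) -eq 1 ]; then
        echo "not confined: holds CAP_SYS_CHROOT"
    else
        echo "path view only: unprivileged, no CAP_SYS_CHROOT"
    fi
}

# Run the check over the three constructed samples.
for s in "$SAMPLE_ROOT" "$SAMPLE_USER" "$SAMPLE_CAP"; do
    chroot_assessment "$s"
done
# On a live system: chroot_assessment "$(cat /proc/<pid>/status)"
```

Even the "path view only" verdict is not a sandbox: a chroot changes only how paths are resolved, while the network, IPC and the kernel are still shared with the host.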

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Can we do chroot against a btrfs snapshot?

#7 Post by bester69 »

p.H wrote:
bester69 wrote:But what happens if you modify the root password outside the chroot while the chroot is running?
Nothing. Processes do not care about passwords.
bester69 wrote:Could that malicious code still be able to execute any command as well?
Yes.
OK, thanks. I've an old Brave browser version, but it seems to be under attack; I purged the settings folder, but the CPU was still at full throttle until I killed the browser, so something was going on there. I wonder if Brave's Chromium sandbox protects our system processes in any way...

It seems very risky to keep using an outdated browser. I really don't know whether there's a person behind it or whether it is most probably a worm attack. Anyway, it's scary.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Can we do chroot against a btrfs snapshot?

#8 Post by bester69 »

Dahlia wrote:I just realized that snapshots on my Downloads directory are taking up a lot of space. What's the best way to prevent TimeShift (or snapper) from snapshotting a directory?
We have all run into that problem. You need to take that kind of data folder out of the snapshot backups.

You just need to create a new subvolume for that data folder and take it out of TimeShift.

You would do it like this:
0- Create the Downloads subvolume.
sudo mount -t btrfs /dev/sda1 /mnt
sudo btrfs subvolume create /mnt/Downloads
1- Mount Downloads through fstab
UUID=c649c9a7-YOUR_PARTITIONID-026837988bb7 /home/user/Downloads btrfs subvol=Downloads,defaults,noatime,space_cache,autodefrag 0 2

Or, if you don't want to mount any folder above home:
UUID=c649c9a7-YOUR_PARTITIONID-026837988bb7 /media/Downloads btrfs subvol=Downloads,defaults,noatime,space_cache,autodefrag 0 2

AND:
sudo chown Your_user: /media/Downloads && ln -s /media/Downloads /home/user/Downloads

---------------------------
In my case, I also took out the /home/user/<<.CACHE>> folder; you might need to take out other things too, so the best thing to do is to create a main subvolume DATAFOLDER in home, where you put all the folders you need taken out of Timeshift, and recreate those folders as symlinks to the DATAFOLDER root path. This way you don't need to create a subvolume every time for each folder.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Can we do chroot against a btrfs snapshot?

#9 Post by Head_on_a_Stick »

@bester69: you are replying to a spambot, I have removed their post.
deadbang

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Can we do chroot against a btrfs snapshot?

#10 Post by bester69 »

Head_on_a_Stick wrote:@bester69: you are replying to a spambot, I have removed their post.
Roger :roll:

Thanks.