Description on howto create an chrooted union mirror of yhe real system when logging in.
	Chapter Introduction and Contents

Download location (HTTP):       http://linux.bononline.nl/projects/chroot-union/src
                                

Entering a safe mirror when logging in with unionfs and chroot.

Introduction

When reading a 'hint' on the website of LinuxFromScratch I discovered the special capabilities of unionfs, specially in combination with chroot. Later I read a HowTo on a wikiwebsite of Gentoo, about entering a chrooted homedirectory when using a special script as shell. Combining these two brings me to using a chrooted environment, which you enter when logging in as a special user. This environment is a exact copy (mirror) of the system you're working on. Because you're in safe copy of the real system, you can do whatever you like, it will never change the system, everything stay's inside the cache (the readwrite branch).

Links:
TRIP, a TRIvial Packager for LFS (and other linux systems) - Original hint at the website of LinuxFromScratch:
Home_directory_jail - Guide to set up a chroot jail at Gentoo

Basic technique

Do whatever you like, install, change and remove files from the system, and no harm whatsoever. Your real system stays untouched. This may sound like magic, but is in reality just possible by combining some techniques from all those available for Linux.
By using the filesystem Unionfs, a chroot and some well chosen remounted directories, you can set up this virtual system.

Unionfs

The most important part is the use of unionfs. Unionfs gives you the possibility to create a filesystem, which is the union of at least two others. See www.unionfs.org for more info. Now by letting the new filesystem be the union of our original filesytem (the root) in only read mode, and of a temporary filesystem (the cache) in readwrite mode, you'll have a filesystem which looks exactly like your original filesystem, but in which you can modify, delete and/or add files without doing anything to your original system. This is not possible, because the root is mounted readonly. Every modification is by the unionfs stored in the cache.
The only difference between the original and the newly created system is the path: in the new system it always starts with the path of the mountpoint of the union. This is why the next step is necessary.
A special note: today [june 2007] it looks as if unionfs will be included in the kernel. Unionfs is undergoing heavy development at this moment. Look at the website for more info.

Chroot

By chrooting to this mountpoint, you enter an environment which is absolutely a copy of your system. You can do whatever you like, even remove crucial directories and files. Test it! Look how far you can go before your system gets stuck.

(Re)Mounting

One extra thing you'll have to do is (re)mounting several crucial directories like /dev, /proc and /sys. This is because the union filesystem does not preserve existing mount points.
It's also recommended to remount some special directories like /tmp and the directory you're building the software in.

Logging in to this environment

Like the concept explained in Home_directory_jail it is possible by creating a special loginshell to enter the environment created with unionfs and chroot.
The idea explained here is to create a special user, with a special shell. This shell will, before entering a interactive shell, first do the necessary steps like mounting the unionfilesystem, remounting some important directories and do the chroot.

Preparation

The cache partition

Futher a partition with sufficient space to mount the cache to. This does not have to be a physical partition, it may be a virtual drive.

Create this drive with:

 
dd if=/dev/zero of=/mnt/cache.img bs=1M count=500

mkfs.ext2 /mnt/cache.img

mkdir /mnt/cache
mount /mnt/cache.img /mnt/cache -o loop

mkdir /mnt/union

(note: the loopback device has to be supported in your kernel. Kernels of most distributions do.)


Special loginshell

Create a shellscript chroot-union which will do all the necessary steps:

• The chroot-union script

  
  

  cat >> /bin/chroot-union << "EOF" #!/bin/bash function mount_unionfs { # mount temporary filesystems if [ -z "$(mount -t unionfs | grep -w /mnt/union )" ]; then sudo /bin/mount -t unionfs -o dirs=/mnt/cache:/=ro unionfs /mnt/union fi if [ -n "$(mount -t unionfs | grep -w /mnt/union )" ]; then # basic system mounts if [ -z "$(mount | grep -w /mnt/union/dev)" ]; then sudo /bin/mount --bind /dev /mnt/union/dev 2> /dev/null fi if [ -z "$(mount -t devpts | grep -w /mnt/union/dev/pts)" ]; then sudo /bin/mount -t devpts devpts /mnt/union/dev/pts 2> /dev/null fi if [ -z "$(mount -t tmpfs | grep -w /mnt/union/dev/shm)" ]; then sudo /bin/mount -t tmpfs shm /mnt/union/dev/shm 2> /dev/null fi if [ -z "$(mount -t sysfs | grep -w /mnt/union/sys)" ]; then sudo /bin/mount -t sysfs sysfs /mnt/union/sys 2> /dev/null fi if [ -z "$(mount -t proc | grep -w /mnt/union/proc)" ]; then sudo /bin/mount -t proc proc /mnt/union/proc 2> /dev/null fi if [ -z "$(mount | grep -w /mnt/union/tmp)" ]; then sudo /bin/mount --bind /tmp /mnt/union/tmp 2> /dev/null fi else echo "Mount of /mnt/union failed." exit 2 fi } function umount_unionfs { # # unmount /tmp # if [ -n "$(mount | grep -w /mnt/union/tmp)" ]; then sudo /bin/umount /mnt/union/tmp 2> /dev/null fi # # unmount /proc # if [ -n "$(mount -t proc | grep -w /mnt/union/proc)" ]; then sudo /bin/umount /mnt/union/proc 2> /dev/null fi # # unmount /sys # if [ -n "$(mount -t sysfs | grep -w /mnt/union/sys)" ]; then sudo /bin/umount /mnt/union/sys 2> /dev/null fi # # unmount /dev/shm # if [ -n "$(mount -t tmpfs | grep -w /mnt/union/dev/shm)" ]; then sudo /bin/umount /mnt/union/dev/shm 2> /dev/null fi # # unmount /dev/pts # if [ -n "$(mount -t devpts | grep -w /mnt/union/dev/pts)" ]; then sudo /bin/umount /mnt/union/dev/pts 2> /dev/null fi # # unmount /dev # if [ -n "$(mount | grep -w /mnt/union/dev)" ]; then sudo /bin/umount /mnt/union/dev 2> /dev/null fi if [ -n "$(mount | grep -w /mnt/union )" ]; then sudo /bin/umount /mnt/union 2> /dev/null fi } mount_unionfs # enter the chroot sudo /usr/sbin/chroot /mnt/union /bin/su --shell /bin/bash --login $USER # umount temporary filesystems umount_unionfs EOF

Add the new loginshell to the /etc/shells file. You'll have to do this when PAM will check the shell.

Create user and group.

Create a new group and user with this script as shell:

 
groupadd -g 27 uniongroup

useradd -c "Test user for chrooted union." -d /home/unionuser -m -s /bin/chroot-union -g uniongroup -u 27 unionuser
passwd unionuser

Give the user enough rights

Give the new user more rights with sudo. Add the following line to the configurationfile of sudo, /etc/sudoers:

 
unionuser ALL=(ALL) ALL

note: there are other ways to give this user the permissions. I'm looking at them at this moment.
note: giving these full permissions is too much for a normal user. But for a user which will install software and modify your system it's necessary.

What is possible

Safe and secure environment for normal users
This construction is very suitable for guest users, which you cannot trust. The first thing I'v tried is starting a graphical session. I did not have any problem.

Install sotware as this user
Another possible use is the installation of software as this user. This can be done as follows:
- as this user install your software. Because of the special construction, all the changes go to the cache.
- after logging out, compare the contents of the cache with the real system.
- the controlling user (root) has the choice to do the real install by simply moving the contents from the cache to the root

TODO

This website is not complete yet. The things that belong here are:
- give some examples