[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: init, pivot_root, chroot, etc ...

e-bone <ebone@DotsAndLoops.net> writes:

> Hi,
> this question does not pertain specifically to debian-boot,
> but it deals with things which i think the readers of this list have a
> particular knowledge of, so here goes:
> 
> My main root partition is /dev/hda2, and it is encrypted via ppdd.
> I have a "maintenance"/"fake" root partition at /dev/hda6.
> 
> Right now my system boots to an initrd, which runs a linuxrc written by
> the ppdd author which basically prompts you for a password, mounts the
> "real" root, and then for its finale does a pivot_root/chroot to the
> encrypted partition via a 'exec chroot . sh -c "exec init"'.
> 
> or something like that.
> 
> i've been banging my head against the wall trying to figure out a way to
> "inject" a sshd in there somewhere, so you can enter your passwords over
> the net. (i'm aware of the security implicatation, but it would be nice
> for emergency situations).

Write yourself a little init program (or script) that will setup
networking, fork a tty with passwd prompt and sshd and wait for
a signal to continue.

Either the tty password prompt or sshd follow up process (the users
shell is probably best there) mount the partition and signal your
init.

Your init then shuts everything down (kill the tty and sshd),
pivot_root, chroot exec init.

> I've tried:
> 1
> calling cryptcat in the linuxrc script. this works, but then i can't
> enter passwords at the tty ! apparently signals (ctrl-c) cannot be caught in
> the linuxrc script either ? i tried a script that catches this signal
> then asked for the passwords from the tty.

You have to enable the signals first. Check the shell docs.

> 2
> just booting into a stripped down (single user like) mode.
> then executing a script to mount the encrypted partition, and doing a
> "exec chroot . sh -c 'exec init 3'".
> init doesn't like this cause it is not PID 1.
> it can't talk to this pipe /dev/initctl in the chroot environment i
> guess. Could I make a symbolic link from the chroot'ed /dev/initctl
> file to the original /dev/initctl you think ?
> 
> I've also thought about just running minit in the chroot environment.
> I was thinking, since all programs are either started from a tty or from
> ssh, if i just ran minit and spawned some gettys and started up sshd,
> then all processes would inherit this new chroot environment.

The fake init program/script has to exec th real init. init realy
wants to be pid 1.

> 3
> Interestingly, if i boot into single user mode, and then execute the
> change_to_encrypted_root script, init is not bothered.
> this is no doubt because of the "wait" in the inittab (i think).
> ~~:S:wait:/sbin/sulogin
> 
> somehow i don't think ~~:S:wait:/usr/sbin/sshd would work ...
> %^)
> 
> Is there any reason not to use minit as a sort of "sub" process root ?
> I noticed a lsof shows init still "rooted" to the old root (now at
> /mnt/hda6/sbin/init). Is there anything amatter with this ?

The fake init will still run on the old root and block the device.

MfG
        Goswin
Reply to: