How to achieve the effect of chroot in userspace in Linux (without being root)?
The solution must probably be based either on ptrace or namespaces (unshare).
ptrace-based solutions are probably less efficient then namespaces/unshare-based (but the latter technology is cutting-edge and is not well explored path, probably).
ptrace-based
UMView
As for ptrced-based solutions, thanks to the comments at https://stackoverflow.com/a/1019720/94687, I've discovered UMView:
- http://wiki.virtualsquare.org/wiki/index.php/ViewFS
- http://wiki.virtualsquare.org/wiki/index.php/Virtual_installation_of_software
The linked docs describe how to have a "copy-on-write view" of the host fs -- that's not exactly like performing a chroot. Exact intructions on how to achieve /-substitution in umview would be nice to have in an answer to my question (please write one if you figure out how to do this!).
umview must be open-source, because it is included in Ubuntu and Debian -- http://packages.ubuntu.com/lucid/umview.
"Confining programs"
Another implementation is described in http://www.cs.vu.nl/~rutger/publications/jailer.pdf, http://www.cs.vu.nl/~guido/mansion/publications/ps/secrypt07.pdf.
They have a change-root-ing policy rule, CHRDIR, whose effect is similar to chroot. (Section "The jailing policy")
However, they might have not published their source code (partially based on a modified strace http://www.liacs.nl/~wichert/strace/ -- Section "Implementation")...
geordi
Geordi (http://www.eelis.net/geordi/, https://github.com/Eelis/geordi) could probably be modified to make the wanted rewriting of file arguments to system calls in the jailed programs.
proot
PRoot is a ready to use ptrace-based tool for this. http://proot.me/:
chroot equivalent
To execute a command inside a given Linux distribution, just give proot the path to the guest rootfs followed by the desired command. The example below executes the program cat to print the content of a file:
proot -r /mnt/slackware-8.0/ cat /etc/motd Welcome to Slackware Linux 8.0
The default command is /bin/sh when none is specified. Thus the shortest way to confine an interactive shell and all its sub-programs is:
proot -r /mnt/slackware-8.0/ $ cat /etc/motd Welcome to Slackware Linux 8.0
unshare-based
user_namespaces support in the Linux kernel has got more mature since when the question was asked. Now you can play with performing a chroot
as a normal with the help of unshare
like in Simulate chroot with unshare:
unshare --user --map-root-user --mount-proc --pid --fork
chroot ......
su - user1