Home / ubuntu / Questions / 745811
Accepted
john smith
Asked: 2016-03-15 04:46:28 +0800 CST

Does Chroot'ing onto a Ubuntu Machine Give You Root?

  • 772

If you were to use a Ubuntu live USB, and do the commands below. Is this literally just giving you root access to the drive?

sudo mount /dev/sda1 /mnt
sudo chroot /mnt
chroot

4 Answers

  1. Best Answer

    Physical access is root access as Zacharee1 indicates. This is why people with sensitive data restrict physical access.

    To break you commands down a bit though, mounting the drive is what prepares the file system and gives you access.

    sudo mount /dev/sda1 /mnt

    After that mount command you can access all unencrypted data on /dev/sda1

    ls /mnt
cp /mnt/some_data /your_usb

    etc

    A work of caution, if someone had physical access encryption may not be sufficient to protect the data as people can leverage physical access to break the encryption, "Evil Maid" is but one example, see https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html

    The chroot command switches so that now you are running commands as if /dev/sda1 is mounted at / or root, assuming /dev/sda1 is a valid root file system and not /home or a data partition.

    The chroot command has many uses above and beyond data access.

    So after the chroot command, the commands you run in the shell now affect /dev/sda1. So if you change the password or system configuration, it affects /dev/sda1 and not the usb.

    so, for example, if you run

    passwd

    the password you set affects the root user on /dev/sda1 and not root on the usb.

    Some virtualization, Openvz and LXC for example, are similar to a chroot but have additional features.

    For additional information on chroot see

    https://help.ubuntu.com/community/BasicChroot

    • 8

  2. Unless the filesystem is encrypted, you have full access to every file on an offline drive (i.e. from the LiveUSB). You can do whatever you want without having any user's password from that OS.

    The LiveUSB method is one of the most popular ways to bypass passwords on both Windows and Linux, as it allows a user to set a local administrator password in Windows and a root password in Linux by replacing files or running some commands.

    It's pretty great, as long as you're the one with hardware access and not someone you don't trust.

    EDIT:
    Thanks to bodhi.zazen I now know that, even with encryption, you can gain access to a filesystem. You do need the unwitting interaction of someone who knows the encryption key, but it's still a method for access.

    Read about it here: https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html

    EDITEDIT:
    Apparently there are a lot of ways to access encrypted filesystems.
    https://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html

    I guess the lesson here is don't give people your hard drive.

    • 6

  3. Chroot is not what gives you root, sudo is. Most livecds have sudo configured such that the default user on the livecd has unrestricted no-password sudo access. Typing "sudo bash" instead would have given you just the same permissions but with a different view of the filesystem.

    So yes if you can boot a livecd and the hdd is not encrypted you can easilly buypass any file permissions and read/wite whatever you like but chroot is not what enables that, booting the livecd which contains a system on which you can trivially get root is.

    • 3

  4. Let us say you are asking the following question: "If I gave somebody permission to run sudo chroot /mnt" can they get root on the host?" The answer to that question is yes.

    Besides the obvious hard way involving mknod(), there's an easy way if they can get a compiler:

    #include <fcntl.h>
#include <unistd.h>
int main() {
    int n = open("/", 0);
    chroot("/bin");
    fchdir(n);
    chdir("..");
    chroot(".");
    execve("/bin/sh", "/bin/sh");
}

    Chroot jails do nothing if the attacker has root.

    • 1