Bug#685034: ischroot fails to detect if it is running in a chroot

Mon, 26 Aug 2013 11:51:43 -0700 

Emmanuel Kasper wrote:
> I think the root issue (if you allow me the pun) is that you didn't
> mount /proc in your chroot.

There is no requirement to mount /proc or /sys or /dev/pts anything
else in a chroot.  Having /proc mounted does not make it a chroot.  It
is a chroot without too.

Also when dealing with a large number of dynamically managed chroots
it is a burden to also need to mount an unspecified collection of
things like /proc too.  This has never been required previously.  I
think it is unreasonable for ischroot to create this requirement.

>  * /sbin/init's. This may fail if not running as root or if
>  * /proc is not mounted, in which case 2 is returned.
> ...

I applaud ischroot for returning an error exit code in the case that
it cannot make a determination.  That was the right thing to do.

The real problem is that since this utility appeared other packages
have started to use it.  Unfortunately some have used it incorrectly.
The sysvinit package started the problem but has since been fixed.
This caused me problems during Squeeze->Wheezy upgrades in chroots.  I
see that at this moment libc6 is still buggy.

    if ischroot 2>/dev/null; then

That does not take into consideration exit code 2.

> The man page should mention this requirement though.

Additionally I will facetiously joke that the program should be
renamed to ischroot_and_proc too.

But if ischroot can actually make the correct determination then I
think that is better.  The program is heuristic based.  (Meaning that
it just makes some guesses based upon programed rules.)  I think that
if /proc is not mounted such that its primary criteria is unavailable
that it should fall back to checking if "/" is inode 2.  If so then I
think it can safely guess that it is in a chroot.  This is still not
100% for all cases.  Someone might make an lvm volume for each chroot
in which case "/" would still be inode 2.  But it would be one large
step closer than it is now.

If I can squeeze some time I will try to prepare a patch.  Thank you
for generating activity in this bug and bringing it back to my
attention.

Bob

Attachment: signature.asc
Description: Digital signature

Reply via email to