Chrooted Shells in Debian GNU/Linux
Jani Reinikainen
21 March 2003

Introduction
NOTE: This document is incomplete and nowadays outdated.
I didn't like the idea of statically compiling everything for my users
(well, actually I didn't like the idea of compiling at all, since I was running
Debian GNU/Linux, which is famous for its package management system). That's
why I wrote this mini-howto on how to provide your users with secure, chrooted
shell accounts that can be updated with apt-get. Currently there
are two ways to create a new base system, because the Woody base system is no
longer distributed as a single file, but as packages.
Old style: Potato and older
First, create a temporary chrooted directory.
# mkdir chrooted
# cd chrooted
# wget <mirror>/debian/dists/stable/main/disks-<platform>/current/base2_2.tgz
# tar xfvz base2_2.tgz
# cp /etc/apt/sources.list etc/apt/
# cp /etc/resolv.conf etc/
# chroot `pwd` bin/sh
New style: Woody and newer
If you are running Debian Woody, install the base system like this (here I'm installing a Woody base system, but you could just as well install Sid):
# apt-get install debootstrap
# mkdir chrooted
# /usr/sbin/debootstrap woody chrooted ftp://ftp.fi.debian.org/debian
# chroot chrooted
# apt-setup
# vim /etc/apt/sources.list
Change "stable" to "woody" in /etc/apt/sources.list.
Configuring the chroot
Now that we are in the chrooted environment, we need to get the newest file list for it.
# apt-get update
Mount the proc filesystem, so that we avoid errors when installing/removing packages.
# mount proc -t proc /proc
Install the programs you wish to provide to your users.
# apt-get install vim wget lftp ncftp traceroute netkit-ping mutt bitchx \
    telnet ssh eggdrop mysql-client mysql-common mysql-server muh whois host
Let's get rid of everything unnecessary, first packages (you can get a list of installed packages with dpkg -l), then directories.
# apt-get remove syslinux setserial pump procps pppconfig ppp pcmcia-cs \
    pciutils modutils modconf mbr makedev lilo libwrap0 fdutils fbset \
    fdflush pppoe pppoeconf manpages man-db ipchains iptables info
Okay, now we have our chrooted environment with the programs we want to provide installed. However, there is a lot of unnecessary stuff here, too. Generally users don't need manual or info pages in their chrooted shells. If you wish to provide them, place them, for example, on a website. This way you'll save lots of disk space. First, remove the manual pages and root executables generated by the above install. (It might be a good idea to make a copy of this environment to fall back to before you start deleting stuff, since this effectively breaks apt and dpkg. This way you won't have to start from the beginning if you happen to delete something critical.)
# rm -r home/ boot/ cdrom/ floppy/ mnt/ root/ initrd/ usr/X11R6/ usr/games/
# rm -r usr/local/games/ dev/ usr/doc/ usr/info/ usr/man/ usr/local/man/
# rm -r sbin/ usr/sbin/ usr/share/doc/ usr/share/man/ usr/share/doc-base/
# rm -r etc/rc* etc/ppp/ etc/exim/ etc/modutils etc/pcmcia
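An added example, not from the original howto: a POSIX shell script that wraps the Woody-style build steps above into one function and adds a read-only check to run against the finished chroot directory before handing out accounts. It assumes debootstrap and chroot are installed for the build part; the check functions need only a directory path, and the suite, directory and mirror are parameters.

```shell
#!/bin/sh
# Added example, not from the original howto: the Woody-style steps above as one
# function plus a read-only check of the finished chroot. 'build' assumes
# debootstrap and chroot are installed; the check functions need only a directory.
set -u

# build_chroot SUITE DIR MIRROR: the howto's debootstrap steps as one function.
build_chroot() {
    suite=$1; dir=$2; mirror=$3
    mkdir -p "$dir"
    /usr/sbin/debootstrap "$suite" "$dir" "$mirror"
    # Pin apt to the requested suite instead of editing sources.list by hand.
    printf 'deb %s %s main\n' "$mirror" "$suite" > "$dir/etc/apt/sources.list"
    cp /etc/resolv.conf "$dir/etc/"
    # proc must be mounted inside the chroot or package install/remove will error.
    chroot "$dir" mount proc -t proc /proc
    chroot "$dir" apt-get update
}

# apt_suite DIR: print the suite of the first "deb" line in the chroot's sources.list.
apt_suite() {
    awk '$1 == "deb" { print $3; exit }' "$1/etc/apt/sources.list"
}

# count_setuid_files DIR: number of setuid/setgid regular files inside the chroot.
# Each one is worth reviewing before users get shells there.
count_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# check_chroot DIR: print findings; succeed only when there are none.
check_chroot() {
    dir=$1; problems=0
    echo "apt suite: $(apt_suite "$dir")"
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) | while read -r f; do
        echo "setuid/setgid: ${f#$dir}"
    done
    if [ "$(count_setuid_files "$dir")" -ne 0 ]; then problems=$((problems + 1)); fi
    # The howto removes dev/ wholesale; most programs still need /dev/null.
    if [ ! -c "$dir/dev/null" ]; then
        echo "missing: /dev/null (recreate it before giving out accounts)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
case "${1:-}" in
    build) build_chroot "$2" "$3" "$4" ;;
    check) check_chroot "$2" ;;
esac
```

Run it as `sh chroot-tool.sh check /path/to/chrooted` after the rm -r steps; a non-zero exit means at least one finding was printed.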