Using chroot and cwd in sudo

Starting with sudo 1.9.3, you can change both the root directory and the working directory within sudo itself. Neither option is enabled by default; you need to explicitly enable them in the sudoers file. When enabled, you can pin the target directory or allow your users to choose the directory themselves. The logs record when these settings have been used.

Before you begin

These new features were introduced in sudo version 1.9.3. There is a good chance that your operating system includes an older version of sudo. You can download ready-to-use binaries for many different operating systems directly from the sudo website or you can build sudo from source yourself.

Using chroot

On most systems, chroot is only available to root. If one of your users needs chroot, you have to give them root access, which grants a lot more than just chroot. Alternatively, you can allow access to the chroot command through sudo, but that still leaves loopholes: a user who can run chroot as root on a directory they control can place their own binaries there and gain full access. With the built-in chroot support of sudo, you can easily restrict it to a single directory. You can also give users the flexibility to specify the root directory themselves. Of course, this can also lead to disasters (sudo --chroot / -s simply gives the user a root shell on the real root), but at least the event is logged:

Sep 24 15:58:55 centos7sudo sudo[8149]:   czanik : TTY=pts/0 ; CHROOT=/ ; PWD=/home/czanik ; USER=root ; TSID=00001G ; COMMAND=/bin/bash

Chroot is not enabled by default by sudo. It needs to be explicitly enabled in the sudoers file. The following Defaults statement enables a specific chroot directory for users in the wheel group:

Defaults:%wheel runchroot=/var/lib/mock/epel-7-x86_64/root

Note that if chroot is enabled with a directory parameter, any command the given user tries to run will be executed inside that chroot, so the command and the libraries it needs must exist under that directory. You can give your users more flexibility by using a * (star) instead of a directory name:

Defaults:%wheel runchroot=*

In this case the user can specify the directory to chroot to. Be aware that a user who may pick any directory can point sudo at a tree they populated themselves, for example with their own /bin/bash, and run it as root; treat runchroot=* as equivalent to full root access. The directory can be specified using sudo's -R or --chroot option, which was introduced in version 1.9.3:

sudo --chroot /var/lib/mock/epel-7-x86_64/root -s

Changing the working directory

When you run a command through sudo, the command inherits the working directory you invoked sudo from. This is the expected behavior, but there are cases where the command needs to run in a different directory. For example, I recall an application that checked my privileges by checking whether my working directory was /root, a directory regular users normally cannot enter. Instead of starting a root shell through sudo, you can now work around this by setting the working directory with sudo's -D or --chdir option:

[czanik@centos7sudo ~]$ sudo --chdir /root pwd
/root

Changing the working directory is not enabled by default by sudo. It needs to be explicitly enabled in the sudoers file. The following Defaults statement forces a specific working directory for users in the wheel group:

Defaults:%wheel runcwd=/var/lib/mock/epel-7-x86_64/root

Note that if cwd is enabled with a directory parameter, any command the user tries to run is executed with that working directory, whatever directory they invoked sudo from. You can give your users more flexibility by using a * (star) instead of a directory name:

Defaults:%wheel runcwd=*

In this case the user can specify the working directory, just like in our first example, where it was set to /root.
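Both the chroot and the working-directory settings above are shown as group-wide Defaults. Since 1.9.3 sudoers also accepts CHROOT= and CWD= on an individual rule, which lets you bind the directory to one command instead of to everything a group runs. The script below is an added example, not code from the sudo project or this post: it renders such a drop-in (the weak runchroot=* variant is left in as a comment for contrast) and only installs it after visudo has accepted it, because a syntax error under /etc/sudoers.d can lock every administrator out of sudo. The group name mock, the drop-in name and the mock build root are assumptions; it must be run as root so the temporary file is root-owned when visudo checks it.

```shell
#!/bin/sh
# Added example (not from the sudo project): a sudoers drop-in that binds
# chroot and working directory to specific commands, plus a safe install.
# Assumptions (hypothetical): group "mock", build root under /var/lib/mock,
# drop-in name passed as $1. Requires sudo >= 1.9.3 for CHROOT= and CWD=.
set -eu

# Print the sudoers fragment on stdout.
render_sudoers() {
    cat <<'EOF'
# Weak: any command a member of mock runs may pick ANY root directory.
# A user who controls the chosen tree controls the /bin/bash that runs as root.
# Defaults:%mock runchroot=*

# Narrow: only a shell, and only inside this one build root.
Cmnd_Alias MOCK_SHELL = /bin/bash, /bin/sh
%mock ALL = (root) CHROOT=/var/lib/mock/epel-7-x86_64/root MOCK_SHELL

# Working directory bound to a single command (CWD=) instead of runcwd=*.
%mock ALL = (root) CWD=/root /usr/bin/pwd
EOF
}

# Validate with visudo before installing. Returns non-zero when the
# check cannot be performed or fails, so nothing lands in /etc/sudoers.d
# unvalidated. Run as root: the temp file must be root-owned, mode 0440.
install_sudoers_dropin() {
    name=$1
    tmp=$(mktemp)
    render_sudoers > "$tmp"
    chmod 0440 "$tmp"
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; refusing to install $name unvalidated" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! visudo -c -q -f "$tmp"; then
        echo "$name failed the visudo check; not installed" >&2
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
    rm -f "$tmp"
}

# Usage on the target host (as root):
# install_sudoers_dropin 50-mock-chroot
```

With the narrow rule a member of mock runs plain sudo /bin/bash and lands in the build root; there is no -R option for them to point elsewhere.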

Logging

As usual, sudo logs both successful runs and attempts by users who lack permission to run a command. Here is a successful run of sudo using the --chroot option. Note that the root directory was set to /, so the user gained full access to the system:

Sep 24 15:58:55 centos7sudo sudo[8149]:   czanik : TTY=pts/0 ; CHROOT=/ ; PWD=/home/czanik ; USER=root ; TSID=00001G ; COMMAND=/bin/bash

And here is a failure, when the given user did not have permission to use the --chroot option:

Sep 25 08:43:32 centos7sudo sudo[2640]:   czanik : user not allowed to change root directory to /an/interesting/directory ; TTY=pts/0 ; CHROOT=/an/interesting/directory ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/bash
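The two log lines above are what a detection rule has to key on: the CHROOT= field of a successful run and the "user not allowed to change root directory" message of a denied one. The following shell function is an added example, not part of this post or of sudo: it reads sudo syslog lines and reports a chroot to the real root, a chroot to any directory outside an assumed allow-listed build tree (/var/lib/mock/, a hypothetical site policy), and denied attempts. The sample log lines are constructed for the example, following the format shown in this post.

```shell
#!/bin/sh
# Added example (not from the sudo project): flag suspicious chroot use in
# sudo's syslog lines. Assumptions (hypothetical): the only legitimate
# chroot trees live under /var/lib/mock/; anything else is reported.
set -eu

ALLOWED_CHROOT_PREFIX='/var/lib/mock/'

# Read sudo log lines on stdin; print one alert line per suspicious entry.
scan_sudo_log() {
    while IFS= read -r line; do
        case $line in
            *' user not allowed to change root directory to '*)
                printf 'DENIED chroot: %s\n' "$line" ;;
            *'CHROOT=/ ;'*)
                # chroot to the real root: the user simply got a root shell
                printf 'ESCAPE chroot=/: %s\n' "$line" ;;
            *'CHROOT='*)
                dir=${line#*CHROOT=}
                dir=${dir%% ;*}
                case $dir in
                    "$ALLOWED_CHROOT_PREFIX"*) ;;   # expected build root
                    *) printf 'UNEXPECTED chroot=%s: %s\n' "$dir" "$line" ;;
                esac ;;
        esac
    done
}

# Constructed sample log (not captured from a real system).
sample_log() {
    cat <<'EOF'
Sep 24 15:58:55 host sudo[8149]:   czanik : TTY=pts/0 ; CHROOT=/ ; PWD=/home/czanik ; USER=root ; TSID=00001G ; COMMAND=/bin/bash
Sep 24 16:01:10 host sudo[8201]:   czanik : TTY=pts/0 ; CHROOT=/var/lib/mock/epel-7-x86_64/root ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/bash
Sep 24 16:05:42 host sudo[8230]:   czanik : TTY=pts/0 ; CHROOT=/home/czanik/fakeroot ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/bash
Sep 25 08:43:32 host sudo[2640]:   czanik : user not allowed to change root directory to /an/interesting/directory ; TTY=pts/0 ; CHROOT=/an/interesting/directory ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/bash
Sep 25 09:00:00 host sudo[2700]:   czanik : TTY=pts/0 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/systemctl status sshd
EOF
}

# Number of alerts raised on the sample: 3 (escape, unexpected tree, denied).
count_alerts() {
    sample_log | scan_sudo_log | wc -l | tr -d ' '
}

# Usage: scan_sudo_log < /var/log/secure
```

The chroot into the mock build root and the plain systemctl run produce no alert; the other three lines each produce one. On a real host feed the function the file your syslog writes sudo messages to, or pipe from journalctl.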

If you would like to be notified about new posts and sudo news, sign up for the sudo blog announcement mailing list.