Adventures in chroot!

20180930

So, it is likely an obvious thing for some of you, but you can set up a chroot so you can ssh into it. Since I made the gosher chroot live, I have been kludging scripts together and copying Phlog updates to the chroot directory from outside. Now there is one script that git pushes and then ssh's into the chroot, git pulls and builds the atom feed. I am very happy with this! I also resumed scp'ing to sdf, but now all links point to 1436.ninja...

To pull this off I made a user on RPoD with the same name as my chroot user: gopher. User gopher on "real" RPoD is UID 1002 so I chrooted and

sudo usermod -u 1002 gopher

followed by

cd /var/gopher; sudo chown -R gopher:gopher *

So now the gopher root is owned by gopher who is now UID 1002. I squared away the ~/.ssh key for user gopher on "real" RPoD, because this is the user we are going to ssh into.

The magic is in /etc/ssh/sshd_config on RPoD (not in the chroot):

Match User gopher
    ChrootDirectory /gopher
    AllowTCPForwarding no
    X11Forwarding no

/gopher is the chroot root. So now ssh gopher@rpod takes me into the chroot from in my network (no port forwarding to RPoD for ssh). The chroot on RPoD is a full Debian debootstrap, with its own software installations and full directory structure (some bind'ed).
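As an added example (not part of the original post), here is a POSIX sh script that checks the two things an sshd chroot like this depends on: sshd only honours ChrootDirectory when the directory and every parent are owned by root and not writable by group or others, and the user's UID must agree between the host's and the chroot's /etc/passwd (the reason for the usermod above). The paths /gopher and /etc/passwd come from the post; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original phlog: sanity checks for an sshd
# ChrootDirectory setup like the one above. Two things commonly break it:
#  1. sshd refuses to chroot unless ChrootDirectory and every parent directory
#     are owned by root and not writable by group or others.
#  2. The user needs the same UID in the host's and the chroot's /etc/passwd,
#     otherwise files created on one side belong to a stranger on the other.

# component_ok UID OCTAL_MODE -> 0 if root-owned and not group/other-writable.
# Takes the values as arguments so it can be exercised without real directories.
component_ok() {
    uid=$1 mode=$2
    [ "$uid" = 0 ] || return 1
    oth=${mode#"${mode%?}"}            # last octal digit: other
    rest=${mode%?}
    grp=${rest#"${rest%?}"}            # second-to-last octal digit: group
    case "$grp$oth" in
        *[2367]*) return 1 ;;          # write bit (2) set in either digit
    esac
    return 0
}

# check_chroot_path DIR -> reports each offending component, returns 1 if any.
check_chroot_path() {
    d=$1 rc=0
    while [ -n "$d" ] && [ "$d" != / ]; do
        # stat -c is GNU coreutils (Debian): %u owner uid, %a octal mode
        if ! component_ok $(stat -c '%u %a' "$d"); then
            echo "sshd will reject this chroot: $d must be root-owned, mode 755 or tighter" >&2
            rc=1
        fi
        d=$(dirname "$d")
    done
    return $rc
}

# uid_from_passwd USER < passwd_file -> prints the UID, nothing if absent.
uid_from_passwd() { awk -F: -v u="$1" '$1 == u { print $3; exit }'; }

# uids_match USER CHROOT_DIR -> 0 if host and chroot passwd agree on the UID.
uids_match() {
    host=$(uid_from_passwd "$1" < /etc/passwd)
    inside=$(uid_from_passwd "$1" < "$2/etc/passwd")
    [ -n "$host" ] && [ "$host" = "$inside" ]
}

# For the layout in the post: check_chroot_path /gopher && uids_match gopher /gopher
```

If the ownership check fails, sshd refuses the login and logs "bad ownership or modes for chroot directory component" to auth.log; `sshd -t` only validates the config syntax and will not catch it.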

This all seems very clean to me, at least very much cleaner than before. Everything is isolated and only 80/443/70/7070 make it to the outside net. I plan on removing the httpd from "real" RPoD next and moving it into the chroot as well. Maybe I'll use a bash based httpd as well. Just to host something simple and static... my current www site just says "use gopher" so it doesn't get much simpler than that.