[sudo-users] sudo in chroot with chmod 750 /

Steve Brueckner steve at atc-nycorp.com
Tue Feb 22 13:41:11 EST 2005


I'm trying to use sudo in an unusual situation:
 - inside a chrooted directory
 - to decrease privilege from root to a regular user
 - with the chrooted directory at chmod 750 instead of 755

I can use sudo in such a way when the chrooted directory is chmod 755, but
when I chmod it to 750 I get the following error:

(This command is run inside chroot)
# sudo /home/steve/eclipse/eclipse
sudo: can't open /etc/sudoers: Permission denied
can not chdir (/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.

Same thing happens when I try this:
# sudo -u steve /home/steve/eclipse/eclipse
But I'm trying to tell root to run eclipse as steve in sudoers instead of on
the command line.

I need the chrooted directory at chmod 750, since I'm using it not so much
as a jail but as a separate protection domain.

I've Googled around, and all the problems people have with sudo and
/var/spool/clientmqueue are related to sendmail.  But I'm trying to run
Eclipse, not sendmail, so I've got to wonder why sudo even tries to go into
the clientmqueue directory.

I also don't understand why permission is denied to /etc/sudoers.  I assume
this is the sudoers file inside the chrooted directory.  I would think that
since I'm starting sudo as root, it would let me read the file.  Only after
I read the sudoers file would I expect to lose my root privilege.

I find that I can simply do this once inside chroot:
# su steve -c /home/steve/eclipse/eclipse
But I don't want su inside of my chrooted directory; that's why I'm trying
to get sudo to work in there.

I use sudo to get into the chroot jail in the first place.  
Here's my "real" sudoers (outside the jail):
root ALL=(ALL) ALL
steve ALL=(root) NOPASSWD: /usr/sbin/chroot

Here's my sudoers inside the jail:
Defaults path_info, !authenticate
Defaults:root runas_default=steve
root ALL=(ALL) ALL
root ALL=(steve) NOPASSWD: /home/steve/eclipse/eclipse

I've got nearly my entire filesystem replicated in the chroot directory,
including passwd, shadow, and sudoers.  These three files also have the same
permissions as the "real" ones.

Any ideas on what is going on are appreciated!

Thanks,

Steve Brueckner, ATC-NY
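An added diagnostic for the "can't open /etc/sudoers: Permission denied" symptom above. It is not code from the post or from the sudo project: it walks every directory on the way to a sudoers file and reports, from mode bits alone, whether a given uid/gid could search it, and it models one rule as an assumption taken from sudo 1.6-era releases (their set_perms(PERM_SUDOERS) step): a root-owned sudoers whose mode has the group-read bit set (the usual 0440) is opened with effective uid 1 rather than 0, so the chroot's root directory must be searchable by a non-root uid, which a 750 root:root directory is not. The sample tree is constructed in a temporary directory, uid/gid 1 is the assumed non-root identity, uid 0 is treated as bypassing the check, supplementary groups are ignored, and GNU stat(1) syntax is assumed.

```shell
#!/bin/sh
# Added diagnostic (not sudo's code). Assumes GNU stat(1) '-c %a %u %g'.
# Runs as any user; no root needed.

# Model of the uid sudo 1.6-era releases use to open sudoers (assumption,
# taken from sudo's set_perms(PERM_SUDOERS)): a root-owned sudoers with the
# group-read bit set (e.g. 0440) is opened as uid 1, otherwise as its owner.
# Arguments: octal mode (3 or 4 digits), owner uid.
sudoers_open_uid() {
    mode=$1 owner=$2
    perms=${mode#"${mode%???}"}        # last three octal digits
    g=${perms#?}; g=${g%?}             # group digit
    if [ "$owner" -eq 0 ] && [ $((g & 4)) -ne 0 ]; then
        echo 1
    else
        echo "$owner"
    fi
}

# Print "yes" if uid $2 with primary gid $3 has the search (x) bit on
# directory $1, else "no". uid 0 is assumed to bypass the check.
can_search() {
    dir=$1 uid=$2 gid=$3
    [ "$uid" -eq 0 ] && { echo yes; return 0; }
    set -- $(stat -c '%a %u %g' "$dir") || return 1
    mode=$1 owner=$2 group=$3
    perms=${mode#"${mode%???}"}
    u=${perms%??}; o=${perms#??}
    g=${perms#?}; g=${g%?}
    if [ "$owner" -eq "$uid" ]; then bits=$u
    elif [ "$group" -eq "$gid" ]; then bits=$g
    else bits=$o
    fi
    if [ $((bits & 1)) -ne 0 ]; then echo yes; else echo no; fi
}

# Walk from / down to the directory holding $1, printing one line per
# directory; return 0 only if uid $2 / gid $3 could search all of them.
check_path() {
    target=$1 uid=$2 gid=$3
    dir=/ rest=${target#/} failed=0
    while :; do
        r=$(can_search "$dir" "$uid" "$gid")
        printf '%-40s %s\n' "$dir" "$r"
        [ "$r" = yes ] || failed=1
        case $rest in */*) ;; *) break ;; esac   # last component is the file
        comp=${rest%%/*}
        rest=${rest#*/}
        dir=${dir%/}/$comp
    done
    return $failed
}

# Constructed sample tree mirroring the post: chroot root at 750, the rest
# at 755, sudoers at 440. Prints the base directory it created.
build_sample_jail() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/jail/etc"
    : > "$base/jail/etc/sudoers"
    chmod 755 "$base"                  # mktemp -d creates it 0700
    chmod 750 "$base/jail"             # the poster's setting for the chroot root
    chmod 755 "$base/jail/etc"
    chmod 440 "$base/jail/etc/sudoers"
    echo "$base"
}

base=$(build_sample_jail)
echo "model: a root-owned 0440 sudoers is opened as uid $(sudoers_open_uid 440 0)"
echo "--- as uid 0 ---"
check_path "$base/jail/etc/sudoers" 0 0 && echo "all directories searchable"
echo "--- as uid 1 / gid 1 ---"
check_path "$base/jail/etc/sudoers" 1 1 || echo "blocked: sudoers unreachable via this path"
rm -rf "$base"
```

The second table is the one to compare against a real chroot: the line for the jail's root directory reads "no" as soon as the chroot root drops world-execute, which is exactly the 750 change the post describes. Raising the directory to 751 (execute only for others) would satisfy the search check without granting read access to its contents.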
