قالب وردپرس درنا توس
Home / Tips and Tricks / What is chroot on Linux and how do you use it? – CloudSavvy IT

What is chroot on Linux and how do you use it? – CloudSavvy IT

The chroot Linux tool can modify the working root directory of a process, restricting access to the rest of the file system. This is usually done for security, containerization or testing and is often called a “chroot prison”.

What does chroot do?

Chroot does one thing – executes a command with a different root directory. The command that is run has no idea that something outside the prison exists, because it has no links to it, and as far as it is aware, it is run on the root file system anyway. There̵

7;s nothing above root, so the command cannot access anything else.

Chroot does not make any changes to your disk, but it can make it look that way from the processes running under it. Chrooting a process accomplishes the same thing as changing the assembly namespace of a process, but does so at a higher level than modifying the namespace.

What is chroot used for?

The main point chroot used for is to unlock system daemons so that any security issues in the daemons do not affect the rest of the system. For example, Postfix, an e-mail agent, can be configured to run in a rooted environment with limited access to the directories it uses to communicate with the system. In this way, if there is a bug in Postfix, it affects Postfix and nothing else.

This is quite useful for a service like FTP. If you want to offer remote users access to parts of your system, rooting the process is an easy way to lock access.

It is also useful as a “budget container” for creating a subset of your operating system and running apps in an isolated environment, whether for testing, security or simple development. But because chroot requires you to manually copy over program dependencies to jail, it is not suitable for everything. A process that needs to access and interact with user-level resources does not work well in a chroot jail or requires additional configuration that can make the entire installation more insecure. But even complicated apps like Apache and MySQL can be run in a rooted environment with all dependencies reported.

While a chroot prison is an extra layer of security, chroot should not be your only security tool. Breaking out of a jail can be relatively trivial if it is not configured correctly, and a chroot jail only changes the mounting location and does not affect the other namespaces. For better security, use namespaces or a container engine like Docker.

Sends processes to jail

To open a shell in a jailed directory, you can run:

sudo chroot /jail

However, the command fails with a newly created one /jail catalog, then chroot will try to load bash from /jail/bin/bash. This file does not exist, which is the first problem with chroot– you have to build the prison yourself.

For some things, copy them with cp is enough:

cp -a /bin/bash /jail/bin/bash

But this is only copied over the bash-driveability, and not all its addictions, which are not in our prison yet. You can list dependencies for bash with ldd command:

ldd $(which bash)
	linux-vdso.so.1 (0x00007ffd079a1000)
	libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f339096f000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f339076b000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f339037a000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3390eb3000)

You can copy them manually:

cp /lib/x86_64-linux-gnu/libtinfo.so.5 /jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libdl.so.2 /jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libc.so.6 /jail/lib/x86_64-linux-gnu/
cp /lib64/ld-linux-x86-64.so.2 /jail/lib64/

But this will be a big hassle to do for every command you might want to run under chroot. If you do not care about your chroot access to your actual lib and bin directories (without access to the rest of the system) you can use mount --bind to provide a link in your prison:

mount --bind /bin /jail/bin
mount --bind /lib /jail/lib
mount --bind /lib64 /jail/lib64

You can also just copy all over /bin and /lib directories, which use more space, but can be a little better for security, especially if you use chroot to run insecure processes that you do not want to touch with system folders.

Now that everything is copied, you should be able to drive again sudo chroot /jail to open bash. Alternatively, you can run another command by running:

sudo chroot /jail command

If you run processes through chroot bash, you can leave the shell with exit or Control + D, which stops the ongoing process. Processes that are run in prison are run in their own environment and do not have access to other processes in the system.

Can the process escape from prison?

Not easy, unless they run as root. Chroot does not block access to low-level system resources (which require root to access), and as such, a privileged process can easily escape from a jail.

It is possible for non-privileged processes to break out completely with the method chdir("..") and another call to chroot. If you are really focused on security, you should let go of access chroot(2) system call, or use the fork jchroot, which automates this extra security feature.

chroot is not a bulletproof security tool, as it is not completely containerized and should not be seen as a firewall that saves your system from attackers. But unless a trial specifically tries to get out of a chroot jail, chroot achieves its job of splitting your file system for most processes and can be configured with additional security measures to block the most important escape methods.

Source link