The chroot Linux tool can change the root directory of a process, restricting its access to the rest of the file system. This is usually done for security, containerization or testing, and the result is often called a “chroot jail”.
What does chroot do?
chroot does one thing: it runs a command with a different root directory. The command has no idea that anything outside the jail exists, because nothing inside the jail links to it, and as far as the command is concerned it is running on the root file system anyway. There’s nothing above root, so the command cannot reach anything else.
chroot does not make any changes to your disk, but it can make it look that way from inside the processes running under it. Chrooting a process accomplishes much the same thing as putting it in a separate mount namespace, but does so at a higher level than a namespace does: only the process’s idea of where “/” is changes, nothing else.
What is chroot used for?
The main thing chroot is used for is locking down system daemons, so that a security hole in a daemon does not affect the rest of the system. For example, Postfix, a mail transfer agent, can be configured to run in a chroot with access only to the directories it uses to communicate with the system. That way, if there is a bug in Postfix, it affects Postfix and nothing else.
This is also useful for a service like FTP. If you want to give remote users access to parts of your system, chrooting the process is an easy way to restrict that access to just those parts.
It is also useful as a “budget container” for creating a subset of your operating system and running apps in an isolated environment, whether for testing, security or simple development. But because chroot requires you to copy program dependencies into the jail by hand, it is not suitable for everything. A process that needs to access and interact with user-level resources does not work well in a chroot jail, or needs extra configuration that can make the whole setup less secure. Even so, complicated apps like Apache and MySQL can be run in a chroot as long as all of their dependencies are copied in.
A chroot jail is an extra layer of security, but chroot should not be your only security tool. Breaking out of a jail can be relatively trivial if it is not configured correctly, and a chroot jail only changes what the process sees as the root of the file system; it does not touch the other namespaces, so the jailed process still shares PIDs, the network and user IDs with the rest of the system. For stronger isolation, use namespaces or a container engine like Docker.
Sending processes to jail
To open a shell in a jailed directory, you can run:
sudo chroot /jail
However, the command fails with a freshly created /jail directory, because chroot will try to load bash from /jail/bin/bash. That file does not exist, which is the first problem with chroot: you have to build the jail yourself.
For some things, copying them with cp is enough (the target directory has to exist first):
mkdir -p /jail/bin
cp -a /bin/bash /jail/bin/bash
But this only copies the bash binary itself, not its dependencies, which are not in the jail yet. You can list the dependencies of bash with ldd:
ldd $(which bash)
linux-vdso.so.1 (0x00007ffd079a1000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f339096f000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f339076b000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f339037a000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3390eb3000)
You can copy them by hand (linux-vdso.so.1 is provided by the kernel and has no file to copy), again creating the matching directories first:
mkdir -p /jail/lib/x86_64-linux-gnu /jail/lib64
cp /lib/x86_64-linux-gnu/libtinfo.so.5 /jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libdl.so.2 /jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libc.so.6 /jail/lib/x86_64-linux-gnu/
cp /lib64/ld-linux-x86-64.so.2 /jail/lib64/
But this is a big hassle to do for every command you might want to run under chroot. If you do not mind your chroot having access to your actual bin and lib directories (but still not the rest of the system), you can use mount --bind to expose them inside the jail:
mkdir -p /jail/bin /jail/lib /jail/lib64
mount --bind /bin /jail/bin
mount --bind /lib /jail/lib
mount --bind /lib64 /jail/lib64
Keep in mind that a bind mount is the same files, not a copy: anything the jailed process writes under /jail/bin lands in the real /bin. If the jailed process could ever write there, remount the bind mounts read-only afterwards (mount -o remount,bind,ro /jail/bin, and likewise for the other two).
You can also just copy the whole /bin and /lib directories over, which uses more space but can be a little better for security, especially if you use chroot to run untrusted processes that you do not want touching the system directories.
Now that everything is in place, you should be able to run sudo chroot /jail again and get a bash prompt. Alternatively, you can run another command inside the jail with:
sudo chroot /jail command
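The steps above, copying a binary and then each of the libraries ldd lists for it, can be automated. The script below is an added example written for this article, not the article’s own code or part of any chroot tool: it parses ldd’s output for absolute paths and copies each file into the jail at the same path, following symlinks so the jail holds real files rather than links that point outside it. The jail path /jail and the program names in the usage comment are placeholders, and it assumes a Linux system with a glibc or musl ldd.

```shell
#!/bin/sh
# Added example (not from the original article): build a chroot jail by
# copying a program together with every shared library ldd reports for it.
# Assumes a Linux system with ldd; /jail and the program names are placeholders.
set -eu

# Read ldd output on stdin and print only the absolute paths it mentions:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)   -> the path after =>
#   /lib64/ld-linux-x86-64.so.2 (0x...)                    -> the bare path
#   linux-vdso.so.1 (0x...)                                -> no path, skipped
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# copy_into JAIL FILE: copy FILE to the same path under JAIL, dereferencing
# symlinks so the jail holds the real file (ldd paths are often symlinks).
copy_into() {
    jail=$1; f=$2
    mkdir -p "$jail$(dirname "$f")"
    cp -L "$f" "$jail$f"
}

# jail_add JAIL PROG...: copy each program and its dependencies into JAIL.
# Building the jail needs no root; only the final chroot does.
jail_add() {
    jail=$1; shift
    for prog in "$@"; do
        prog=$(command -v "$prog")   # accept "bash" as well as "/bin/bash"
        copy_into "$jail" "$prog"
        # ldd exits non-zero for static binaries; then there is nothing to copy.
        for lib in $(ldd "$prog" 2>/dev/null | ldd_paths); do
            copy_into "$jail" "$lib"
        done
    done
}

# Usage:
#   jail_add /jail bash ls cat
#   sudo chroot /jail /bin/bash
```

Paths containing whitespace are not handled, which is fine for system libraries. Note that bash itself is still the only thing in the jail; anything the shell calls (ls, cat, ...) has to be added the same way.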
If you run processes from the chrooted bash, you can leave the shell with exit or Ctrl+D, which also stops whatever is still running in it. Processes run in the jail see only the jail’s file system, but chroot on its own does not hide the rest of the system from them: they share the same PID namespace, and if /proc is mounted inside the jail they can see and signal other processes just as before.
Can processes escape from the jail?
Not easily, unless they run as root. chroot does nothing to block access to low-level system resources (which require root anyway), so a privileged process can escape from a jail without much effort.
The classic escape needs the chroot(2) system call, and therefore root (strictly, the CAP_SYS_CHROOT capability): the process creates a subdirectory inside the jail and calls chroot() on it without changing its working directory, which now lies outside the new root; it then walks up with repeated chdir("..") calls until it reaches the real root of the disk and calls chroot(".") there. Unprivileged processes cannot do this, because chroot(2) is refused to them. If you are serious about security, never run anything as root inside the jail, drop access to the chroot(2) system call (for example by dropping CAP_SYS_CHROOT or with a seccomp filter), or use jchroot, a chroot wrapper that automates this extra isolation.
chroot is not a bulletproof security tool: it is not full containerization and should not be seen as a firewall that keeps attackers out of your system. But unless a process specifically tries to get out of the chroot jail, chroot does its job of partitioning your file system for most processes, and it can be combined with additional security measures to block the most common escape methods.
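Because the escape above needs root, and a few other things (a setuid binary, a device node, a world-writable directory) make getting root inside the jail easy, it is worth checking the jail before anything runs in it. The script below is an added example, not part of the original article or of any chroot tool: jail_audit lists those risky objects under a jail directory, and jail_run refuses to enter the jail if any are found, then uses the --userspec option of GNU coreutils chroot to enter as an unprivileged user. The path /jail and the user name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example for this article (not from the original page or any chroot
# tool): audit a jail directory for objects that make privilege gain or escape
# easy, and only enter it as an unprivileged user when the audit is clean.
# /jail and the user name in the usage comment are placeholders.

# jail_audit JAIL: print one finding per line; return 0 if clean, 1 otherwise.
# Paths containing newlines are not handled.
jail_audit() {
    jail=$1
    findings=$(
        # setuid/setgid files: a local root exploit inside the jail leads
        # straight to the root-only chdir("..")/chroot(".") escape
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \) \
            | sed 's|^|setuid/setgid file: |'
        # device nodes: a copy of /dev/sda or /dev/mem is direct host access
        find "$jail" \( -type b -o -type c \) | sed 's|^|device node: |'
        # world-writable directories: the jailed user can plant files there
        find "$jail" -type d -perm -0002 | sed 's|^|world-writable dir: |'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# jail_run JAIL USER CMD...: audit JAIL, then enter it as USER, never as root.
# --userspec=USER:GROUP is an option of GNU coreutils chroot.
jail_run() {
    jail=$1; user=$2; shift 2
    jail_audit "$jail" || { echo "refusing to enter $jail" >&2; return 1; }
    chroot --userspec="$user:$user" "$jail" "$@"
}

# Usage (as root, after the jail has been built):
#   jail_run /jail nobody /bin/bash
```

The audit is deliberately strict: a jail that needs a device node (for example /dev/null for a daemon) should get exactly that node and nothing more, and the check is there to make you look at each one rather than to forbid them outright.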