Chroot
From DssWiki
A chroot on Unix operating systems is an operation that changes the root directory. It affects only the current process and its children. "chroot" itself can refer to the chroot(2) system call or the chroot(8) wrapper program.
A program that is re-rooted to another directory cannot name files outside that directory. This provides a convenient way to sandbox an untrusted, untested or otherwise dangerous program. It is also a simple kind of jail mechanism.
In practice, chrooting is complicated by programs expecting at startup to find scratch space, configuration files, device nodes and shared libraries at certain preset locations. To allow programs to spawn inside the chroot directory, it must be populated with a minimum set of these files, preferably carefully chosen so as not to allow unintended access to the outside system.
Programs are allowed to carry open file descriptors (for files, pipelines and network connections) into the chroot, which can simplify jail design by making it unnecessary to leave working files inside the chroot directory. This also works as a simple capability system, in which the program is explicitly granted access to resources outside the chroot based on the descriptors it can carry in.
Uses
- Privilege separation: A chroot can be used as a pre-emptive way of containing a security breach by preventing a would-be attacker from doing any damage or probing the host system with a compromised program. A network file server, for example, can chroot to the directory it is serving files from just after accepting a network connection from a client. A similar approach is used by the Postfix mail transfer agent, which divides its work up into a pipeline of smaller, individually chroot-jailed programs.
- Honeypotting: A chroot directory can be populated so as to simulate a real system running network services. In this case, the chroot mechanism may prevent attackers who do compromise the system from discovering that it is an artificial environment.
- Isolation: A chroot environment can be used to create and host a separate copy of the operating system.
- Testing and development: A test environment can be set up in the chroot for software that would otherwise be too risky to deploy on a production system.
- Dependency control: Software can be developed, built and tested in a chroot populated only with its expected dependencies. This can prevent some kinds of linkage skew that can result from developers building projects with different sets of program libraries installed.
- Compatibility: Legacy software or software using a different ABI must sometimes be run in a chroot because their supporting libraries or data files may otherwise clash in name or linkage with those of the host system.
Limitations
Only the root user can perform a chroot. This is intended to prevent users from putting a setuid program inside a specially-crafted chroot jail (for example, with a fake /etc/passwd file) that would fool it into giving out privileges.
The chroot mechanism itself is not entirely secure on all systems. On some systems, for example, chroot contexts do not stack properly and chrooted programs may perform a second chroot to break out.
Most Unixes are not completely file system-oriented and leave potentially disruptive functionality like networking and process control available through the system call interface to a chrooted program.
The chroot mechanism in itself also does not restrict the use of resources like I/O, bandwidth, disk space or CPU time.
A chrooted root user can still create device nodes and mount file systems on them; thus, the chroot mechanism cannot by itself be used to block low-level access to system devices.
External links
- Article "Multi Architecture Debian GNU/Linux Installation" teaching how to set up a full IA-32 environment inside an AMD64 installation using chroot.
- Jailkit: A set of utilities to build chroot environments.
- Jail: Another set of utilities to build chroot environments.
- Virtfs: chrooted virtual server administration tool(s)
- Article "Setting up a Chroot Jail for CVS" by Frank Schoep
- Article "Bind-Chroot-Howto (Debian)" by Falko Timme
- Best Practices for UNIX chroot() Operations @ Steve Friedl's Unixwiz.net Tech Tips