Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices
A chroot operation changes the apparent root directory for a running
process and its children. It allows you to run a program with a root directory other than
/. The program cannot see or access files outside the designated
directory tree. Such an artificial root directory is called a chroot
jail, and its purpose is to limit the directory access of a potential attacker. The
chroot jail locks down a given process and any user ID that it is using so that all they see
is the directory in which the process is running. To the process, it appears that the
directory in which it is running is the root directory.
The chroot mechanism cannot defend against intentional tampering or
low-level access to system devices by privileged users. For example, a
chroot
root user could create device nodes and mount file systems on them. A
program can also break out of a chroot jail if it can gain root privilege
and use chroot() to change its current working directory to the real
root directory. For this reason, you should ensure that a chroot jail
does not contain any setuid or setgid executables that
are owned by root.
For a chroot process to be able to start successfully, you must populate the chroot directory with all required program files, configuration files, device nodes, and shared libraries at their expected locations relative to the level of the chroot directory.
If the DNS name service daemon (named) runs in a chroot jail, any
hacker that enters your system via a BIND exploit is isolated to the files under the chroot
jail directory. Installing the bind-chroot package creates the
/var/named/chroot directory, which becomes the chroot jail for all BIND
files.
You can configure the vsftpd FTP server to automatically start chroot
jails for clients. By default, anonymous users are placed in a chroot jail. However, local
users that access an vsftpd FTP server are placed in their home
directory. Specify the chroot_local_user=YES option in the
/etc/vsftpd/vsftpd.conf file to place local users in a chroot jail
based on their home directory.
To create a chroot jail:
Create the directory that will become the root directory of the chroot jail, for example:
# mkdir /home/oracle/jailUse the ldd command to find out which libraries are required by the command that you intend to run in the chroot jail, for example /bin/bash:
# ldd /bin/bash
linux-vdso.so.1 => (0x00007fff56fcc000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003ad1200000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000003abe600000)
libc.so.6 => /lib64/libc.so.6 (0x0000003abe200000)
/lib64/ld-linux-x86-64.so.2 (0x0000003abde00000)Create subdirectories of the chroot jail's root directory that have the same relative paths as the command binary and its required libraries have to the real root directory, for example:
#mkdir /home/oracle/jail/bin#mkdir /home/oracle/jail/lib64
Copy the binary and the shared libraries to the directories under the chroot jail's root directory, for example:
#cp /bin/bash /home/oracle/jail/bin#cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2}\/home/oracle/jail/lib64
To run a command in a chroot jail in an existing directory
(chroot_jail), use the following command:
# chroot chroot_jail commandIf you do not specify a command argument, chroot runs the value of the
SHELL environment variable or /bin/sh if
SHELL is not set.
For example, to run /bin/bash in a chroot jail (having previously set it up as described in Section 3.13.2, “Creating a Chroot Jail”):
#chroot /home/oracle/jailbash-4.1#pwd/ bash-4.1#lsbash: ls: command not found bash-4.1#exitexit #
You can run built-in shell commands such as pwd in this shell, but not other commands unless you have copied their binaries and any required shared libraries to the chroot jail.
For more information, see the chroot(1) manual page.
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices