26.5.2 Creating a Chroot Jail

To create a chroot jail:

  1. Create the directory that will become the root directory of the chroot jail, for example:

    # mkdir /home/oracle/jail

  2. Use the ldd command to find out which libraries are required by the command that you intend to run in the chroot jail, for example /usr/bin/bash:

    # ldd /usr/bin/bash
    	linux-vdso.so.1 =>  (0x00007fffdedfe000)
    	libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003877000000)
    	libdl.so.2 => /lib64/libdl.so.2 (0x0000003861c00000)
    	libc.so.6 => /lib64/libc.so.6 (0x0000003861800000)
    	/lib64/ld-linux-x86-64.so.2 (0x0000003861000000)

    Note

    Although the path is displayed as /lib64, the actual path is /usr/lib64 because /lib64 is a symbolic link to /usr/lib64. Similarly, /bin is a symbolic link to /usr/bin. You need to recreate such symbolic links within the chroot jail.

  3. Create subdirectories of the chroot jail's root directory that have the same relative paths as the command binary and its required libraries have to the real root directory, for example:

    # mkdir -p /home/oracle/jail/usr/bin
    # mkdir -p /home/oracle/jail/usr/lib64

  4. Create symbolic links to the binary and library directories in the same manner as the symbolic links that exist in the real root directory. Use relative link targets so that the links still resolve after the jail directory becomes the root directory, for example:

    # ln -s usr/bin /home/oracle/jail/bin
    # ln -s usr/lib64 /home/oracle/jail/lib64

  5. Copy the binary and the shared libraries to the directories under the chroot jail's root directory, for example:

    # cp /usr/bin/bash /home/oracle/jail/usr/bin
    # cp /usr/lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} \
      /home/oracle/jail/usr/lib64
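
The following script automates steps 2 through 5 for any dynamically linked binary. It is an added example, not part of the original documentation, and the function names `ldd_paths`, `copy_into_jail` and `build_jail` are hypothetical. It assumes library paths contain no whitespace and that the jail directory from step 1 already exists.

```shell
#!/bin/sh
# Added example (not from the original documentation); function names are hypothetical.
# Run ldd only on binaries you trust: some ldd implementations execute the target.

# ldd_paths: read `ldd` output on stdin and print each resolved library path.
# linux-vdso is skipped (it has no file on disk); "not found" makes the function fail.
ldd_paths() {
    awk '/not found/ { bad = 1 }
         /=> \//     { print $3; next }   # libc.so.6 => /lib64/libc.so.6 (0x...)
         $1 ~ /^\//  { print $1 }         # /lib64/ld-linux-x86-64.so.2 (0x...)
         END         { exit bad }'
}

# copy_into_jail JAIL FILE: copy FILE to the same real path under JAIL, then
# recreate a symlinked top-level directory such as /lib64 -> usr/lib64.
copy_into_jail() {
    jail=$1; file=$2
    realdir=$(readlink -f "$(dirname "$file")") || return 1
    mkdir -p "$jail$realdir" || return 1
    cp -L "$file" "$jail$realdir/" || return 1    # -L copies the file, not a link to it
    top=/$(printf '%s\n' "$file" | cut -d/ -f2)   # first path component, e.g. /lib64
    if [ -L "$top" ] && [ ! -e "$jail$top" ] && [ ! -L "$jail$top" ]; then
        # Reuse the host's link text so the link resolves inside the jail.
        ln -s "$(readlink "$top")" "$jail$top" || return 1
    fi
}

# build_jail JAIL BINARY: copy BINARY and every library that ldd reports into JAIL.
build_jail() {
    libs=$(ldd "$2" | ldd_paths) || { echo "unresolved library for $2" >&2; return 1; }
    for f in "$2" $libs; do
        copy_into_jail "$1" "$f" || return 1
    done
}

# Usage (as root): sh thisfile.sh /home/oracle/jail /usr/bin/bash
if [ "$#" -eq 2 ]; then
    build_jail "$1" "$2"
fi
```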