As the name implies, a chroot operation changes the apparent root directory for a running process and its children. It allows you to run a program (process) with a root directory other than /. The program cannot see or access files outside the designated directory tree.
For example, you can run a program and specify its root directory as /home/user/jail. In this case, the program’s root directory is actually /home/user/jail. The program would not be aware of, or able to access, any files above this directory in the hierarchy.
This artificial root directory is called a chroot jail. Its purpose is to limit the directories a potential attacker can access. The chroot jail locks down a given process and any user ID it is using so that the user sees only the directory tree that the process is running in. To the process, it appears that it is running in the root directory.
A chroot jail is not intended to:
– Defend against intentional tampering by privileged (root) users.
– Be used to block low-level access to system devices by privileged users. A root user inside a chroot can still create device nodes and mount file systems on them.
For a chroot process to successfully start, the chroot directory must be populated with all required program files, configuration files, device nodes, and shared libraries at their expected locations.
Using chroot utility
1. To use a chroot jail, use the following command (new_root must be an existing directory):
# chroot new_root [command]
2. The new_root directory becomes the artificial root directory. chroot changes to new_root and runs the optional command. Without specifying a command as an argument, chroot changes to new_root and runs the value of the SHELL environment variable or /bin/sh if SHELL is not set.
3. For example, assuming SHELL is set to /bin/bash, and the /home/user/jail directory exists, running the chroot command results in the following:
# chroot /home/user/jail
chroot: failed to run command ‘/bin/bash’: No such file or directory
4. The /home/user/jail directory takes the name of /. chroot cannot find /bin/bash within this chroot jail and returns the error message. To implement a chroot jail, create the new root directory structure and copy all the necessary files into this new root directory before running the chroot command.
Configuring chroot Jail
1. To implement a chroot jail and run /bin/bash, create the bin directory in the artificial root directory (/home/oracle/jail in this example), and copy /bin/bash into this directory:
$ mkdir /home/oracle/jail/bin
$ cp /bin/bash /home/oracle/jail/bin
2. The /bin/bash command is dynamically linked to shared libraries. These libraries must also be copied into the chroot jail. Use the ldd command to determine which libraries are required by the /bin/bash command:
# ldd /bin/bash
linux-vdso.so.1 => (0x00007fff11bff000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003728800000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000003d56400000)
libc.so.6 => /lib64/libc.so.6 (0x0000003d56800000)
/lib64/ld-linux-x86-64.so.2 (0x0000003d56000000)
3. Copy each of these files into a lib64 directory in the artificial root directory. Make the lib64 directory and copy the shared libraries into this directory:
$ mkdir /home/oracle/jail/lib64
$ cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /home/oracle/jail/lib64
4. Now that all the required files are in their expected locations, running the chroot command (as root) results in the following:
# chroot /home/oracle/jail
5. The command succeeded this time and the /bin/bash program executed. Entering pwd to print the current directory displays /, even though the actual directory is /home/oracle/jail:
# pwd
/
The pwd command runs because it is a shell built-in command. Running any other command fails because bash cannot find the command. The process assumes it is in the root directory and has no visibility or knowledge of any files above this directory in the hierarchy. For example, running the ls command fails:
# ls
bash: ls: command not found
6. Use the exit command to exit the chroot jail.
# exit
exit
#
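The whole procedure, from resolving the shared libraries with ldd through checking that every file is in place before chroot is run, collected into one script. This is an added example and not part of the original page or of any vendor documentation. It covers both sections above: the check it performs is exactly what was missing when the first chroot attempt failed with "failed to run command ... No such file or directory", and the populate step is the mkdir/cp sequence from the configuration steps, generalised to any program and to whatever library paths ldd reports on the current system. The jail path /home/oracle/jail and the program /bin/bash come from the text; the function names and the awk parser are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): build a minimal chroot jail for
# one dynamically linked program and verify it before chroot is attempted.

# Parse ldd(1) output read from stdin and print one absolute library path per
# line. Handles both "libfoo.so => /path (addr)" lines and the bare
# "/lib64/ld-linux-x86-64.so.2 (addr)" line for the dynamic loader, and skips
# the virtual linux-vdso entry, which has no file on disk to copy.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # name => /path (addr)
        $1 ~ /^\//               { print $1 }        # /path (addr), the loader
    '
}

# Copy a program and its shared libraries into the jail, keeping each file's
# absolute path relative to the jail root: /lib64/libc.so.6 lands at
# $jail/lib64/libc.so.6, which is where the dynamic loader will look for it
# once / has been remapped to $jail. cp follows symlinks, so a library that is
# a link on the host becomes a regular file inside the jail.
jail_populate() {
    jail=$1
    prog=$2
    for f in "$prog" $(ldd "$prog" | ldd_paths); do
        mkdir -p "$jail$(dirname "$f")"
        cp "$f" "$jail$f"
    done
}

# Report every file the program needs that is missing from the jail.
# Returns 0 when the jail is complete and 1 otherwise; running this before
# chroot turns the opaque "No such file or directory" failure into a list of
# the exact paths that still have to be copied.
jail_check() {
    jail=$1
    prog=$2
    missing=0
    for f in "$prog" $(ldd "$prog" | ldd_paths); do
        if [ ! -e "$jail$f" ]; then
            echo "missing: $jail$f" >&2
            missing=1
        fi
    done
    return $missing
}

# Usage (as root):  sh build_jail.sh /home/oracle/jail /bin/bash
# followed by:      chroot /home/oracle/jail
# With no arguments the functions are only defined, so the file can be sourced.
if [ "$#" -eq 2 ]; then
    jail_populate "$1" "$2"
    jail_check "$1" "$2" && echo "jail $1 is ready for: chroot $1 $2"
fi
```

Only files the loader resolves at start-up are copied; anything the program opens later (terminfo for bash, configuration files, device nodes such as /dev/null) still has to be added by hand, which is why the page lists those among the items a jail must contain.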