chroot tips

2 02 2011

What is chroot?

chroot is a standard Unix command (and system call) that changes the apparent root directory for the current running process and its children. It can be used to create a “jailed” user who is locked into a chosen directory and unable to access anything outside it. The catch is that everything a shell needs for basic operation (binaries, shared libraries and a few /etc/ files) must be copied into the jailed directory, because the process can no longer see the real ones. Bear in mind that chroot by itself is not a full security boundary: a process that runs as root inside the jail can break out of it, so the jailed user must never be root and must not be able to overwrite the jail’s binaries. If you want to use it in a production environment I suggest you check out jailkit for a more secure and featured solution. I set up a chroot to run Cognos 10.

Here are some tips:

-To force a user to always operate in a chroot, set their shell (the 7th field in /etc/passwd) to a script that executes something like [1]. You can also set the user’s shell when creating the account with the -s option [2]. Two things to get right here: chroot needs root, so the script runs it via sudo and needs a matching sudoers rule, and chroot does not drop privileges, so as written [1] starts /bin/bash as root inside the jail. Newer GNU coreutils accept --userspec=USER:GROUP to switch to the jailed user before running the shell. Also keep the jail tree (and /bin/bash in particular) owned by root and not writable by the jailed user, otherwise they can replace the shell that sudo will happily run for them.

[1] sudo /usr/bin/chroot /home/$USER /bin/bash

[2] useradd -d /tmp -s /bin/chrootshell $user

-Copying the commands you want into the chroot takes two commands: ‘which [COMMAND]‘ to find where the command binary is located and ‘ldd [PATH/OF/A/COMMAND]‘ to list the shared libraries it needs. Copy each of those files to the same path under the jail and the command will work there. Note that ldd only shows shared libraries; files a program opens at run time (terminfo for bash, locale data, /etc/nsswitch.conf and the NSS modules it loads for name lookups) do not appear and have to be tracked down separately, for example with strace.

-When in doubt, copy everything in /lib/ and /usr/lib/ into the chroot if programs aren’t working. It wastes disk but is a quick way to tell a missing-library problem from a missing-config problem.

-Don’t put a C compiler (or anything else that makes it easy to run arbitrary native code) into the chroot. The classic escape is a program that, running as root inside the jail, creates a nested chroot and chdir()s out of it; leaving the compiler out makes that harder to build, but the real fix is never letting the jailed user run as root.

-I found that Cognos 10 requires a couple of /etc/ files to be copied to the chroot to run, in addition to passwd, profile and hostname. I just copied everything in /etc/ to the chroot. That is indeed insecure: a blanket copy drags in /etc/shadow (password hashes), private keys such as the ssh host keys, and the accounts of every other user. Copy only the files the program actually asks for, and trim passwd and group down to the entries the jail needs.

-If the program you’re running in the chroot is complicated, you may need to give it /proc access. Cognos needed it for Java to be able to schedule itself on the CPU. You can mount it like this (on Linux the source argument, “linprocfs” here, is ignored for the proc filesystem; “proc” or “none” are the usual names):
mount -t proc linprocfs /home/c10dp05c/proc
Keep in mind that a /proc mounted inside the jail lets the jailed user see every process on the host, command lines included, so only do this when the program really needs it.

To make this persist across reboots, put the code below in /etc/init.d/boot.local (the SUSE local boot script):

# Mount /proc into the jail of every chrooted user. Selecting them by login
# shell (see tip [2]) avoids grepping for a name pattern.
users=$(awk -F: '$7 == "/bin/chrootshell" { print $1 }' /etc/passwd)
for u in $users   # if you have multiple users
do
  jail=/home/$u
  mkdir -p "$jail/proc"
  # don't stack a second mount if the script is run again
  if ! mountpoint -q "$jail/proc"; then
    mount -t proc proc "$jail/proc"   # the source name is ignored for proc
  fi
done

-Best tutorial: http://www.antionline.com/showthread.php?t=248890. Lots to learn there; some of what I learned is in this post.

-Again check out jailkit for a more secure and featured solution.
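Putting the tips above together, here is a small jail builder. It is an added example, not code from the original post or from jailkit: it copies commands together with the libraries ldd reports (the which + ldd tip), writes the login-shell wrapper from tip [1] with the user switch done by chroot --userspec, keeps the jail tree root-owned, and mounts /proc only once. The names are assumptions made for the example: the jail lives at /home/<user>, the wrapper is /bin/chrootshell, chroot is at /usr/bin/chroot as in the post, and a sudoers rule is assumed to allow the jailed user to run exactly that chroot command without a password.

```bash
#!/bin/sh
# Added example (not from the original post): build a minimal chroot jail.
# Assumed layout: jail root /home/<user>, wrapper /bin/chrootshell,
# GNU coreutils chroot at /usr/bin/chroot with --userspec support.
set -eu

# Copy one host file into the jail at the same absolute path.
copy_into_jail() {
    jail=$1; file=$2
    mkdir -p "$jail$(dirname "$file")"
    cp -p "$file" "$jail$file"
}

# "which" + "ldd" in one step: copy a command and every shared object ldd lists.
# ldd prints lines like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
# and "/lib64/ld-linux-x86-64.so.2 (0x...)"; every field starting with "/" is a
# path we need. A statically linked binary yields no paths and is just copied.
copy_with_deps() {
    jail=$1; cmd=$2
    bin=$(command -v "$cmd") || { echo "copy_with_deps: $cmd not found" >&2; return 1; }
    case $bin in
        /*) ;;
        *) echo "copy_with_deps: $cmd is a shell builtin, nothing to copy" >&2; return 1 ;;
    esac
    copy_into_jail "$jail" "$bin"
    for lib in $(ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        [ -e "$jail$lib" ] || copy_into_jail "$jail" "$lib"
    done
}

# Login-shell wrapper from tip [1], with two changes: the user and group come
# from id rather than from $USER (an environment variable the caller controls),
# and --userspec makes chroot switch to that user instead of leaving a root
# shell inside the jail. The sudoers rule permitting this command is assumed.
write_chrootshell() {
    path=$1
    cat > "$path" <<'EOF'
#!/bin/sh
u=$(id -un); g=$(id -gn)
exec sudo /usr/bin/chroot --userspec="$u:$g" "/home/$u" /bin/bash --login
EOF
    chmod 0755 "$path"
}

# /proc tip: mount it only once, even if boot.local is run again.
mount_jail_proc() {
    jail=$1
    mkdir -p "$jail/proc"
    mountpoint -q "$jail/proc" || mount -t proc proc "$jail/proc"
}

# Build the jail for USER with bash plus the listed commands. Run as root:
# the tree is root-owned and not writable by the user, who only gets a
# writable home directory inside it. Only this user's passwd/group entries
# are copied; /etc/shadow never goes into the jail.
build_jail() {
    user=$1; jail=/home/$1; shift
    for d in bin lib etc dev proc "home/$user"; do mkdir -p "$jail/$d"; done
    for cmd in bash "$@"; do copy_with_deps "$jail" "$cmd"; done
    getent passwd "$user" > "$jail/etc/passwd"
    getent group "$(id -gn "$user")" > "$jail/etc/group"
    chown -R root:root "$jail"
    chown "$user" "$jail/home/$user"
    mount_jail_proc "$jail"
}

# Typical use as root, e.g. for a user "alice" (name is an example):
#   build_jail alice ls cat
#   write_chrootshell /bin/chrootshell
#   usermod -s /bin/chrootshell alice
```

After running it, log in as the user and check that the shell reports a non-root uid (id -u) and that the jail’s /bin/bash is owned by root; if either check fails the jail is only cosmetic.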

Good luck!
