All services in chroot Linux

Author: Mark Nielsen
Translator: lanfeng

Abstract: if someone breaks into your system, chroot improves security by limiting the damage the intruder can do.


What is chroot? It is basically a redefinition of the universe for a program. More precisely, it redefines the root directory, "/", for a program or login. When you chroot a program, nothing outside the chosen directory exists as far as that program is concerned.

Why is this useful? If someone breaks into your computer, they cannot see all the files on your system. That limits the commands they can run and keeps them from exploiting other files that are insecure. The only drawback of chroot is that it does not stop an intruder from looking at network connections and other components. So you will also want to do a few things that this article does not cover in detail:

1. Protect your network port.

2. Run all your services without the root account. In addition, you can run all the services chrooted.

3. Copy the system log file to another machine.

4. Analyze the log file.

5. Analyze how people try to probe the ports on your computer.

6. Limit the CPU and memory of each service.

7. Activate account quotas.

The reason I think chroot protects a program (in a non-root service) is this: if someone breaks in through a service running under a non-root account, there are no files they can use to get root, so the damage they can do is limited to the chrooted area. Likewise, if most of the files they can reach are owned by root, the damage is reduced further. Obviously, if someone breaks into your account, it also keeps your damage to a minimum.

Remember: My method is not 100% effective either. This is my first attempt to do this, and if it is partially effective, the rest will be very simple. The following is how to do it.

Are you ready?

Okay, first create a directory, "/chroot", and then place all our services under it. Next, make the following arrangements:

syslog will be chrooted along with each service.

Apache goes in /chroot/httpd.

SSH goes in /chroot/sshd.

PostgreSQL goes in /chroot/postmaster.

Sendmail will also be chrooted, but unfortunately it cannot run under a non-root account.

ntpd is chrooted to /chroot/ntpd.

named is chrooted to /chroot/named.

Each service is completely isolated.

My Perl script (see the references in this article) generates the chrooted environment; rename it after downloading. The script lists the installed services, reads the configuration files, and configures each service. In short, here is what you need to do.

1. Create the chroot directories: mkdir -p /chroot/config/backup

2. Copy the Perl script to /chroot/.

3. Change the $home variable in the Perl script if your chroot root directory is not /chroot.

4. Download the configuration files I wrote.

Now, the most important thing is that I only tested RedHat 7.2 and RedHat 6.2. Therefore, modify the Perl script based on your version.

I do not want a large number of files in the chroot, and my Perl script keeps it small. Basically, I noticed that after chrooting many services, the chroots repeat many similar files and directory structures. The simplest way to tell which files a particular service needs copied in is to read its manual page and to run "ldd /usr/bin/file" on the program to list the libraries it uses. Of course, you can also chroot the service you are installing, start it by hand to see what errors it reports, and then look at its log files.
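As an added example that is not part of the original article or of the author's Perl script, the following POSIX shell functions do the ldd step described above by hand: they read the ldd output, pull out the library paths, and copy the program together with those libraries into a chroot tree. The program and chroot paths in the usage comment are assumptions that follow the article's /chroot layout.

```shell
#!/bin/sh
# Added example (not the article's script): copy one program and the shared
# libraries ldd reports for it into a chroot tree such as /chroot/httpd.

# Read ldd output on stdin and print one library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; skips the vdso (no file on disk)
# and the "statically linked" message (nothing to copy).
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# copy_with_libs PROGRAM CHROOTDIR
# Copies PROGRAM and its libraries under CHROOTDIR, keeping absolute paths
# (e.g. /lib/libc.so.6 -> CHROOTDIR/lib/libc.so.6). Returns 1 if PROGRAM
# does not exist, so an install script can stop instead of building a
# jail that will not start.
copy_with_libs() {
    prog=$1; root=$2
    [ -f "$prog" ] || { echo "no such program: $prog" >&2; return 1; }
    mkdir -p "$root$(dirname "$prog")"
    cp -p "$prog" "$root$prog"
    # ldd fails on static binaries; treat that as "no libraries needed".
    ldd "$prog" 2>/dev/null | ldd_paths | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp -p "$lib" "$root$lib"
    done
    return 0
}

# Usage with the article's layout (assumed paths; run as root):
#   copy_with_libs /usr/local/apache/bin/httpd /chroot/httpd
```

Run ldd on the copied program inside the chroot afterwards (chroot /chroot/httpd /usr/bin/ldd ...) to confirm nothing is reported as "not found".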

To install a service, follow these steps:

./ config service
./ install service
./ start service

Chroot ntpd

ntpd is just a time service that keeps your machine's clock consistent with other machines and with the real time. Chrooting it is simple.

# If you do not want to use my configuration file, uncomment the following line
#./ config ntpd
./ install ntpd
./ start ntpd

Chroot DNS or named

You can get it on the following URL:




Or, you can use my script,

# If you do not want to use my configuration file, uncomment the following line
#./ config named
./ install named
./ start named

My complaints about chroot System Log Files

I want to chroot syslog as well, but one problem is that syslog uses /dev/log by default, and a chrooted service cannot reach it. So chrooting syslog is not an easy task. The following approaches may work:

1. Run a chrooted syslog together with each service. I tested this and it works, but I do not like it because it leaves a root service running continuously.

2. Check whether the services can connect to a detached logging tool.

3. Log to a file instead of to syslog. This may be the most reliable solution, although if someone breaks in they can do whatever they want to the log files.

4. Configure the main syslog to see whether it can collect the logs of all services from their individual locations, using the -a option.

My only solution so far is to make sure syslog is chrooted with each service. I would like some way for each service to send its logs out of its own chroot environment without root permissions, for example over a network port. That is feasible, but I want to find a better solution.

If you do not want a separate syslog for each service, add the following to the command line of the main syslog where it is started at system boot:


If you run SSH and DNS, it can be written,


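As an added example, not from the original article, the following shell functions build the -a arguments for a single syslogd (sysklogd) running outside the chroots so that it also listens on /dev/log inside each service's chroot, and check afterwards that the sockets actually appeared. The /chroot/<service>/dev/log layout is taken from the article; sshd and named are the example services, and CHROOT_BASE is a variable introduced here.

```shell
#!/bin/sh
# Added example (not from the article): one syslogd on the main system,
# listening on an extra socket inside each service chroot via sysklogd's
# "-a <socket>" option. Layout assumed: /chroot/<service>/dev/log.
CHROOT_BASE="${CHROOT_BASE:-/chroot}"

# Print "-a /chroot/<svc>/dev/log" for each service name given.
syslog_socket_args() {
    args=""
    for svc in "$@"; do
        args="$args -a $CHROOT_BASE/$svc/dev/log"
    done
    printf '%s' "${args# }"
}

# Create the dev/ directory inside each chroot; syslogd creates the
# socket itself when it starts, but it needs the directory to exist.
prepare_chroot_dev() {
    for svc in "$@"; do
        mkdir -p "$CHROOT_BASE/$svc/dev"
    done
}

# After syslogd has started, count chroots where no socket appeared.
# A non-zero count means that service's log messages are being dropped
# silently, which is exactly the failure this setup must not hide.
missing_sockets() {
    n=0
    for svc in "$@"; do
        [ -S "$CHROOT_BASE/$svc/dev/log" ] || n=$((n + 1))
    done
    echo "$n"
}

# Usage (as root, after the services are installed):
#   prepare_chroot_dev sshd named
#   syslogd $(syslog_socket_args sshd named)
#   missing_sockets sshd named     # expect 0
```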
On syslog itself, note that I want it to run under a non-root account. I tried a few simple things, but none of them worked, and I finally gave up. If syslog could run under a non-root account, security would be improved.

Chroot Apache

It is very easy. Once I had it set up, I could run my Perl script. Now my configuration file is quite large, because I put both Perl and the PostgreSQL client into the chrooted area. One thing you should note: if you connect to a database, make sure your database listens on the loopback device, and make sure the host you give the DBI module is the loopback address. The following shows how to connect to the database from Apache using a persistent connection:

use DBI;
our $dbh;   # kept across requests under mod_perl, so ||= reuses an open handle
# Try the local Unix socket first, silently; it is not visible from inside the chroot.
$dbh ||= DBI->connect('dbi:Pg:dbname=database', '', '', { PrintError => 0 });
if ($dbh) { $dbh->{PrintError} = 1; }
else {  # fall back to TCP on the loopback device, which chrooted Apache can reach
    $dbh ||= DBI->connect('dbi:Pg:dbname=database;host=127.0.0.1', '', '', { PrintError => 1 });
}


Compile and install Apache to/usr/local/Apache in your main system. Then run the Perl script.

# If you do not want to use my configuration file, uncomment the following line
#./ config httpd
./ install httpd
./ start httpd

I changed my httpd.conf file to add the following:

ExtendedStatus On

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from
</Location>

<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from
</Location>

Then point your browser at http:// or http://

Chroot SSH

First, ideally, we would forward port 22 to port 2222. Then, when you start SSH, bind it to port 2222 under a non-root account. For the initial SSH connection, we use a password to a secure account; that password can only be used to get into the chrooted system and cannot be used for anything else. Once they have logged in, there is a second SSH program, running from one port to another, through which they connect to the real system; this second SSH program only listens on the loopback device. I have not tried this yet. All I have done is chroot SSH. What you would have to do by hand is run SSH under a non-root account and install the second SSH program, the one that listens only on the loopback device, so that people can get into the real system.

For now, I plan only to chroot SSH, and you should consider the consequences (if you do so, you cannot see the whole system). Likewise, I could use OpenSSH, but I have no good excuse for simply using the commercial SSH.


Install SSH into /usr/local/ssh_chroot. Then use the Perl script.

# If you do not want to use my configuration file, uncomment the following line
#./ config sshd
./ install sshd
./ start sshd

Using chrooted SSH instead of FTP is undoubtedly a good thing, since it restricts what people can reach on your system. rsync and scp work well together for letting people upload files. I do not really like running an FTP server for people. Many FTP servers can be chrooted, but they still pass passwords in the clear, which I do not like.

Chroot PostgreSQL

It is as easy as Perl, except that it needs more libraries. Overall it is not hard. What I had to do was enable PostgreSQL on the network, but only on the loopback device: because it is chrooted, other chrooted services such as the Apache web server cannot reach it otherwise. I compiled Perl into PostgreSQL, so I had to add a lot of Perl material to the configuration file.



Compile and install PostgreSQL into /usr/local/Postgres on your main system. Then run the Perl script.

# If you do not want to use my configuration file, uncomment the following line
#./ config Postgres
./ install Postgres
./ start Postgres

Chroot sendmail

Continue and run the script.

# If you do not want to use my configuration file, uncomment the following line
#./ config sendmail
./ install sendmail
./ start sendmail

Do you see the problem? Yes, it still runs as root, unfortunately. Also, the /etc/rc.d/init.d/sendmail script rebuilds some files when it starts, and my script does not handle this. Any change you make to Sendmail under /etc/mail should be copied to /chroot/sendmail/etc. Likewise, you must point /var/spool/mail at /chroot/sendmail/var/spool/mail so that the Sendmail program and the users (when they log in) see the same files.

The good news is that you can send email; receiving email is the problem. I could install sendmail into the Apache chroot without any trouble. I have Perl scripts that send email, so I needed to copy the sendmail binary into Apache's chroot area.

Other chroot tasks

Below are my ideas.

1. Everything can be chrooted, including Sendmail, SSH, Apache, PostgreSQL, syslog, and every other service running on the computer.

2. Everything can run under a non-root account (all you need to do is forward the privileged port to the unprivileged port). This includes Sendmail and syslog.

3. Logs can be backed up offsite.

4. Each service can be given a disk quota. That way, when an attacker tries to fill the disk or overwrite files, there is a limit on the disk space they can use.

5. root can own all the files, so the service cannot modify them.

Now, I still think Sendmail and syslog should be able to run under a non-root account. For Sendmail this is entirely possible, but it is still quite difficult for me; I have not succeeded in running Sendmail under a non-root account. I think there must be something badly wrong. I still have problems doing it, but I think they can all be solved; the file permissions are already set. I do not understand why Sendmail has to run as root. Maybe I have overlooked something, and I suspect there are obstacles that cannot be overcome.

I have not tried syslog, but I believe it can run without a root account. At the very least I can chroot a syslog for each service.

All services can be set up under a non-root account, even NFS: all of them.


1. Set up SSH twice and run two sshd daemons.

2. Find out how to run Sendmail and other mail programs as non-root.

3. Remove the unnecessary libraries from /lib. I copied everything in it to save effort; in fact, much of it is not needed.

4. Remote syslog: check whether syslogd can listen on a network port, whether all services can connect to that port on the loopback device, and whether syslogd can run under a non-root account.


I think chroot is worthwhile for all services. I believe it would be a big mistake not to chroot all services under non-root accounts. I hope some distribution, either a professional one or a smaller one, any distribution, does this. Mandrake first took the sources from RedHat and then extended them, so it is entirely possible to take a distribution and extend it so that its services are chrooted and separated from each other. There is nothing to stop people from building on others' work in GNU/Linux, so I think this is completely feasible. If a company were willing to chroot everything and create an easy, systematic environment for people to manage their chrooted services, I believe they would see unexpected sales results! Remember, even though Linux has become mainstream, people still do not want to see the command line. If everything can be done through a graphical interface, they do not need to see all the "guts" or know how things are done step by step; all they have to do is configure it and know that it is working!

I am 100% behind one idea: all services can be chrooted under non-root accounts, and no distribution has given me this in a real environment. I plan to chroot everything; in fact, I already have.

I plan to write an article on how to use chroot. Could someone please help me convert this article to LyX format so that it can be placed among the Linux HOWTOs?


If this article has changed, you can find it here:


Related configuration files:

