Chroot and jail

Source: Internet
Author: User
Tags function prototype mkdir


The so-called "prison" means to change the root folder that a process can see through the chroot mechanism, to restrict a process to a specified folder, to ensure that the process can only act on the files of that folder and its subfolders, thus ensuring the security of the entire server.

Create Chroot "prison"

Once, the daemon on the unix/linux was started with root privileges. At the time, this seemed to be a matter of course, since the server software such as Apache needed to be bound to the "known" Port (less than 1024) to listen for HTTP requests, and Root was the only user with that permission.

However, server security is more threatened as attackers move more frequently, especially as the number of buffer overflow vulnerabilities increases. Once a network service has a vulnerability, an attacker can access and control the entire system. Therefore, to mitigate the negative impact of such an attack, the server software is now often designed to start with root, and the server process abandons root and executes the process with a lower-privileged system account. The advantage of this approach is that once the service is exploited by an attacker, because process permissions are very low, the attacker's access permission is based on this lower privilege, and the damage to the system is much more damaging than ever.

Some attackers will attempt to find other vulnerabilities in the system to elevate permissions until they reach root. Because local security is much lower than remote security, it is very likely that attackers will find something in the system that can elevate permissions. Even if no local vulnerabilities are found, attackers can cause other damage, such as deleting files, altering the home page, and so on.

To further improve the security of the system, the Linux kernel introduces the chroot mechanism. Chroot is a system call in the kernel that allows the software to change the root folder that a process can see by calling the Library function chroot. For example, the Apache software is installed in the/usr/local/httpd/folder to start Apache with root (or another account with the same permissions), and the parent process of this root privilege derives several child processes that execute with nobody permissions, depending on the individual settings. The parent process listens for TCP data streams that are requested from 80port, and then assigns the request to a child process based on an internal algorithm. In this case, the folder where the Apache subprocess is inherited from the parent process, that is,/usr/local/httpd/.

However, once the folder permissions are set in error, the attacked Apache subprocess can access/usr/local,/usr,/tmp, or even the entire file system, because the root folder of the Apache process is still the root of the entire file system. Assuming that you can use chroot to limit Apache to/usr/local/httpd/, the files that Apache can access are files under/usr/local/httpd/or under their subfolders. The purpose of creating a chroot "prison" is to restrict process permissions to a subtree in the File system folder tree.

Why need jail

One problem with software chroot is that all of the programs, configuration files, and library files that are required for the software to execute must be installed in the Chroot folder, usually called the Chroot jail (chroot "Prison "). Suppose you want to execute/sbin/httpd in "prison", but you don't actually see the real/sbin folder in the file system. Therefore, you need to create the/sbin folder beforehand and copy the httpd into it. at the same time httpd requires several library files, such as the following command to see these library files (executed under the real file system).

#ldd/sbin/httpd =>/usr/local/httpd/lib/ (0x40017000) = >/usr/lib/ (0x4003c000) =>/lib/ (0x40043000) = >/lib/tls/ (0x400eb000) =>/usr/lib/ (0x400f8000) =>/usr/local/httpd/lib/ (0x40118000) =>-/lib/ (0x40139000 ) =>/lib/tls/ (0x4014b000) => (/lib/ =>/lib/ (0x4019a000) =>
(/lib/ 0x401af000
= >/lib/tls/ (0x42000000)
/lib/ =>/lib/ (0x40000000)

This means that you also need to create a Lib folder in "prison" and copy the library files to it. This work can be done by the computer, using jail and other software packages to help simplify the process of establishing the chroot "prison".

Briefly introduce the application of the Chroot command (share)

Chroot in the Linux system to play the root directory switching work,

At the same time brings the security of the system and other benefits. Chroot

is the change root directory (changing the root directory).

In a Linux system, the default directory structure of the system starts with the '/', that is, the root (root).

After using Chroot, the system's directory structure will be the '/' location at the specified location.

For example, you want your friends to log on to your machine,

But of course I don't want him to be able to run most of the commands in your machine,

Just let him run the order you feel no problem.

Specifically, he wants to confine his visit to the/usr/chroot.

Let him feel that/usr/chroot is the root directory (/), this time need to use the chroot command,

1. Build a folder,

# Mkdir/usr/chroot

When you want to use the # Chroot/usr/chroot command at this time, you will find that there are errors:

Chroot:cannot Run command '/bin/bash ': No such file or directory

So before you use the chroot command, you need to move bash into the/usr/chroot/bin.

2. Build bin etc lib Var home folder

# mkdir bin etc lib Var home

You can then replicate the bash, but before that, one more thing to do is to use LDD to investigate Bash's dependencies on various files.

3. # Ldd/bin/bash => (0x00110000) =>/lib/ (0x00b9f000) =>/lib/tls/i686/cmov/ (0x004fe000) =>/lib/tls/i686/cmov/ (0x00208000)

/lib/ (0x00491000)

And then will/lib/,/lib/tls/i686/cmov/,

/lib/tls/i686/cmov/ these files into the/usr/chroot/lib

4. Then copy Bash to/usr/chroot

# Cp/bin/bash/usr/chroot/bin

5. OK, this time you can use Chroot

# Chroot/usr/chroot

/usr/chroot became/, prompt changed, and mine became bash-4.1#.

But now the following command is not available, you can follow the steps above to add a variety of commands ls, pwd, CD, MV and so on

Well, that's all. Some concrete applications come back slowly later.

Chroot Introduction

Chroot is a command of Linux as well as a system call to it. Its role is to change the root directory of the current environment to a folder, this folder outside of things, for the current environment is not visible. So if you run untrusted code or programs, it's a good choice to use chroot as a security sandbox. Here we briefly introduce the method of using chroot and the problems needing attention, and provide some ways to jump out of the chroot environment. chroot Command

Chroot (1) This command can be found in most unix/linux systems. Its role is to change the root directory to a new folder and run a shell. So it requires that there be at least one running shell under the new folder. In fact, most of the Chroot folder structure is similar to a small Linux system, such as the following Lib, usr, bin and other folders. Here we describe how to create a minimal environment to use the chroot command.

First, we want the structure of this folder to be similar to the Linux Basic system architecture, so that the chroot environment can be used as a basic Linux environment. So use the following command to create some new folders first:

mkdir newroot
cd newroot
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin

This creates some of the necessary folders. Where bin and usr/bin are placed in binary files, and Lib and usr/lib are stored as link library files.

As I said before, the chroot environment requires at least one shell that can be run, and we can copy the bash in our system directly to the past. General Bash is under the/bin folder, and if you are unsure, you can use the following command to find:

Whereis Bash

then copy bash to the appropriate location in the new directory:

Cp/bin/bash bin

Copying only this one file is not enough because, in general, the program for Bash is compiled from dynamic links, so we'll copy the included library files. Use the LDD (1) command to view the library files that bash requires:


The output of this command in my system is: =>  (0x00007fff46bff000) =>/lib/ ( 0x00007fca39fa9000) =>/usr/lib/ (0x00007fca39d4c000) = >/lib/ (0x00007fca39b48000) =>/lib/ (0x00007fca397a7000)
    /lib/ (0x00007fca3a1ef000)

Then copy the library file to the appropriate folder based on the output:

Cp/lib/ Lib
cp/usr/lib/ usr/lib
cp/lib/ Lib
cp/lib/ Lib
cp/lib/ Lib

This allows you to use the chroot command to Chroot to the new directory (requires root permissions):

Chroot. /bin/bash

The detailed action of the chroot parameter can be viewed using the man chroot command. After chroot, we can simply type in some commands and find that many are not in the new environment. And always perform the CD. The command, also only in Newroot this folder. In a new environment, however, Newroot is the root directory.

Obviously such an environment is not much use. What software and tools are needed in a new environment and can be configured into a new environment in the same way that you ported bash above. If you need a more comprehensive shell environment, consider using BusyBox.

Use this method to chroot in addition to being able to run untrusted code, as a compilation environment to protect against external environments, such as LFS (Linux from Scrach) usage. chroot function

Many languages provide chroot this function to use the CHROOT environment in a program. We mainly introduce the C language. In fact chroot (1) This command, the use of chroot this function.

The use of chroot is simple, and the function prototype is an int chroot (const char *path). Requires root permission to use. Detailed information can be viewed using the Man 2 chroot command.

Here is a very simple example of a chroot program:

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

int main (int argc, char * Argv[])
    chroot (".");
    ChDir ("/");
    EXECVP ("/bin/bash", NULL);
    return 0;

The function of this code is to chroot to the current directory and open the shell of bash. It is important to note that the above code is dangerous in addition to the error-free hints. Because you must give the user root permission to run it, and after chroot with root, you open a shell for the user to operate without having to retract the permissions. We can see later, with a very simple code can easily jump out of this chroot environment. The correct approach is to use setuid after chroot to make the current user a less privileged user, such as adding the following code after Chroot:

setuid (1000);

The advantage of using chroot in a program is not necessarily that you have to open a shell, what programs you need to use in the chroot environment, and execute directly with the EXEC function clan. There are two benefits: (1) You only need to configure the programs that need to be run in the new environment. If the program you want to execute is statically compiled, you don't need to have a link library file. (2) as the program in the control of the running process, did not provide the shell to allow users to interoperate, so the security is relatively high. Jump out of chroot

If you have root permissions, you can jump out of the chroot environment in a number of ways. using chroot in a new environment

The simplest and most common approach is to use chroot in a new environment. Writing a program can easily jump out of the chroot environment. The method is as follows: Create a new folder in the current environment and chroot it. Always perform "CD ..." and it will go back to the real root directory of the system. Chroot to this real root directory.

Here's a simple code example for C, which we'll save as jumpout.c:


#include <stdio.h>  
#include <unistd.h>  
#define TEMP_DIR "TEMP"  
int main ()
    int x;
    Chroot (temp_dir);
    for (x=0;x<1024;x++)   
        chdir ("..");  
    Chroot (".");  
    Execl ("/bin/sh", "I", NULL);
    return 0; 

Now let's experience this code. First static compilation (so that the compiled executable does not require the support of the dynamic link library):

GCC--static jumpout.c-o jumpout

Then, under Newroot, create a new folder named Temp:

mkdir Temp

So the preparation work is done. Now chroot to Newroot, then execute jumpout:

Chroot. /bin/bash

We can see that we have now jumped out of chroot environment. Various commands are available, and folders are also the structure under the true root folder.

The same effect can be achieved with other languages such as Perl. Many servers support CGI scripts, and this attack is not impossible. Therefore, it is very important to deal with permissions after chroot. using Mknod (2)

Mknod (2) system calls can create new files according to their own requirements. So it is possible to create a new piece of code on the hard disk that has a specific purpose to destroy the chroot environment. Or create a new/dev/mem to overwrite the kernel's memory. find files outside of hard link to chroot environment using Ptrace (2)

Ptrace (2) is a function used to track and debug system calls, which can track and overwrite the signal and system calls of the program. If you have a program in chroot that uses resources other than chroot, you can use Ptrace to change the system for this program to do something. Security Principles

When you see so many ways to jump out of chroot, you will find that if the configuration is not appropriate, the chroot environment is not safe. So here are some security principles. Almost all methods that jump out of the chroot environment require root permissions. So after chroot, if there is no special needs, be sure to give up root permissions. If possible, the files and folders in the Chroot are best owned by Root and have a good command of read and write permissions. Chroot must be chdir to the new root directory. If it is not necessary, do not use/etc/passwd files in the chroot environment. It is best not to link to files outside the chroot environment. problems that may be encountered in use

The above has already mentioned the problem which is apt to appear. Although these questions are not big, and understand after also nothing, but is very easy to confuse some of the novice's place, so here highlighted: whether it is chroot command, or chroot this function, all need root permissions. Chroot This command requires at least one shell program in the new environment, including the library files it uses. Use LDD to see the appropriate library files. After chroot no matter what commands and software to run, you have to ensure that the corresponding library files. GCC is dynamically compiled by default, so if you want to execute a compiled binary without needing a library file in a chroot environment, you need to have static compilation, that is, add the "–static" option. reference materials

The system's own hand album is a good reference. See

Man 1 chroot
Mans 2 chroot

This article has jumped out of the chroot environment and detailed explanation and C language code:

Here is a very detailed explanation:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.