1Main functions
In earlier UNIX systems, the root directory was a fixed point in the file system. In the current UNIX variants, including Linux, you can define the root directory based on each process. The chroot utility allows you to run a process in the root directory rather.
The root directory is located at the top of the directory hierarchy and has no parent directory. Therefore, a process cannot access the files above the root directory because they do not exist. For example, if you run a program (process) and specify its root directory as/home/sam/jail, the program does not have any file concept in/home/sam: jail is the root directory of the program and marked as/(not jail ).
By creating a manual root directory, usually called (chroot) jail, you can prevent a program from accessing, executing, or modifying (possibly malicious) files outside its root directory hierarchy. You must set a chroot jail correctly to improve security: if you do not set chroot jail correctly, malicious users are more likely to gain system access permissions than chroot jail.
2Use chroot
1) Create chrot jail
It is easy to create a chroot jail: run the/usr/sbin/chroot directory command with the root permission. Directory becomes the root directory, and the process tries to run the default shell. Use the root permission. The following command sets a chroot jail in the (existing)/home/sam/jail directory:
#/Usr/sbin/chroot/home/sam/jail
/Usr/sbin/chroot: failed to run command '/bin/bash': No such file or directory
In this example, a chroot jail is set, but the operation fails when the system tries to run bash shell. Once jail is set, the directory named jail will replace the name/of the root directory /. Therefore, files identified by the/bin/bash path name cannot be found in the chroot environment. In this case, chroot jail works normally, but it is useless.
It is complicated to make chroot jail work as you want. To run bash in chroot jail in the previous example, create a bin directory in jail (/home/sam/jail/bin) and copy/bin/bash to the directory. Since the bash binary file is a dynamic link to the shared library, you also need to copy these library files (in lib) to jail.
2)A specific example
The following example creates necessary directories, copies bash, uses ldd to display the shared libraries that bash depends on, and copies necessary library files to lib. A linux-gate.so.1 file is a dynamic shared object (DSO) that is provided by the kernel to accelerate system calls without having to copy it.
$ pwd/home/sam/jail$ mkdir bin lib$ cp /bin/bash bin$ ldd bin/bashlinux-gate.so.1 => (0×00988000)libtinfo.so.5 => /lib/libtinfo.so.5 (0×0076b000)libdl.so.2 => /lib/libdl.so.2 (0×00afb000)libc.so.6 => /lib/libc.so.6 (0×00110000)/lib/ld-linux.so.2 (0×00923000)$ cp /lib/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux.so.2} lib
Start chroot jail again. Although a common user can complete all the settings, the root permission must be used to run chroot:
$ suPassword:#/usr/sbin/chroot .bash-4.1# pwd/bash-4.1# lsbash: ls: command not foundbash-4.1#
This time, chroot searches for and starts bash and displays its default prompt (bash-4.1 #). The pwd command works because it is a shell built-in command. However, bash cannot find the ls command because it is not in chroot jail. If you want to use ls in jail, you can copy/bin/ls and its library files to jail. The exit command allows you to exit from jail.
If the second parameter is provided for chroot, it uses this parameter as the name of the program running in jail. The following command is equivalent to the previous one:
#/Usr/sbin/chroot/home/sam/jail/bin/bash
To create a useful chroot jail, you must first determine the utilities required by the chroot jail user. Then copy the binary file and its library file to jail. Alternatively, you can create static copies of binary files and put them into jail without installing a separate library. (The static link binary file is much larger than the corresponding dynamic binary file. Bash basic systems and their core tools are larger than 50 MB .) You can find the source code of the most commonly used tool in bash and coreutils SRPMS (source RPM) packages.
The chroot utility will fail unless it runs with the root permission. The result of running chroot with root permission is a root shell (shell with root permission) Running in chroot jail. Because users with root permissions can break through chroot jail, it is imperative to run a program with lower privileges in chroot jail.
There are several ways to reduce user privileges. For example, you can put su or sudo in jail, then start the daemon in shell or jail, and use one of these programs to reduce the privileges of users working in jail. Run the following command to start a shell with the lower privileges in jail:
#/Usr/sbin/chroot jailpath/bin/su user-c/bin/bash
Among them, jailpath is the path name of the jail directory, and user is the user name for shell to run with privileges. In this case, sudo and su call PAM. To run one of these utilities, you need to put all PAM, including its library and configuration files, together with the sudo (or su) and/etc/passwd files in jail. Alternatively, you can re-compile su or sudo. However, its source code calls PAM, so you need to modify its source code so that it does not call PAM. These technologies are time-consuming and introduce complexity, resulting in insecure jail.
The following C program runs a program in chroot jail with reduced privileges. This program obtains the UID and GID of the user you specified on the command line before calling chroot (), and does not need to put/etc/passwd into jail. This program lowers the privileges of the specified program of the specified user. This program provides a simple solution for the previous problem, so you can test chroot jail and better understand how it works.
$ cat uchroot.c/* See svn.gna.org/viewcvs/etoile/trunk/Etoile/LiveCD/uchroot.c for terms of use. */#include <stdio.h>#include <stdlib.h>#include <pwd.h>int main(int argc, char * argv[]){if(argc < 4){printf("Usage: %s {username} {directory} {program} [arguments]\n",argv[0]);return 1;}/* Parse arguments */struct passwd * pass = getpwnam(argv[1]);if(pass == NULL){printf("Unknown user %s\n", argv[1]);return 2;}/* Set the required UID */chdir(argv[2]);if(chroot(argv[2])||setgid(pass->pw_gid)||setuid(pass->pw_uid)){printf("%s must be run as root. Current uid=%d, euid=%d\n",argv[0],(int)getuid(),(int)geteuid());return 3;}return execv(argv[3], argv + 3);}
The first line of the following command uses the cc (gcc package) to compile uchroot. c and create a uchroot executable file. Subsequent commands will move uchroot into the/usr/local/bin directory and give corresponding ownership.
$ cc -o uchroot uchroot.c$ supassword:# mv uchroot /usr/local/bin# chown root:root /usr/local/bin/uchroot# exit$ ls -l /usr/local/bin/uchroot-rwxrwxr-x. 1 root root 5704 12-31 15:00 /usr/local/bin/uchroot
Run the following command to run a shell with the privileges of user sam in chroot jail using the preceding settings:
#/Usr/local/bin/uchroot sam/home/sam/jail/bin/bash
If you plan to deploy multiple chroot jail, it is best to save a clean copy of the bin and lib directories.
3
Run a service in chroot Jail
Running the shell in jail is of little use. In reality, you are more likely to run a specific service in jail. To run a service in jail, make sure that all files required by the service are in jail. The command format for enabling a service in chroot jail using uchroot is:
#/Usr/local/bin/uchroot user jailpath daemonname
Among them, jailpath is the path name of the jail directory, user is the user name for running the daemonname is the path name of the daemonname that provides the service (inside jail ).
Some servers have been configured to use chroot jail. For example, you can set DNS so that named runs in jail, and the vsftpd FTP server can automatically start chroot jail for the client.
4
Security considerations
Some services need to be run by users or processes with root permissions, but once started, their root permissions (such as Apache, Procmail, and vsftpd) are released ). If you run such a service, you do not need to use uchroot or put su or sudo into jail.
A process running with root permission may exit from chroot jail. For this reason, you should reduce the privileges before starting a program running in jail. In addition, the security vulnerabilities in the setuid binary files allowed in jail may compromise the security of jail. In addition, make sure that the user cannot access the executable files uploaded to jail.