Chroot
From Free net encyclopedia
A chroot on Unix operating systems is an operation which changes the root directory. It affects only the current process and its children. "chroot" itself can refer to the chroot(2) system call or the chroot(8) wrapper program.
A program that is re-rooted to another directory cannot name files outside that directory. This provides a convenient way to sandbox an untrusted, test or otherwise dangerous program. It is also a simple kind of jail mechanism.
In practice, chrooting is complicated by programs expecting at startup to find scratch space, configuration files, device nodes and shared libraries at certain preset locations. To allow programs to spawn inside the chroot directory, it must be populated with a minimum set of these files, preferably carefully chosen so as not to allow unintended access to the outside system.
Programs are allowed to carry open file descriptors (for files, pipelines and network connections) into the chroot, which can simplify jail design by making it unnecessary to leave working files inside the chroot directory. This also works as a simple capability system, in which the program is explicitly granted access to resources outside the chroot based on the descriptors it can carry in.
Contents |
Uses
- Privilege separation
- A chroot can be used as a pre-emptive way of containing a security breach by preventing a would-be attacker from doing any damage or probing the host system with a compromised program. A network file server, for example, can chroot to the directory it is serving files from just after accepting a network connection from a client. A similar approach is used by the Postfix mail transfer agent, which divides its work up into a pipeline of smaller, individually chroot-jailed programs.
- Honeypotting
- A chroot directory can be populated so as to simulate a real system running network services. The chroot mechanism can then prevent attackers who do compromise the system from discovering that it is an artificial environment, or from breaking out into the real system.
- Testing
- The isolation provided by the chroot mechanism is also useful for testing purposes. A separate copy of the operating system can be installed into the chroot directory as a test environment for software that would otherwise be too risky to deploy on a production system.
Disadvantages
Only the root user can perform a chroot. This is intended to prevent users from putting a setuid program inside a specially-crafted chroot jail (for example, with a fake /etc/passwd file) that would fool it into giving out privileges. It also, however, prevents non-root users from using the chroot mechanism to create sandboxes of their own.
The chroot mechanism itself is not entirely secure. On some systems, chroot contexts do not stack properly; On such a system, if a chrooted program has root privileges, it can perform a second chroot to break out.
Most Unixes are not completely file system-oriented and leave potentially disruptive functionality like networking and process control available through the system call interface to a chrooted program.
The chroot mechanism in itself also does not impose any limits on resources like I/O bandwidth, disk space or CPU time.
References
See also
External links
- Jailkit: A set of utilities to build chroot environments.
- Jail: An other set of utilities to build chroot environments.
- Article "Setting up a Chroot Jail for CVS" by Frank Schoep
- Article "Bind-Chroot-Howto (Debian)" by Falko Timmede:Chroot