Protecting the Root Directory by Using chroot Jails

A chroot command changes the visible root directory for running processes and their children, so it can be used to run a program with a root directory other than /. The program can't see or access files outside of the configured directory tree. Such an artificial root directory is called a "chroot jail", and its purpose is to limit the directory access of malicious processes and hackers. The chroot jail locks down each process and any user ID that's using it so that all they can access is the directory in which the process is running. The process is also tricked into thinking that the directory in which it's running is the root directory.

Note:

The chroot mechanism can't defend against intentional tampering or low-level access to system devices by privileged users. For example, a chroot root user could create device nodes and mount file systems on them. A program can also gain access to resources outside of a chroot jail if it can gain root privilege and use chroot() to change its current working directory to the real root directory. For this reason, it's considered good security practice to ensure that a chroot jail doesn't contain any setuid or setgid executables inside it that are owned by root.

For a chroot process to start successfully, you must populate the chroot directory with all required program files, configuration files, device nodes, and shared libraries at their expected locations relative to the level of the chroot directory.

Running DNS and FTP Services in a Chroot Jail

If the DNS name service daemon (named) runs in a chroot jail, any hacker that accesses a system by using a BIND exploit is isolated to the files under the chroot jail directory. Installing the bind-chroot package creates the /var/named/chroot directory, which becomes the chroot jail for all BIND files.

You can configure the vsftpd FTP server to automatically start chroot jails for clients. By default, anonymous users are placed in a chroot jail. However, local users that access an vsftpd FTP server are placed in their home directory. Specify the chroot_local_user=YES option in the /etc/vsftpd/vsftpd.conf file to place local users in a chroot jail based on their home directory.

Creating a Chroot Jail

To create a chroot jail:

  1. Create the directory that becomes the root directory of the chroot jail, for example: 

    sudo mkdir /home/oracle/jail

  2. Use the ldd command to decide which libraries are required by the command that you intend to run in the chroot jail, for example /usr/bin/bash: 

    sudo ldd /usr/bin/bash

    The following output is displayed: 

    linux-vdso.so.1 (0x00007fffa5726000)
libtinfo.so.6 => /lib64/libtinfo.so.6 (0x00007f29127fa000)
libc.so.6 => /lib64/libc.so.6 (0x00007f29125f1000)
/lib64/ld-linux-x86-64.so.2 (0x00007f291298c000)

    Note:

    Although the path is displayed as /lib64, the actual path is /usr/lib64 because /lib64 is a symbolic link to /usr/lib64. Similarly, /bin is a symbolic link to /usr/bin. You need to re-create such symbolic links within the chroot jail.

  3. Create subdirectories of the chroot jail's root directory that have the same relative paths as the command binary and its required libraries in the real root directory, for example: 

    sudo mkdir -p /home/oracle/jail/usr/bin
    sudo mkdir -p /home/oracle/jail/usr/lib64

  4. Create the symbolic links that link to the binary and library directories in the same manner as the symbolic links that exists in the real root directory, for example: 

    sudo ln -s /home/oracle/jail/usr/bin /home/oracle/jail/bin
    sudo ln -s /home/oracle/jail/usr/lib64 /home/oracle/jail/lib64

  5. Copy the binary and the shared libraries to the directories under the chroot jail's root directory, for example: 

    sudo cp /usr/bin/bash /home/oracle/jail/usr/bin
    sudo cp /usr/lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /home/oracle/jail/usr/lib64

Using a Chroot Jail

To run a command in a chroot jail within an existing directory (chroot_jail), use the following command: 

sudo chroot chroot_jail command

If you don't specify a command argument, chroot runs with the value of the SHELL environment variable, or /usr/bin/sh if SHELL isn't set.

For example, you could run the /usr/bin/bash command in a chroot jail as follows: 

sudo chroot /home/oracle/jail

Note that you can run built-in shell commands such as pwd in this shell, but not other commands unless you have copied their binaries and any required shared libraries to the chroot jail.

For more information, see the chroot(1) manual page.