Title: Chrooting software in Linux

KBTAG: kben10000031
URL: http://www.securityportal.com/lskb/10000000/kben10000031.html
Date created: 13/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: General guidelines on chrooting network daemons in Linux
Keywords: Servers,Software/Chroot

Summary:

Chrooting network servers can be a very worthwhile task, and a very painful one if you are unsure of what you are doing. There are a number of techniques and tools that can make chrooting network daemons significantly easier. One thing to keep in mind, however, is that a chrooted daemon running as root can typically break out of its "prison", so you should run it as a non-root user if at all possible.

More information:

The first step is to create a directory to relocate the software to, something like /chroot/servicename/, and then to populate it with the required software and data. Using rpm you can relocate packages with --root, adding --dbpath so it can find the database; with dpkg use -x. If installing from source code you may opt to compile binaries statically instead of using shared libraries (this makes chrooting easier, but upgrades more difficult). There exist a number of tools to check package dependencies; using them (and options like --force) you can easily populate the chroot directory with the libraries and other items the software needs. If you want to be somewhat selective and avoid the shotgun approach, your best bet is "ldd", which lists the libraries a binary requires, combined with reading manual pages and watching the error messages as the program in question fails to find configuration files and other needed files.
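The following script is an added example of the selective "ldd" approach described above; it is not part of the original article and not a tool the author published. It assumes glibc-style ldd output (the "name => /path (0x...)" and bare "/path (0x...)" line shapes) and uses the /chroot/servicename/ layout the article suggests as its default. Configuration files and /dev entries still have to be added by hand, guided by the daemon's error messages.

```shell
#!/bin/sh
# Populate a chroot directory with a binary plus the shared libraries that
# "ldd" reports for it. Added example; assumes glibc-style ldd output and
# the /chroot/servicename/ layout the article suggests.

CHROOT=${CHROOT:-/chroot/servicename}

# Read ldd output on stdin and print the absolute paths it names, one per
# line. ldd prints three shapes of line:
#   libc.so.6 => /lib/libc.so.6 (0x...)     -> print field 3
#   /lib64/ld-linux-x86-64.so.2 (0x...)     -> print field 1
#   linux-vdso.so.1 (0x...)                 -> kernel-provided, no file, skip
# A "=> not found" line means the library is missing on the host itself, so
# it is reported on stderr rather than silently dropped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 == "not" { print "missing on host: " $1 | "cat 1>&2"; next }
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $1 ~ /^\//                { print $1 }
    '
}

# Copy one file into the chroot under the same path it has on the host,
# creating parent directories and leaving an existing copy untouched.
copy_into_chroot() {
    src=$1
    dest="$CHROOT$src"
    mkdir -p "$(dirname "$dest")"
    [ -e "$dest" ] || cp -p "$src" "$dest"
}

# Copy a binary and every library ldd finds for it.
chroot_binary() {
    bin=$1
    copy_into_chroot "$bin"
    ldd "$bin" | ldd_paths | while read -r lib; do
        copy_into_chroot "$lib"
    done
}

# Usage: CHROOT=/chroot/servicename ./populate.sh /usr/sbin/daemon
# Only acts when a binary is given, so the functions stay sourceable.
if [ -n "${1:-}" ]; then
    chroot_binary "$1"
fi
```

Run it once per binary the service needs, then start the daemon under chroot as its own unprivileged user and add whatever files its error messages ask for. Re-running it after a host upgrade refreshes nothing by design (existing copies are left alone), so remove stale libraries from the chroot first when you upgrade.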

Logging from within a chrooted environment can be problematic; there are several options:

Downloads:

http://www.cse.ogi.edu/DISC/projects/independence/ - Independence, checks RPM dependencies

http://madhouse.lonyay.edu.hu/ - dep.pl

References:

http://www.faqs.org/faqs/unix-faq/socket/index.html - UNIX sockets FAQ