LSA2 - 02 chrooting

What is chroot and how to use it.

Usage Rights: CC Attribution-NonCommercial-ShareAlike License

Presentation Transcript

  • Chrooting...
  • Example filesystem layout:
    /
    |-bin/
    | |-bash
    |-home/
    | |-niki/
    | |-pesho/
    | |-ani/
    | | |-bin/
    | | | |-bash
    | | | |-ruby
    |-usr/
    | |-bin/
    | | |-ruby
  • Why chroot?
    ● Different software requirements
    ● Isolation (new software, new bugs)
    ● Security
  • Two ways to use it:
    Chroot before starting the app
    Chroot within the application
  • The system call
    man 2 chroot
    SYNOPSIS
      #include <unistd.h>
      int chroot(const char *path);
  • Chroot within the application: chroot to restrict FS access
    FTP: runs a privileged child, and the child chroots to restrict FS access
    /
    |-bin/
    | |-bash
    |-home/
    | |-niki/
    | |-pesho/
    | |-ani/
    - start a new child
    - change the root to ~/ani
    - change dir to / (which is now /home/ani)
    - listing files in / will result in listing the files within /home/ani
    Note: does not require any libraries or special setup
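Added example, not from the slides, of the "chroot within the application" pattern just described: a child is forked, chroot()s into a jail directory, chdir()s to "/", drops root, and then checks whether the marker file created in the jail is visible as "/marker". The jail path /tmp/chroot-demo, the marker file and the uid/gid 65534 are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
/* Create the jail directory with one marker file inside it (constructed setup). */
int make_jail(const char *jail)
{
    char path[4096];
    if (mkdir(jail, 0755) != 0 && errno != EEXIST) return -1;
    snprintf(path, sizeof path, "%s/marker", jail);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd < 0 ? -1 : close(fd);
}
/* Runs in the child: confine the process, then give up root. Returns 0 or -errno. */
static int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0) return -errno;  /* needs CAP_SYS_CHROOT, else EPERM */
    if (chdir("/") != 0) return -errno;    /* otherwise the cwd still points outside */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -errno; /* chroot only confines a non-root process */
    return 0;
}
/* Fork a child that enters the jail and looks for "/marker". Returns 1 if the child
 * saw it (so "/" now means the jail), 0 if not, or -errno when entering the jail failed. */
int jailed_child_sees_marker(const char *jail, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {                 /* child exit code: 0/1 = marker yes/no, 2+errno = failure */
        int rc = enter_jail(jail, uid, gid);
        if (rc != 0) _exit(2 - rc);
        _exit(access("/marker", F_OK) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -ECHILD;
    int code = WEXITSTATUS(status);
    return code == 0 ? 1 : code == 1 ? 0 : -(code - 2);
}

int main(void)
{
    const char *jail = "/tmp/chroot-demo";  /* assumed path, not from the slides */
    if (make_jail(jail) != 0) { perror("make_jail"); return 1; }
    int r = jailed_child_sees_marker(jail, 65534, 65534); /* 65534 is "nobody" on most distros */
    printf("%s\n", r < 0 ? strerror(-r) : r ? "child sees /marker inside the jail" : "marker not visible");
    return 0;
}
```

Run as root the child reports the marker at "/", showing that a directory listing of "/" inside the child is really a listing of the jail; without CAP_SYS_CHROOT the chroot() call fails and the function returns -EPERM.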
  • Chroot before starting the app
    man 1 chroot
    SYNOPSIS
      chroot [OPTION] NEWROOT [CMD [ARG]...]
      chroot OPTION
    - chroot requires /bin/sh
    - all binaries within the chroot have to have their shared libraries
  • Find all shared libraries for a binary
    $ ldd /bin/bash
      linux-gate.so.1 (0xb775c000)
      libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
      libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
      libc.so.6 => /lib/libc.so.6 (0xb7596000)
      /lib/ld-linux.so.2 (0xb775d000)
  • How to use the Linux linker
    $ /lib/ld-linux.so.2 --list /bin/bash
      linux-gate.so.1 (0xb775c000)
      libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
      libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
      libc.so.6 => /lib/libc.so.6 (0xb7596000)
      /lib/ld-linux.so.2 (0xb775d000)
  • How to use the Linux linker
    Verify that all shared libraries are present in the chrooted environment:
    $ /lib/ld-linux.so.2 --list --library-path /storage/chroot/lib /storage/chroot/bin/bash
    Warning: do not forget that shared libraries can themselves depend on other shared libraries.
  • Missing devices?
    Some applications require basic devices to function:
    /dev/zero
    /dev/null
    /dev/random
    /dev/urandom
    /dev/ttyX or /dev/pts/X - terminal access
    /dev/log - log to syslog (reconfigure the syslog daemon)
    Note: Do not use MAKEDEV. It creates too many unnecessary devices. Use mknod instead.
  • Installing software in the chroot
    RPM based distributions
    Initialize the RPM DB in the chroot (/vm1):
      # mkdir -p /vm1/var/lib/rpm
      # rpm --root /vm1 --initdb
    Install a single RPM in the chroot (/vm1):
      # rpm --root /vm1 -ivh some_package.rpm
    Install the RPM package manager into the chroot:
      # yum --installroot=/vm1 install rpm
    Follow the last step for any other package.
  • Installing software in the chroot
    Debian based distributions
    For all of you... use debootstrap.
    And finally, meet busybox: the one tool that has it all :)