LSA2 - 02 chrooting

What is chroot and how to use it.

  1. Chrooting...

  2-4. The example filesystem: the user ani has her own bin/ with bash and ruby under /home/ani, which is the tree the later slides chroot into.

       /
       |-bin/
       | |-bash
       |
       |-home/
       | |-niki/
       | |-pesho/
       | |-ani/
       | | |-bin/
       | | | |-bash
       | | | |-ruby
       |
       |-usr/
       | |-bin/
       | | |-ruby
  5-7. ● Different software requirements
       ● Isolation (new software, new bugs)
       ● Security

  8. ● Chroot before starting the app
     ● Chroot within the application
  9. The system call: man 2 chroot

       SYNOPSIS
         #include <unistd.h>
         int chroot(const char *path);

  10. FTP: the server runs privileged; for each connection it starts a child, and the child chroots to restrict its own filesystem access. Chroot within the application:

        /
        |-bin/
        | |-bash
        |
        |-home/
        | |-niki/
        | |-pesho/
        | |-ani/        <- becomes "/" for the child

      - start a new child
      - change the root to ~/ani (chroot("/home/ani"))
      - change dir to / (which is now /home/ani); chroot(2) does not change the working directory, so without this chdir the process keeps a directory handle outside the new root
      - listing files in / will result in listing the files within /home/ani

      Note: does not require any libraries or special setup. chroot(2) needs root privileges (CAP_SYS_CHROOT), and it is not a security boundary for a process that stays root, so drop privileges once the chdir is done.

  11. Chroot before starting the app: man 1 chroot

        SYNOPSIS
          chroot [OPTION] NEWROOT [CMD [ARG]...]
          chroot OPTION

      - with no CMD, chroot(1) runs the shell ($SHELL, by default /bin/sh), so the chroot has to contain it
      - all binaries within the chroot have to have their shared libraries present
  12. Find all shared libraries for a binary:

        $ ldd /bin/bash
            linux-gate.so.1 (0xb775c000)
            libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
            libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
            libc.so.6 => /lib/libc.so.6 (0xb7596000)
            /lib/ld-linux.so.2 (0xb775d000)

      (linux-gate.so.1 is the kernel's vDSO, not a file; everything else, including the loader /lib/ld-linux.so.2, has to be copied.)

  13. How to use the Linux dynamic linker directly; the output is the same as ldd's:

        $ /lib/ld-linux.so.2 --list /bin/bash
            linux-gate.so.1 (0xb775c000)
            libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
            libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
            libc.so.6 => /lib/libc.so.6 (0xb7596000)
            /lib/ld-linux.so.2 (0xb775d000)

  14. How to use the Linux dynamic linker to verify that all shared libraries are present in the chrooted environment:

        $ /lib/ld-linux.so.2 --list --library-path /storage/chroot/lib /storage/chroot/bin/bash

      Warning: shared libraries can themselves depend on other shared libraries (ldd already follows these, so copy everything it lists). Also, --library-path is only prepended to the search list: a library missing from the chroot is silently resolved from the host's /lib or /usr/lib, so check that every "=>" in the output points under /storage/chroot rather than only looking for "not found".
  15-16. Missing devices? Some applications require basic devices to function:

         /dev/null, /dev/zero
         /dev/random, /dev/urandom
         /dev/ttyX or /dev/pts/X - terminal access
         /dev/log - log to syslog (this is a Unix socket created by the syslog daemon, so reconfigure the daemon to also listen inside the chroot)

         Note: do not use MAKEDEV. It creates too many unnecessary devices. Use mknod instead.
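Slides 11 to 16 are the steps of one procedure, so here is one script that carries them through end to end. It is an added example, not code from the slides: it copies a binary and the libraries ldd reports for it into a chroot (preserving paths), creates the device nodes from slide 16 with mknod, and then runs the chroot's own copy of the loader and fails if any library was resolved from outside the chroot, which is the weakness of the bare --library-path check. The script name mkchroot.sh and the function names are my own; /storage/chroot and /bin/bash are the arguments from the slides. It assumes a glibc Linux host with ldd(1), GNU cp and mknod; creating the device nodes requires root.

```shell
#!/bin/sh
# mkchroot.sh: populate a chroot with one binary, its shared libraries and
# basic device nodes, then verify that the loader resolves everything from
# inside the chroot. Added example (not from the slides); assumes a glibc
# Linux host with ldd(1), GNU cp and mknod. Creating devices needs root.
set -u

# Absolute paths in ldd(1) output on stdin: the resolved libraries and the
# dynamic loader. The vDSO line (linux-gate.so.1 / linux-vdso.so.1) has no
# path and is skipped; it is provided by the kernel, not a file to copy.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# The dynamic loader: the only ldd line whose first field is an absolute path.
ldd_loader() {
    awk '$1 ~ /^\// { print $1; exit }'
}

# Directories (prefixed with root $1) holding the libraries listed on stdin,
# joined with ':' for --library-path.
chroot_libpath() {
    ldd_paths | while IFS= read -r p; do dirname "$p"; done \
        | sort -u | sed "s|^|$1|" | paste -s -d: -
}

# Given "ld.so --list" output on stdin, print every "=>" line whose target is
# not under root $1. --library-path is only prepended to the search list: a
# library missing from the chroot is silently taken from the host's /lib or
# /usr/lib (or shows as "not found"), so a clean run is not proof by itself.
resolved_outside() {
    awk -v root="$1" '/=>/ && index($3, root) != 1 { $1 = $1; print }'
}

# Copy BIN ($2) and the libraries ldd reports for it into ROOT ($1),
# preserving their paths so the loader finds them at the same place.
populate_chroot() {
    root=$1; bin=$2
    for f in "$bin" $(ldd "$bin" | ldd_paths); do
        mkdir -p "$root$(dirname "$f")"
        cp -L "$f" "$root$f"        # -L: copy the file, not a dangling symlink
    done
}

# The devices from slide 16, with their Linux major:minor numbers. mknod
# rather than MAKEDEV, so nothing beyond these ends up in the chroot.
# /dev/log is a Unix socket owned by syslogd, not a device: point the daemon
# at it instead (rsyslog: $AddUnixListenSocket /storage/chroot/dev/log).
make_devices() {
    root=$1
    mkdir -p "$root/dev/pts"
    mknod -m 666 "$root/dev/null"    c 1 3
    mknod -m 666 "$root/dev/zero"    c 1 5
    mknod -m 666 "$root/dev/random"  c 1 8
    mknod -m 666 "$root/dev/urandom" c 1 9
    mknod -m 666 "$root/dev/tty"     c 5 0
    mknod -m 666 "$root/dev/ptmx"    c 5 2
    # pseudo-terminals: mount -t devpts -o newinstance devpts "$root/dev/pts"
}

# Run the chroot's copy of the loader against the chroot's copy of BIN and
# fail if any library resolved from outside ROOT.
verify_chroot() {
    root=$1; bin=$2
    loader=$(ldd "$bin" | ldd_loader)
    libpath=$(ldd "$bin" | chroot_libpath "$root")
    bad=$("$root$loader" --list --library-path "$libpath" "$root$bin" \
          | resolved_outside "$root")
    if [ -n "$bad" ]; then
        printf 'resolved outside %s:\n%s\n' "$root" "$bad" >&2
        return 1
    fi
}

# Usage: sh mkchroot.sh /storage/chroot /bin/bash
if [ "$#" -ge 2 ]; then
    populate_chroot "$1" "$2" && make_devices "$1" && verify_chroot "$1" "$2"
fi
```

Run it as root with the chroot directory and the binary as arguments; a non-zero exit lists the libraries that were taken from the host, which is exactly what the plain --library-path listing on slide 14 would have hidden. Because the copy preserves each library's original path, the chroot works both for the loader invoked from outside and for chroot(1) running the binary from inside.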
  17. Installing software in the chroot: RPM based distributions

      Initialize the RPM DB in the chroot (/vm1):
        # mkdir -p /vm1/var/lib/rpm
        # rpm --root /vm1 --initdb
      Install a single RPM in the chroot (/vm1):
        # rpm --root /vm1 -ivh some_package.rpm
      Install the RPM package manager into the chroot:
        # yum --installroot=/vm1 install rpm
      Follow the last step for any other package....

  18. Installing software in the chroot: Debian based distributions

      For all of you... use debootstrap.

      And finally, meet busybox, the one tool that has it all :)
