
LSA2 - 02 chrooting

What is chroot and how to use it.

Published in: Education

  1. Chrooting...
  2. Example filesystem layout (a system bash and ruby, plus a second bash and ruby inside ani's home):
     /
     |-bin/
     | |-bash
     |-home/
     | |-niki/
     | |-pesho/
     | |-ani/
     |   |-bin/
     |     |-bash
     |     |-ruby
     |-usr/
       |-bin/
         |-ruby
  5. Why chroot?
     - Different software requirements (each tree carries its own binaries and libraries)
     - Isolation (new software, new bugs)
     - Security
  8. Two ways to do it: chroot before starting the app (the chroot(1) command), or chroot within the application (the chroot(2) system call).
  9. The system call: man 2 chroot
     SYNOPSIS
       #include <unistd.h>
       int chroot(const char *path);
     Requires CAP_SYS_CHROOT (i.e. root). It changes only the root directory of the calling process, not its working directory.
 10. Chroot within the application (example: an FTP server)
     The server runs privileged and forks a child per session; the child chroots to the user's home to restrict filesystem access.
     /
     |-bin/
     | |-bash
     |-home/
       |-niki/
       |-pesho/
       |-ani/
     Steps in the child:
     - start a new child
     - change the root to ~ani: chroot("/home/ani")
     - change directory to / (which is now /home/ani): chdir("/")
     - listing files in / now lists the files within /home/ani
     Note: this needs no libraries or special setup inside the new root, because the child keeps running the already-loaded server code and execs nothing.
     Caveat: the sequence matters. Call chdir("/") immediately after chroot(), otherwise the working directory is still outside the new root; then drop privileges (setgid/setuid to the user). A process that stays root inside a chroot can escape it, so chroot(2) is a filesystem-view restriction, not a privilege boundary.
 11. Chroot before starting the app: man 1 chroot
     SYNOPSIS
       chroot [OPTION] NEWROOT [CMD [ARG]...]
       chroot OPTION
     - with no CMD, chroot runs a shell inside NEWROOT ($SHELL, falling back to /bin/sh), so that shell must exist there
     - every binary inside the chroot must have its shared libraries, and the dynamic loader, inside the chroot as well
 12. Find all shared libraries for a binary
     $ ldd /bin/bash
       linux-gate.so.1 (0xb775c000)
       libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
       libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
       libc.so.6 => /lib/libc.so.6 (0xb7596000)
       /lib/ld-linux.so.2 (0xb775d000)
     linux-gate.so.1 is the kernel's vDSO; it has no file to copy. The last line is the dynamic loader, which must be copied too.
     Caveat: ldd works by running the dynamic loader on the binary (and some implementations run the binary itself), so never use it on an untrusted executable; read the DT_NEEDED entries with objdump -p or readelf -d instead.
 13. How to use the Linux linker (same listing, asking the loader directly)
     $ /lib/ld-linux.so.2 --list /bin/bash
       linux-gate.so.1 (0xb775c000)
       libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
       libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
       libc.so.6 => /lib/libc.so.6 (0xb7596000)
       /lib/ld-linux.so.2 (0xb775d000)
     The loader's path depends on the architecture (e.g. /lib64/ld-linux-x86-64.so.2 on x86_64); ldd prints it on its last line.
 14. How to use the Linux linker: verify that all shared libraries are present in the chrooted environment
     $ /lib/ld-linux.so.2 --list --library-path /storage/chroot/lib /storage/chroot/bin/bash
     Warning: shared libraries can themselves depend on other shared libraries. ldd and --list walk the whole chain, so copy every line they print, not only the direct dependencies.
     Caveat: --library-path is searched first, but the loader still falls back to the host's default directories, so a listing with no "not found" proves nothing. Check that every "=>" path in the output lies under /storage/chroot. Libraries loaded at run time with dlopen (NSS and PAM modules, for instance) never show up in this listing at all.
 15. Missing devices?
     Some applications require basic devices to function:
     - /dev/null, /dev/zero
     - /dev/random, /dev/urandom
     - /dev/ttyX or /dev/pts/X: terminal access
     - /dev/log: log to syslog (this is a Unix socket created by the syslog daemon; reconfigure the daemon to also listen on a socket inside the chroot)
     Note: do not use MAKEDEV, it creates far too many unnecessary devices. Use mknod with the standard major/minor numbers instead (e.g. mknod -m 666 /dev/null c 1 3; /dev/zero is 1 5, /dev/random 1 8, /dev/urandom 1 9).
 17. Installing software in the chroot: RPM-based distributions
     Initialize the RPM DB in the chroot (/vm1):
       # mkdir -p /vm1/var/lib/rpm
       # rpm --root /vm1 --initdb
     Install a single RPM into the chroot (/vm1):
       # rpm --root /vm1 -ivh some_package.rpm
     Install the RPM package manager itself into the chroot:
       # yum --installroot=/vm1 install rpm
     Repeat the last step for any other package.
 18. Installing software in the chroot: Debian-based distributions
     For all of you: use debootstrap (debootstrap SUITE TARGET, e.g. debootstrap stable /vm1).
     And finally, meet busybox, the one tool that has it all :)
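The manual procedure of slides 11 to 16 (copy a binary plus the libraries ldd reports, create the device nodes with mknod, then verify with the loader) as one script. This is an added example, not code from the slides. It assumes Linux with glibc (the ldd output format shown above), GNU coreutils chroot, and root privileges for mknod and chroot; the path /storage/chroot and the user ani are illustrative.

```shell
#!/bin/sh
# Added example (not from the slides): build a minimal chroot by hand.
# Assumes glibc's ldd output format, GNU coreutils, and root for mknod/chroot.
set -eu

# Turn ldd / "ld.so --list" output into one library path per line.
#   "libc.so.6 => /lib/libc.so.6 (0x...)"  -> /lib/libc.so.6
#   "/lib/ld-linux.so.2 (0x...)"           -> /lib/ld-linux.so.2 (the loader)
#   "linux-gate.so.1 (0x...)"              -> skipped: the vDSO has no file
#   "libfoo.so.1 => not found"             -> reported on stderr, non-zero exit
lib_paths() {
    awk '
        /not found/              { print "missing: " $1 | "cat 1>&2"; bad = 1; next }
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1; next }
        END                      { exit bad + 0 }
    '
}

# Copy a binary and every shared library it links against into $root,
# keeping the original paths so the loader inside the chroot finds them.
# ldd already walks the whole dependency chain (slide 14's warning); what it
# cannot see is anything loaded later with dlopen (NSS, PAM modules).
install_with_libs() {
    root=$1 bin=$2
    libs=$(ldd "$bin" | lib_paths)      # aborts the script on "not found"
    for f in "$bin" $libs; do           # library paths contain no spaces
        mkdir -p "$root$(dirname "$f")"
        cp -L "$f" "$root$f"            # -L: copy the file, not the symlink
    done
}

# Minimal device nodes (slide 15) with Linux's standard major/minor numbers;
# skip nodes that already exist so the script can be re-run.
make_devices() {
    root=$1
    mkdir -p "$root/dev"
    for spec in "null 1 3" "zero 1 5" "random 1 8" "urandom 1 9" "tty 5 0"; do
        set -- $spec
        [ -e "$root/dev/$1" ] || mknod -m 666 "$root/dev/$1" c "$2" "$3"
    done
}

# Slide 14's check, done strictly: run the host loader with --library-path
# pointing into the chroot and insist that every resolved library lies under
# $root. The loader falls back to the host's default directories, so merely
# seeing no "not found" proves nothing.
verify_in_chroot() {
    root=$1 bin=$2
    libs=$(ldd "$bin" | lib_paths)
    loader=$(printf '%s\n' "$libs" | grep '/ld-' | head -n 1)
    [ -n "$loader" ] || return 0        # statically linked: nothing to resolve
    libdirs=$(printf '%s\n' "$libs" | xargs -n 1 dirname | sort -u |
              sed "s|^|$root|" | paste -s -d : -)
    resolved=$("$loader" --list --library-path "$libdirs" "$root$bin" | lib_paths)
    outside=$(printf '%s\n' "$resolved" | grep -v '/ld-' | grep -v "^$root" || true)
    [ -z "$outside" ] || {
        printf 'resolved outside the chroot:\n%s\n' "$outside" >&2
        return 1
    }
}

# Usage (as root): sh build_chroot.sh /storage/chroot /bin/bash
if [ "$#" -eq 2 ]; then
    root=$1 bin=$2
    install_with_libs "$root" "$bin"
    make_devices "$root"
    verify_in_chroot "$root" "$bin"
    echo "$root$bin resolves entirely inside $root"
fi
```

Once the tree verifies, enter it with `chroot --userspec=ani:ani /storage/chroot /bin/bash` rather than a plain `chroot`: --userspec switches to the unprivileged user before running the command, which is the privilege drop slide 10 requires to keep a chroot from being escapable as root. The `lib_paths` parser is the part worth reusing: it fails loudly on "not found", which is exactly the condition that otherwise surfaces inside the chroot as a misleading "No such file or directory" for a binary that plainly exists.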
