What is chroot and how to use it.

1. Chrooting...

2. /
|-bin/
|
|-bash
|
|-home/
|
|-niki/
|
|-pesho/
|
|-ani/
|
|
|-bin/
|
|
|
|-bash
|
|
|
|-ruby
|
|-usr/
|
|-bin/
|
|
|-ruby

3. /
|-bin/
|
|-bash
|
|-home/
|
|-niki/
|
|-pesho/
|
|-ani/
|
|
|-bin/
|
|
|
|-bash
|
|
|
|-ruby
|
|-usr/
|
|-bin/
|
|
|-ruby

4. /
|-bin/
|
|-bash
|
|-home/
|
|-niki/
|
|-pesho/
|
|-ani/
|
|
|-bin/
|
|
|
|-bash
|
|
|
|-ruby
|
|-usr/
|
|-bin/
|
|
|-ruby

6. ●
Different software requirements

7. Different software requirements
● Isolation (new software, new bugs)
●

8. Different software requirements
● Isolation (new software, new bugs)
● Security
●

9. Chroot before
starting the app
Chroot within
the application

10. The system call
man 2 chroot
SYNOPSIS
#include <unistd.h>
int chroot(const char *path);

11. FTP
Runs privileged
child
Chroot to restrict FS access
child
Chroot within the
application
Chroot to restrict FS access
/
|-bin/
|
|-bash
|
|-home/
|
|-niki/
|
|-pesho/
|
|-ani/
|
/
- start a new child
- change the root to ~/ani
- change dir to /
/home/ani
- listing files in / will result
in listing the files within /home/ani
Note: does not require any
libraries or special setup

12. Chroot before starting the app
man [1] chroot
SYNOPSIS
chroot [OPTION] NEWROOT [CMD [ARG]...]
chroot OPTION
- chroot requires /bin/sh
- all binaries within the chroot have to
have their shared libraries

13. Find all shared libraries for a binary
$ ldd /bin/bash
linux-gate.so.1 (0xb775c000)
libtermcap.so.2 => /lib/libtermcap.so.2
(0xb7726000)
libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
libc.so.6 => /lib/libc.so.6 (0xb7596000)
/lib/ld-linux.so.2 (0xb775d000)

14. How to use the Linux linker
$ /lib/ld-linux.so.2 --list /bin/bash
linux-gate.so.1 (0xb775c000)
libtermcap.so.2 => /lib/libtermcap.so.2
(0xb7726000)
libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
libc.so.6 => /lib/libc.so.6 (0xb7596000)
/lib/ld-linux.so.2 (0xb775d000)

15. How to use the Linux linker
Verify that all shared libraries are present in the
chrooted environment
$ /lib/ld-linux.so.2
--list
--library-path /storage/chroot/lib
/storage/chroot/bin/bash
Warning: Do not forget that shared
libraries can also be using other
shared libraries.

16. Missing devices?

17. Missing devices?
Some applications require basic devices to
function:
/dev/ zero /dev/null /dev/random
/dev/ttyX or pts/X
/dev/urandom
- terminal access
/dev/log - log to syslog (reconfigure the syslog
daemon)
Note: Do not use MAKEDEV. It creates too many
unnecessary devices. Use mknod instead.

18. Installing software in the chroot
RPM based distributions
Initialize the RPM DB in the chroot(/vm1):
# mkdir -p /vm1/var/lib/rpm
# rpm --root /vm1 --initdb
Install a single RPM in chroot(/vm1):
# rpm --root /vm1 -ivh some_package.rpm
Install the RPM package manager into the chroot:
# yum --installroot=/vm1 install rpm
Follow the last step for any other package....

19. Installing software in the chroot
Debian based distributions
For all of you... use debootstrap.
And finally, meet busybox the one tool that has it
all :)