LinuxQuestions.org
05-10-2010, 01:48 PM   #1
johnsfine
How to make a chroot non jail?


I want to know how to prepare (before issuing the chroot command) directory links out of a chroot environment.

I have done a bunch of reading, but not yet experimenting, about chroot.

I mostly understand its main purpose of creating an environment in which it is safer to run untrusted software. But I want to use it for some other things, involving trusted software.

I want to create a directory tree in which the various top level directories are links to various directories in the main directory tree. For example, when running on a Debian based 64 bit system (where /lib has 64 bit .so files) I might want to create a root in which /lib links to the directory containing 32 bit .so files (same as /lib32 normally links to).

IIUC, chroot blocks soft links from getting outside. So I could create a directory containing lib as the desired soft link, but if I did chroot to that directory, the link would no longer point where I wanted. Is that correct?

IIUC, I can't do a hard link to a directory. Is that correct?

How would you create a directory link that would point out of a chroot "jail"? (Yes I do understand that is contrary to the common purpose for a chroot).

From reading, again not yet experimenting, I think mounting an aufs might do it. It looks like aufs might be used to mount a directory into another directory. Is that correct? Am I missing some easier way to mount a directory into a directory? Would such an aufs mount link out of the chroot? Or suffer the same fate as a soft link?
 
05-11-2010, 07:20 AM   #2
MensaWater
You cannot create links to outside a jail from within a jail. The whole point in chroot is that the user or process that is jailed sees the directory path you specified as if it is "/" (root). In UNIX/Linux there is nothing above root in the filesystem hierarchy so you can't link to anything above it from within the jail as there ISN'T anything above it from its perspective.

You can however make links FROM outside to within a jail. That is to say sometimes one has a process they want users to login to but jail them so that no matter what they do they can't get outside the jail. This however does not prevent users already on the system (e.g. root) via conventional logins or processes from accessing the root.

So for example you might set up a path /root/jails/billybob and set up user, billybob, so that when he logs in he is using that in a chroot jail fashion and put files in it. So if you were to create /root/jails/billybob/bin then put in say the cp command there then as root user logged into the system you would see that file as /root/jails/billybob/bin/cp. When billybob logs in though he'll see it simply as /bin/cp. He won't know that he is in /root/jails/billybob at all.

As the root user you could make a directory in /root/jails/billybob called transfers then you could make a link called say /mysql/transferfiles to /root/jails/billybob/transfers with:
ln -s /root/jails/billybob/transfers /mysql/transferfiles
You could then allow processes on the server to write to or read from /mysql/transferfiles and billybob on login to the jail would see those files as if they were in /transfers. Note that in this scenario /mysql/transferfiles is the symbolic link.

You can NOT however make the opposite work:
ln -s /mysql/transferfiles /root/jails/billybob/transfers
That is because even though the chroot'ed user, billybob, will see the symbolic link as /transfers pointing to /mysql/transferfiles he won't see /mysql directory so the link won't be pointing to anything from his perspective.
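The resolution rule described in post #2, modelled in user space as an added example that is not part of the original thread: the same lookup is run once with the host's "/" and once with the jail as "/", so no root privileges or real chroot call are needed. The names `resolve_under_root` and `build_demo`, the scratch tree, and the `inbox`, `inbox_rel` and `lib` links are assumptions made for illustration; the relative-link and `/lib` cases go slightly beyond the absolute-link case the post describes.

```python
import os
import tempfile

MAX_HOPS = 40  # give up after a bounded number of symlink hops, as the kernel does

def components(p):
    return [c for c in p.split("/") if c and c != "."]

def resolve_under_root(root, path):
    """Host path `path` reaches when "/" is `root`; None if it does not exist there."""
    root = os.path.realpath(root)
    pending, inside, hops = components(path), [], 0
    while pending:
        part = pending.pop(0)
        if part == "..":
            if inside:
                inside.pop()          # ".." at the root stays at the root
            continue
        host = os.path.join(root, *inside, part)
        if os.path.islink(host):
            hops += 1
            if hops > MAX_HOPS:
                return None
            target = os.readlink(host)
            if target.startswith("/"):
                inside = []           # absolute target restarts at this root
            pending = components(target) + pending
        elif os.path.lexists(host):
            inside.append(part)
        else:
            return None
    return os.path.join(root, *inside)

def build_demo():
    """Constructed scratch tree; `host` stands in for the real "/"."""
    host = os.path.realpath(tempfile.mkdtemp())
    jail = os.path.join(host, "root/jails/billybob")
    for d in ("transfers", "lib32"):
        os.makedirs(os.path.join(jail, d))
    os.makedirs(os.path.join(host, "mysql/data"))
    os.makedirs(os.path.join(host, "lib32"))
    # Works: link outside the jail pointing in (the first ln -s in post #2).
    os.symlink("/root/jails/billybob/transfers", os.path.join(host, "mysql/transferfiles"))
    # Dangling from inside the jail: absolute and relative links pointing out.
    os.symlink("/mysql/data", os.path.join(jail, "inbox"))
    os.symlink("../../../mysql/data", os.path.join(jail, "inbox_rel"))
    # An absolute target that also exists in the jail lands on the jail's own copy.
    os.symlink("/lib32", os.path.join(jail, "lib"))
    return host, jail
```

With `host, jail = build_demo()`, `resolve_under_root(host, "/root/jails/billybob/inbox")` returns the host's `mysql/data` directory, while `resolve_under_root(jail, "/inbox")` returns `None`: the link text is identical, only the root it is interpreted against has changed.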
 
05-11-2010, 07:39 AM   #3
johnsfine
Original Poster
Thank you for confirming my understanding that I can't do what I want using soft links.

Any comment on the important parts of my question? Other methods getting the desired effect? AUFS or other ways of mounting a directory into a directory (maybe NFS)?
 
05-11-2010, 08:41 AM   #4
MensaWater
Haven't worked with aufs or unionfs it mentions but on a quick perusal of those pages it appears they might do what you want.

Once you created your filesystem with the directories you want you'd probably still want to chroot yourself to that. If the filesystem exists BEFORE the chroot then the user/process isn't "linking" but rather using something that is "local" within the filesystem. Since I haven't done this I can't be sure but it seems a reasonable supposition.

You might want to post a new thread specifically asking about aufs/unionfs to see if anyone that knows them can give better guidance.
 
  

