FYI: general paper about chrooting

markus1982 · 01-31-2004, 05:20 PM

I've just finished writing a general paper about chrooting. It can be found at http://www.linux-corner.net/linux/papers/chrooting.html - please post your comments on here!

Berhanie · 01-31-2004, 08:22 PM

Sorry I am not expert enough to comment on your paper on a technical level.
I had heard of a "chroot jail" before but, before reading your paper, had only a vague notion of what it was. Thank you for the very illuminating paper.

markus1982 · 02-01-2004, 06:00 AM

Well I am looking for information from people with all kinds of knowledge, so that's fine :-)

unSpawn · 02-02-2004, 02:45 AM

Nice doc Markus. Some remarks. I think you should add a piece on setting up a chroot jail, even if only a generic example. I mean, in my eyes the part isn't complete without it because it's the ultimate goal, right? (Yeah, yeah, I know. That'll mean you'll have to write about apps that can't be or are hard to chroot, Glibc, NSS, user/group auth, linkage, (root-owned) socket binding, linux_capabilities, etc etc, but IIRC you could collate nfo from docs (you) posted on LQ). I think it also would be good to list the ways to get out of a chroot (sXid apps, /proc, device or kernelmem access) or provide linkage, because it's an essential part of securing a chroot and chroots being set up for security, list some chroot SW (jail, compartiment?) or provide links.

//mental note, if you're talking about checking, don't forget about the top inode:

Code:

int main(int argc, char **argv) {
  struct stat x;

  if (stat("/", &x)) {
    printf("Unable to stat /");
    exit(EXIT_FAILURE);
  }

  if (x.st_ino==2) {
    printf("I am not chrooted or chrooted on a mountpoint\n");
  } else {
    printf("I am chrooted\n");
  }
  exit(EXIT_SUCCESS);
}

HF

markus1982 · 02-04-2004, 05:52 AM

Quote:

Originally posted by unSpawn
Nice doc Markus. Some remarks. I think you should add a piece on setting up a chroot jail, even if only a generic example. I mean, in my eyes the part isn't complete without it because it's the ultimate goal, right? (Yeah, yeah, I know. That'll mean you'll have to write about apps that can't be or are hard to chroot, Glibc, NSS, user/group auth, linkage, (root-owned) socket binding, linux_capabilities, etc etc, but IIRC you could collate nfo from docs (you) posted on LQ). I think it also would be good to list the ways to get out of a chroot (sXid apps, /proc, device or kernelmem access) or provide linkage, because it's an essential part of securing a chroot and chroots being set up for security, list some chroot SW (jail, compartiment?) or provide links.

//mental note, if you're talking about checking, don't forget about the top inode:

Code:

int main(int argc, char **argv) { struct stat x; if (stat("/", &x)) { printf("Unable to stat /"); exit(EXIT_FAILURE); } if (x.st_ino==2) { printf("I am not chrooted or chrooted on a mountpoint\n"); } else { printf("I am chrooted\n"); } exit(EXIT_SUCCESS); }

HF

First of all: THANK YOU VERY MUCH FOR YOUR FEEDBACK!

Well I thought to have the paper without a complete example (since the how to chroot part is more or less an "example" of the steps involved). I more thought about adding another service setup tutorial keeping chrooting in mind and relying on the basics of that paper.

About breaking chroots, there is a link to that at the FAQ area ... do you have any other links to be added and expand it? :-)

unSpawn · 02-18-2004, 06:18 PM

do you have any other links to be added and expand it?
Checked out the LQ FAQ: Security references, post #4? :-]

deepsix · 02-21-2004, 01:41 PM

Thank you ....... Ive been looking for more up to date info like this........great work
and I agree with Berhanie and unSpawn about chroot jail....