OK, I've got this chroot jail all set up. I try to run firefox in it (with KDE running locally), and get the message:
"Gtk-WARNING ** cannot open display: "
I know I have to invoke firefox with --display= something. I probably also have to set the DISPLAY environmental variable to something as well. But I've tried all kinds of combinations, and can't get it to work in the chroot jail.
Normally, you should have all dependencies in your jail at the right place.
You can find dependencies via 'ldd'
add: ldd isn't the right way to go. On my slackware, it doesn't actually show all the needed libraries for su. With strace, I got much better results.
Yes, all the dependencies are there. I put a full backup of my system in the jail (I know that's not a good idea for a production system, but once I get it working at all I'll prune it down).
I'm sure it has to do with setting the X Windows output display, and specifying the output display. I believe that when an XApp is run locally, the display is a socket, but in a chroot jail I need to specify the output display using TCP.
I know what the problem is. I start KDE with a script which invokes startx. The script calls startx with -nolisten TCP.
This causes a problem because, in order for a chroot jail process to talk to the x server, it must use TCP (it cannot use sockets as can 'local' processes).
You can't run 2 different X servers, so you will have to --bind the correct directories and give chroot access to service information; it should use the DISPLAY configuration and X server from the host operating system. I started working on doing this a while back and pretty much did the same thing as you. Just build the simplest Linux framework you can and bind just the necessary directories, create a user for Mozilla and install only for that user, do not give that user permission to modify any of the bound directories, and set the chroot size so downloads, temp files and all the browser stuff don't take up more space than you would like to give it. So many reasons why to do it exactly how is the question.
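
An added example, not part of the thread: a POSIX shell diagnostic for the "cannot open display" situation discussed above, reporting which transport a DISPLAY value selects and whether the local X socket is visible under a given jail root. The function names and return codes are made up for illustration; `/tmp/.X11-unix/X<n>` and TCP port 6000+n are the standard X11 conventions.

```shell
#!/bin/sh
# Added example (not from the thread): which X11 transport does a DISPLAY
# value select, and can a process chrooted into JAIL reach it?

# display_transport DISPLAY -> "unix <socket path>" or "tcp <host> <port>"
display_transport() {
    d=$1
    [ -n "$d" ] || { echo "unset"; return 1; }
    host=${d%:*}                  # text before the last ':'
    num=${d##*:}; num=${num%%.*}  # display number, screen suffix dropped
    case $num in ''|*[!0-9]*) echo "invalid"; return 1 ;; esac
    num=${num#"${num%%[!0]*}"}; num=${num:-0}   # strip leading zeros
    case $host in
        ''|unix) echo "unix /tmp/.X11-unix/X$num" ;;  # local socket
        *)       echo "tcp $host $((6000 + num))" ;;  # TCP port 6000+n
    esac
}

# jail_x11_report JAIL DISPLAY
# Returns 0 socket visible in jail, 1 socket missing, 2 bad DISPLAY,
# 3 TCP display (depends on the X server listening; not probed here).
jail_x11_report() {
    jail=${1%/}
    t=$(display_transport "$2") || { echo "DISPLAY is $t"; return 2; }
    set -- $t
    case $1 in
        unix)
            if [ -S "$jail$2" ]; then
                # The jailed user still needs a readable Xauthority cookie.
                echo "ok: $2 is visible inside $jail"
            else
                echo "missing: bind-mount /tmp/.X11-unix at $jail/tmp/.X11-unix"
                return 1
            fi ;;
        tcp)
            echo "tcp: $2 port $3; refused if X was started with -nolisten tcp"
            return 3 ;;
    esac
}

# Usage: sh x11jail.sh /path/to/jail "$DISPLAY"
if [ "$#" -eq 2 ]; then jail_x11_report "$1" "$2"; exit $?; fi
```

A client connected to the display by either route is an ordinary X client and can observe other clients' windows and input, so the chroot confines file access, not the X session.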