LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-26-2003, 05:12 PM   #1
eluo1996
LQ Newbie
 
Registered: Sep 2003
Posts: 3

Rep: Reputation: 0
Help!! How to use Chroot on Redhat 7.2


Hi all,

Help?

How to use Chroot on Redhat 7.2?

Thanks in advance
 
Old 09-26-2003, 11:06 PM   #2
glennb0665
LQ Newbie
 
Registered: Sep 2003
Location: Virginia
Distribution: Ubuntu
Posts: 14

Rep: Reputation: 0
Since you didn't say what you wanted to chroot, I will describe chrooting /bin/bash.

First you must create a directory to change root to. This is often referred to as a chroot jail.

All commands need to be run as root to create the chroot jail.

mkdir /home/jail
cd /home/jail

You should probably pick a filesystem that won't cause system problems if it fills up; alternatively you can put quotas on the directory. It is possible that the process running in the jail will run away and fill up the available space.

Now we should create an environment for the jail and the shell.

mkdir bin etc lib
chmod 755 bin etc lib
chown root:root bin etc lib

Create a file called profile with your favorite editor and put the following in it. This file should be placed in the etc directory in the jail.

# profile
# Where can commands be found
PATH=/bin
# Set commands to safe settings
alias rm='rm -i'
alias mv='mv -i'

export PATH

Now you need to populate the jail's bin directory with some commands. These commands should be statically linked, otherwise you will have to also copy in the required libraries into your jail.

If you want/need to use dynamically linked binaries, you should use the ldd command to identify the libs you will need.

ex. ldd /bin/bash

libtermcap.so.2 => /lib/libtermcap.so.2 (0x4002b000)
libdl.so.2 => /lib/libdl.so.2 (0x40030000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

copy libtermcap.so.2 libdl.so.2 libc.so.6 and ld-linux.so.2 to the lib directory in your jail.

I decided to put ls, rm, mv and cp into the jail. I ran ldd on all these commands and found I didn't need any additional libs, so I copied the binaries into my bin directory.

cp /bin/rm /bin/ls /bin/mv /bin/cp /bin/bash ./bin

I also created a world writable directory in the jail.

mkdir public
chmod 777 public

and finally, I ran chroot:

chroot /home/jail /bin/bash --login

As you try out the environment, you will find out it's not particularly useful since we didn't put a lot of commands in the jail. Another thing to note is that you are still root in the jail (albeit with almost no power).

Based upon the process you put in the jail, you will probably need to expand the environment to suit the process. Some things to think about are a var directory and commands that make the jail useful.

Hopefully this gets you started.

-Glenn
 
Old 09-28-2003, 08:25 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
If you're using "busybox" you get a (static) binary with all the necessary system utils rolled into one. Saves time finding dependencies.

Glennb0665 showed he didn't mount /proc inside the jail. Unless (and even then) you're running extra kernel protection like Grsecurity or LIDS it is not advisable to mount /proc inside a jail.

Another thing to note is that you are still root in the jail
That's an auth thing, set it up properly in /etc/passwd (and the jails passwd) and you should be an unprivileged user.

mkdir public; chmod 777 public
This should be mode 1777 to let only the owner delete.

In the "FAQ: Security references" thread there's much more on chrooting, see post 4 "Chroot, chrooting, jailing, comparimization".
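An added example, not code from the thread: a small POSIX shell script that automates the jail-building procedure from Glenn's post #2 (directory skeleton, the binaries, and the libraries plus loader that ldd reports) with unSpawn's corrections from post #3 (mode 1777 on public, no /proc in the jail). The jail path and binary list are assumed arguments; jail_check is an added helper that reports why chroot would refuse a target before you run it.

```shell
#!/bin/sh
# Added example: build a minimal chroot jail as described in the thread,
# letting ldd resolve shared-library dependencies instead of copying by hand.
# Assumed interface: build_jail JAIL_DIR HOST_BINARY... ; run as root for real use.

# Print the shared objects and the dynamic loader a binary needs. A static
# binary makes ldd print "not a dynamic executable", which yields no paths.
jail_deps() {
    ldd "$1" 2>/dev/null | awk '
        /=> \// { print $3; next }      # libc.so.6 => /lib/libc.so.6 (0x...)
        /^[[:space:]]*\// { print $1 }  # /lib/ld-linux.so.2 (0x...): the loader
    '
}

# Copy one host file into the jail at the same absolute path.
jail_copy() {
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# Skeleton with the modes from post #2, binaries plus their libraries,
# a sticky world-writable public directory (1777, per post #3), no /proc.
build_jail() {
    jail=$1; shift
    mkdir -p "$jail/bin" "$jail/etc" "$jail/lib" "$jail/public"
    chmod 755 "$jail/bin" "$jail/etc" "$jail/lib"
    chmod 1777 "$jail/public"
    for bin in "$@"; do
        jail_copy "$jail" "$bin"
        for lib in $(jail_deps "$bin"); do
            jail_copy "$jail" "$lib"
        done
    done
}

# chroot resolves its command inside the jail, so check the target there first:
# a missing file gives "No such file or directory", a directory or a file
# without the execute bit gives "Permission denied".
jail_check() {
    t="$1$2"
    [ -e "$t" ] || { echo "missing: $t"; return 1; }
    [ -f "$t" ] || { echo "not a regular file: $t"; return 2; }
    [ -x "$t" ] || { echo "not executable: $t"; return 3; }
    echo "ok: $t"
}
```

Typical use is `build_jail /home/jail /bin/bash /bin/ls` followed by `jail_check /home/jail /bin/bash` and then the chroot command from post #2.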
 
Old 09-29-2003, 08:07 AM   #4
eluo1996
LQ Newbie
 
Registered: Sep 2003
Posts: 3

Original Poster
Rep: Reputation: 0
Help!! How to use Chroot on Redhat 7.2

I did everything you told me, and everything was OK. But after I reboot the machine, everything is back to normal. I have to run chroot again.

Any idea?

Thank you very much for help!
 
Old 09-30-2003, 09:40 AM   #5
glennb0665
LQ Newbie
 
Registered: Sep 2003
Location: Virginia
Distribution: Ubuntu
Posts: 14

Rep: Reputation: 0
If you don't mind my asking, what application are you using this for? The instructions above are fairly generic.

For instance, if you are trying to run a Bind DNS server in a chroot jail, there are some special things you should do.

If you expect your application to start in a chroot jail upon boot up, you will probably need to modify its start-up script, typically in /etc/rc.d/init.d.

The line in the script that starts the application should be modified to execute it in a chroot jail.

ex:

/usr/sbin/somedaemon -someoption

might change to:

chroot /home/jail /usr/sbin/somedaemon -someoption

I strongly recommend you make a backup copy of any start-up scripts before you start modifying them. Trust me, you'll be happier if you do.

-Glenn
 
Old 10-01-2003, 02:03 PM   #6
eluo1996
LQ Newbie
 
Registered: Sep 2003
Posts: 3

Original Poster
Rep: Reputation: 0
Thank you very much!!!
 
Old 01-05-2004, 09:21 PM   #7
secret_ident
LQ Newbie
 
Registered: Jan 2004
Posts: 10

Rep: Reputation: 0
When I created it, I get a bash file in there, no folder,
so I get these errors:

[root@localhost oxide]# chroot /home/shell/oxide /bin/bash --login
chroot: /bin/bash: No such file or directory

So I add a bash folder and I still get an error:
[root@localhost oxide]# chroot /home/shell/oxide /bin/bash --login
chroot: /bin/bash: Permission denied
Why is this?
 