Old 01-19-2005, 09:04 PM   #1
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95

Rep: Reputation: 15
How to run firefox in a chroot jail?

OK, I've got this chroot jail all set up. I try to run firefox in it (with KDE running locally), and get the message:

"Gtk-WARNING ** cannot open display: "

I know I have to invoke firefox with --display= something. I probably also have to set the DISPLAY environmental variable to something as well. But I've tried all kinds of combinations, and can't get it to work in the chroot jail.

Thanks in advance.
Old 01-20-2005, 06:31 AM   #2
Senior Member
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,745

Rep: Reputation: 71
Don't you have to put all the dependencies of Firefox in the jail too? If so, I would think that you would need KDE, GTK and X in the jail.
Old 01-20-2005, 09:16 AM   #3
Registered: Apr 2004
Location: Belgium Antwerpen
Distribution: slackware - knoppix
Posts: 141

Rep: Reputation: 18
Normally, you should have all dependencies in your jail at the right place.
You can find dependencies via 'ldd'
add: ldd isn't the right way to go. On my slackware, it doesn't actually show all the needed libraries for su. With strace, I got much better results.

Last edited by ldp; 01-20-2005 at 02:56 PM.
Old 01-20-2005, 10:29 AM   #4
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95

Original Poster
Rep: Reputation: 15
Yes, all the dependencies are there. I put a full backup of my system in the jail (I know that's not a good idea for a production system, but once I get it working at all I'll prune it down).

I'm sure it has to do with setting the X Windows output display, and specifying the output display. I believe that when an XApp is run locally, the display is a socket, but in a chroot jail I need to specify the output display using TCP.
Old 01-20-2005, 02:45 PM   #5
Registered: Jun 2003
Location: Denver, CO
Distribution: Debian
Posts: 95

Original Poster
Rep: Reputation: 15
I know what the problem is. I start KDE with a script which invokes startx. The script calls startx with -nolisten TCP.

This causes a problem because, in order for a chroot jail process to talk to the x server, it must use TCP (it cannot use sockets as can 'local' processes).
Old 07-20-2012, 03:24 PM   #6
LQ Newbie
Registered: Oct 2011
Posts: 19

Rep: Reputation: Disabled
--bind services and dev directories

You can't run 2 different X servers, so you will have to --bind the correct directories and give the chroot access to service information; it should use the DISPLAY configuration and X server from the host operating system. I started working on doing this a while back and pretty much did the same thing as you. Just build the simplest Linux framework you can and bind just the necessary directories, create a user for Mozilla and install only for that user, do not give that user permission to modify any of the bound directories, and set the chroot size so downloads, temp files and all the browser stuff don't take up more space than you would like to give it. So many reasons why to do it; exactly how is the question.
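
The bind-mount approach described in post #6, written out as an added example that is not part of any post in this thread: it shares only the host's X socket directory and one auth cookie with the jail, so the X server can stay on `-nolisten tcp`. The jail path, the `ffjail` account, the `DRY_RUN` switch and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. JAIL, JAILUSER and DRY_RUN are assumed names.
JAIL=${JAIL:-/srv/jail/firefox}   # assumed jail root
JAILUSER=${JAILUSER:-ffjail}      # assumed account, present in the jail's /etc/passwd
XAUTH_SRC=${XAUTHORITY:-${HOME:-/root}/.Xauthority}   # desktop session's cookie file

# Map a DISPLAY value to the endpoint an X client connects to:
#   ":N", "unix:N" -> Unix socket /tmp/.X11-unix/XN (a path, so it must exist in the jail)
#   "host:N"       -> TCP port 6000+N (refused when the server runs with -nolisten tcp)
x_endpoint() {
    host=${1%:*}
    num=${1##*:}; num=${num%%.*}                 # drop an optional ".screen" suffix
    case $num in ''|*[!0-9]*) return 1 ;; esac   # empty or malformed DISPLAY
    case $host in
        ''|unix) echo "unix /tmp/.X11-unix/X$num" ;;
        *)       echo "tcp $host $((6000 + num))" ;;
    esac
}

# Echo each command when DRY_RUN=1 (the default); execute it otherwise.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Expose only the host's X socket directory and one cookie to the jail, then
# start firefox as the unprivileged user with a scrubbed environment.
jail_firefox() {
    ep=$(x_endpoint "$1") || { echo "bad DISPLAY: '$1'" >&2; return 1; }
    case $ep in unix*) ;; *) echo "TCP display, nothing to bind" >&2; return 2 ;; esac
    home=/home/$JAILUSER
    run mkdir -p "$JAIL/tmp/.X11-unix" &&
    run mount --bind /tmp/.X11-unix "$JAIL/tmp/.X11-unix" &&
    run xauth -f "$XAUTH_SRC" extract "$JAIL$home/.Xauthority" "$1" &&
    run chroot "$JAIL" chown "$JAILUSER" "$home/.Xauthority" &&
    run chroot --userspec="$JAILUSER" "$JAIL" /usr/bin/env -i \
        DISPLAY="$1" HOME="$home" XAUTHORITY="$home/.Xauthority" firefox
}
# Usage (as root, from the desktop session): DRY_RUN=0 jail_firefox "$DISPLAY"
```

Any client admitted to the display can observe the keystrokes and window contents of the other clients on it, so this jail confines the browser's filesystem view, not its access to the X session.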

