LSA2 - 02 chrooting


Chrooting...

/
|-bin/
| |-bash
|-home/
| |-niki/
| |-pesho/
| |-ani/
| | |-bin/
| | | |-bash
| | | |-ruby
|-usr/
| |-bin/
| | |-ruby

Why chroot?

- Different software requirements
- Isolation (new software, new bugs)
- Security

Two ways to do it:

- Chroot within the application
- Chroot before starting the app

The system call

man 2 chroot

SYNOPSIS
       #include <unistd.h>

       int chroot(const char *path);

Chroot within the application

- start a new child
- change the root to ~/ani
- change dir to /
- listing files in / will result in listing the files within /home/ani

Note: this needs no libraries or other files copied into the new root, because the process is already running with its libraries mapped. Anything it opens after the chroot (config files, dlopen'ed modules, /etc/passwd lookups, programs it execs) has to exist inside the new root, though.

/
|-bin/
| |-bash
|-home/
| |-niki/
| |-pesho/
| |-ani/

Example: FTP

- the daemon runs privileged
- it starts a child
- the child chroots to restrict its FS access (e.g. to the user's home)
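The child-side sequence from the slides, written out as an added example (it is not code from the course): Python is used because os.chroot maps directly onto chroot(2), and the ordering is exactly what a C daemon would do. The names enter_jail and run_jailed and the user/directory arguments are chosen here for illustration.

```python
"""Chroot within the application: a privileged parent (think of the FTP
daemon above) forks a child, and the child confines itself to the user's
directory before it touches anything the remote side sends."""
import os
import pwd
import sys


def enter_jail(root: str, user: str) -> None:
    """Confine the calling process to ``root`` and drop to ``user``.

    The order is the whole point:
      1. resolve the user first: after chroot() the only /etc/passwd the
         process can see is the one inside the jail, if there is one
      2. chroot() needs CAP_SYS_CHROOT, so it runs while we are still root
      3. chdir("/") immediately after: otherwise the cwd is still outside
         the jail and a relative path such as "../../etc/shadow" walks out
      4. setgroups/setgid/setuid: a process that stays root inside a chroot
         can mkdir a subdirectory, chroot() into it and climb out again with
         chdir(".."), so privileges go before any untrusted input is read
    """
    pw = pwd.getpwnam(user)
    os.chroot(root)
    os.chdir("/")
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    if os.getuid() == 0 or os.geteuid() == 0:
        raise RuntimeError("still root after dropping privileges")


def run_jailed(root: str, user: str, work) -> int:
    """Fork; the child enters the jail and runs work(), the parent keeps its
    privileges and only learns the child's exit status."""
    pid = os.fork()
    if pid == 0:
        status = 1
        try:
            enter_jail(root, user)
            status = int(work() or 0)
        except Exception as exc:
            print(f"jailed child failed: {exc}", file=sys.stderr)
        finally:
            os._exit(status)  # never fall back into the parent's code path
    _, wstatus = os.waitpid(pid, 0)
    return os.WEXITSTATUS(wstatus) if os.WIFEXITED(wstatus) else 1


def list_root() -> int:
    """What the slide describes: listing / inside the jail shows the
    contents of the directory the child chrooted to."""
    print(sorted(os.listdir("/")))
    return 0


if __name__ == "__main__":
    # Usage (as root): python3 jail.py /home/ani ani
    # Prints the entries of /home/ani, since that is now "/" for the child.
    sys.exit(run_jailed(sys.argv[1], sys.argv[2], list_root))
```

The parent never calls enter_jail itself: only the child is confined, which is why the daemon can keep opening privileged resources while each child sees nothing but the user's directory.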

Chroot before starting the app

man 1 chroot

SYNOPSIS
       chroot [OPTION] NEWROOT [CMD [ARG]...]
       chroot OPTION

- with no command given, chroot runs /bin/sh inside NEWROOT, so the new root needs it
- every binary within the chroot has to have its shared libraries inside the chroot as well

Find all shared libraries for a binary

$ ldd /bin/bash
	linux-gate.so.1 (0xb775c000)
	libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
	libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
	libc.so.6 => /lib/libc.so.6 (0xb7596000)
	/lib/ld-linux.so.2 (0xb775d000)

How to use the Linux linker

$ /lib/ld-linux.so.2 --list /bin/bash
	linux-gate.so.1 (0xb775c000)
	libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
	libdl.so.2 => /lib/libdl.so.2 (0xb7721000)
	libc.so.6 => /lib/libc.so.6 (0xb7596000)
	/lib/ld-linux.so.2 (0xb775d000)

Verify that all shared libraries are present in the chrooted environment

$ /lib/ld-linux.so.2 \
    --list \
    --library-path /storage/chroot/lib \
    /storage/chroot/bin/bash

Warning: shared libraries use other shared libraries in turn. ldd and ld.so --list print the complete set that actually gets loaded, so copy all of it, not only the libraries the binary names directly.

Missing devices?

Some applications require basic devices to function:

- /dev/zero
- /dev/null
- /dev/random
- /dev/urandom
- /dev/ttyX or /dev/pts/X - terminal access
- /dev/log - log to syslog (a socket created by the syslog daemon; reconfigure it to also create one inside the chroot)

Note: do not use MAKEDEV. It creates far more device nodes than the application needs. Create just the ones you need with mknod.
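The whole "chroot before starting the app" procedure above (copy the binary, resolve its libraries with ldd, create the handful of devices with mknod, then verify with the copied ld.so and --library-path), as an added example that is not part of the course material. Python is used so the ldd output format can be parsed and checked deterministically; the sample ldd output embedded below is the one from the slide, kept as a constructed constant, and parse_ldd, jail_path, library_dirs, install, make_devices and build_chroot are names chosen here.

```python
"""Build a minimal chroot for one binary: copy the executable, every shared
library it needs, the few devices most programs expect, and then verify from
the outside that the copied binary resolves its libraries inside the jail."""
import os
import shutil
import stat
import subprocess
import sys

# ldd output from the slide, kept as a constructed sample so parse_ldd() can be
# exercised without running ldd.
SAMPLE_LDD = """\
\tlinux-gate.so.1 (0xb775c000)
\tlibtermcap.so.2 => /lib/libtermcap.so.2 (0xb7726000)
\tlibdl.so.2 => /lib/libdl.so.2 (0xb7721000)
\tlibc.so.6 => /lib/libc.so.6 (0xb7596000)
\t/lib/ld-linux.so.2 (0xb775d000)
"""

# Linux major/minor numbers of the character devices listed on the slide.
DEVICES = {"null": (1, 3), "zero": (1, 5), "random": (1, 8), "urandom": (1, 9)}


def parse_ldd(output: str) -> list:
    """Return (soname, path) pairs for every object ldd or ld.so --list
    reports, covering the three line shapes they print:
      linux-gate.so.1 (0x...)              vDSO: no file on disk, skipped
      libc.so.6 => /lib/libc.so.6 (0x...)  path after '=>'
      /lib/ld-linux.so.2 (0x...)           dynamic linker: path is the name
    'libfoo.so => not found' means the binary cannot run even outside the
    chroot, so it raises instead of producing a silently broken jail."""
    found = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if "=>" in tokens:
            target = tokens[tokens.index("=>") + 1]
            if target == "not":
                raise RuntimeError(f"unresolved library: {tokens[0]}")
            if target.startswith("/"):
                found.append((tokens[0], target))
        elif tokens[0].startswith("/"):
            found.append((tokens[0], tokens[0]))
    return found


def jail_path(chroot: str, path: str) -> str:
    """Where an absolute host path lands inside the chroot."""
    return os.path.join(chroot, path.lstrip("/"))


def library_dirs(chroot: str, libs: list) -> str:
    """--library-path value that restricts the linker to the jail's copies."""
    dirs = []
    for lib in libs:
        d = os.path.dirname(jail_path(chroot, lib))
        if d not in dirs:
            dirs.append(d)
    return ":".join(dirs)


def install(chroot: str, path: str) -> str:
    """Copy one file into the chroot, following symlinks so the real file
    (not a link pointing back outside the jail) ends up inside."""
    dst = jail_path(chroot, path)
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    shutil.copy2(path, dst, follow_symlinks=True)
    return dst


def make_devices(chroot: str) -> None:
    """mknod only the devices in DEVICES (the slide's advice over MAKEDEV).
    Needs CAP_MKNOD, i.e. root."""
    devdir = os.path.join(chroot, "dev")
    os.makedirs(devdir, exist_ok=True)
    for name, (major, minor) in DEVICES.items():
        node = os.path.join(devdir, name)
        if not os.path.exists(node):
            os.mknod(node, 0o666 | stat.S_IFCHR, os.makedev(major, minor))


def build_chroot(chroot: str, binary: str) -> bool:
    """Populate the jail for `binary`, then verify it the way the slide does:
    run the *copied* dynamic linker with --list and --library-path limited to
    the jail, and require every library to resolve inside the jail. ldd and
    ld.so --list hand control to the binary's loader, so only use them on
    binaries you trust."""
    ldd = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True)
    deps = parse_ldd(ldd.stdout)
    install(chroot, binary)
    make_devices(chroot)
    if not deps:                      # "statically linked": nothing to copy or check
        return True
    libs = [path for _, path in deps]
    for lib in libs:
        install(chroot, lib)
    loaders = [path for name, path in deps if name == path]  # the ld.so line
    if len(loaders) != 1:
        raise RuntimeError("could not identify the dynamic linker")
    check = subprocess.run(
        [jail_path(chroot, loaders[0]), "--list",
         "--library-path", library_dirs(chroot, libs), jail_path(chroot, binary)],
        capture_output=True, text=True, check=True)
    # --library-path is searched first but the host's default dirs still come
    # after it, so a library missing from the jail shows up with a host path.
    return all(path.startswith(chroot) for name, path in parse_ldd(check.stdout)
               if name != path)


if __name__ == "__main__":
    # Usage (as root): python3 mkjail.py /storage/chroot /bin/bash
    ok = build_chroot(sys.argv[1], sys.argv[2])
    print("all libraries resolve inside the chroot" if ok else "INCOMPLETE chroot")
    sys.exit(0 if ok else 1)
```

Run it once per binary you want inside the jail; the final check is what makes the warning above actionable, since a forgotten transitive library shows up as a host path in the ld.so --list output rather than as a failure at some later exec.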

Installing software in the chroot

RPM based distributions

Initialize the RPM DB in the chroot (/vm1):
# mkdir -p /vm1/var/lib/rpm
# rpm --root /vm1 --initdb

Install a single RPM in the chroot (/vm1):
# rpm --root /vm1 -ivh some_package.rpm

Install the RPM package manager into the chroot:
# yum --installroot=/vm1 install rpm

Follow the last step for any other package....

Installing software in the chroot

Debian based distributions

For all of you... use debootstrap. It installs a minimal Debian/Ubuntu base system into a directory, which can then be used as the new root.

And finally, meet busybox, the one tool that has it all :) It packs the common Unix utilities into a single executable, and a statically linked build needs no shared libraries copied into the chroot at all.