It's all about Chroot
UNIX file system
About the Unix file system
The Unix file system is organized as a tree structure. The Filesystem Hierarchy Standard (FHS) defines the layout of directories on Unix-like systems. Everything in Unix is treated as a file, including physical devices such as DVD-ROMs, USB devices and floppy drives.
UNIX file system hierarchy
Every Unix file system has a root (/) directory, which is the base of the file system. The root directory contains subdirectories such as usr, bin, home, dev and boot, and each of these contains its own subdirectories, and so on.
This file system is known as the root file system.
Chroot
About chroot
Creating a new root file system inside an existing file system is known as change root, or chroot. A process or command run in this new environment cannot access files outside its root directory. This modified environment is commonly known as a jailed directory or chroot jail.
Advantages of chroot
- Set up test environments
- Run programs in isolated environments (for example, run old programs without crashing the system)
- Reinstall a bootloader (GRUB, LILO, etc.)
- System recovery
- Password recovery
Chroot() system call
A chroot is performed via the chroot() system call. The chroot() system call is only available to the root user; a non-root user cannot execute chroot().
Create chroot environment
Scenario
Here I'm going to describe the basic steps to create a jail. In another post I hope to cover how to install nginx and apache inside a chroot.
Create isolated environment
First we need to create an isolated directory. This is our chroot jail directory.
Chroot the jail directory
Create the chroot environment in the jail directory.
The first time this command is run it fails with an error: chroot cannot find the bash shell. This highlights an important concept of creating a new root file system. The new file system has no access to anything from the original file system, including any commands.
Copy bash and libraries to jail directory
Bash lives at /bin/bash; copy it to jail/bin/bash and try to chroot again.
It still fails, because bin/bash depends on dynamic libraries. To execute a command inside a chroot environment, every dynamic library the command uses must also be copied into the chroot jail.
Copy dynamic libraries
First we need to identify the libraries used by the command. The following are the libraries used by the /bin/bash command.
Copy these libraries into the new jail environment's lib and lib64 directories.
Finally it works.
You are now inside the new jail environment: a fresh Linux root directory with nothing on it, not even the ls command.
You have to set up or install every required package manually in here. Let's copy the ls command and its libraries.
Now the ls command should work inside our new chroot jail.
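The whole procedure above (create the jail directory, copy a command, find its shared libraries, copy them in, repeat for ls) as one script. This is an added example, not the post's own commands; it assumes a GNU/Linux or musl system with ldd, cp and mkdir available, and the helper names (list_libs, copy_into_jail, populate_jail, check_jail, enter_jail) are my own. Instead of hand-copying into lib and lib64, it keeps each library at the same absolute path ldd reports, which is where the dynamic loader inside the jail will look for it.

```sh
#!/bin/sh
# Added example (not from the original post): build a minimal chroot jail by
# copying commands and the shared libraries ldd reports for them.
# Assumes ldd, cp and mkdir exist; jail path and commands are arguments.

# Print the absolute paths of the shared objects a binary needs, one per line.
# A statically linked binary ("not a dynamic executable") yields nothing.
list_libs() {
    target="$1"
    ldd "$target" 2>/dev/null | grep -o '/[^ ]*' | sort -u
}

# Copy one host file into the jail at the same absolute path it has on the host.
# cp follows the source symlink, so e.g. /lib64/ld-linux-x86-64.so.2 lands as a
# real file rather than a dangling link pointing outside the jail.
copy_into_jail() {
    jail_root="$1"; path="$2"
    mkdir -p "$jail_root$(dirname "$path")"
    cp "$path" "$jail_root$path"
}

# Copy each command (absolute path) plus every library ldd lists for it.
# Usage: populate_jail /path/to/jail /bin/bash /bin/ls
populate_jail() {
    jail_root="$1"; shift
    mkdir -p "$jail_root"
    for bin in "$@"; do
        copy_into_jail "$jail_root" "$bin"
        for lib in $(list_libs "$bin"); do
            copy_into_jail "$jail_root" "$lib"
        done
    done
}

# Verify a command and all of its libraries are present inside the jail.
# Prints the first missing path and returns 1 if anything is absent.
check_jail() {
    jail_root="$1"; bin="$2"
    for f in "$bin" $(list_libs "$bin"); do
        [ -e "$jail_root$f" ] || { echo "missing: $jail_root$f"; return 1; }
    done
    return 0
}

# Enter the jail. chroot(2) needs root, so refuse cleanly when we are not root.
enter_jail() {
    jail_root="$1"; shell_path="${2:-/bin/bash}"
    [ "$(id -u)" -eq 0 ] || { echo "chroot needs root" >&2; return 1; }
    chroot "$jail_root" "$shell_path"
}

# Demo: populate a throwaway jail with a shell and ls, then verify it.
# Entering it is left to the caller: enter_jail "$JAIL" "$SHELL_BIN" (as root).
JAIL="$(mktemp -d)"
SHELL_BIN="$(command -v bash 2>/dev/null || command -v sh)"
LS_BIN="$(command -v ls)"
populate_jail "$JAIL" "$SHELL_BIN" "$LS_BIN"
check_jail "$JAIL" "$SHELL_BIN" && check_jail "$JAIL" "$LS_BIN" \
    && echo "jail ready at $JAIL (shell: $SHELL_BIN)"
```

Running check_jail before chroot catches the "missing library" failure the post describes without having to enter the jail and read the error. Keep in mind that a chroot only restricts path lookups: a process that runs as root inside the jail can still escape it, so the jail is an isolation convenience for unprivileged programs, not a substitute for dropping privileges.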