
SysCall chroot

1 Background

  1. Prerequisite: Libcalls vs. syscalls.
  2. Read through man syscalls, man chroot, and man 2 chroot.

2 Usage/Semantics of chroot

  1. The word root here is about the root of a directory hierarchy, not the super-user.
  2. Before entering the chroot a number of directories need to be mounted. Some basic configuration files will need to be copied from the host.
# mount -t proc /proc /mnt/mychroot/proc
# mount --rbind /dev /mnt/mychroot/dev
# mount --rbind /sys /mnt/mychroot/sys
# mount --rbind /tmp /mnt/mychroot/tmp
# cp /etc/resolv.conf /mnt/mychroot/etc

Then, invoke # chroot /mnt/mychroot /bin/bash

2.1 Full Path Names

  1. Full path names begin with the / (the slash).
  2. Consider the file/directory hierarchy, preferably one with multiple mounts.
  3. chroot can relocate the root directory of a full path name to any directory on this hierarchy.
  4. Consider a process with PID 12345. Examine /proc/12345/root. This will be a symbolic link to the "root" dir of this process.

2.2 Goal: Chroot Jail

  1. Having chroot-ed, /../ no longer leads anywhere above the new root. This brought us the term "chroot jail", the "First Gen Sandbox".

2.3 Man Pages?!

  1. Man pages do their best, but are not always unambiguous or definitive.
  2. man chroot has the following at the top: "chroot - run command or interactive shell with special root directory".
    1. This is way too ambiguous.

2.4 Root Only?

  1. The chroot system call is only available to the root user. A non-root user cannot execute a chroot() call.
  2. Any process having done a chroot ought to drop its privileges to run as nobody or an otherwise unknown user.
  3. Computer System Security, Lecture 4, https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-858-computer-systems-security-fall-2014/lecture-notes/MIT6_858F14_lec4.pdf, 8 pp.
  4. "On Safes, Sandboxes, and Spies", CS 161: Computer Security, Lecture 5, https://inst.eecs.berkeley.edu/~cs161/fa16/slides/lec5.pdf, 33 slides, 2016.
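The chroot-then-drop-privileges sequence from items 1 and 2 above, as an added C example that is not part of the original notes. The function name enter_jail and the uid/gid 65534 (commonly "nobody") are assumptions; /mnt/mychroot is the jail path used earlier on this page.

```c
#define _DEFAULT_SOURCE          /* for chroot() and setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter the jail at `dir`, then permanently become uid/gid.
 * Returns 0 on success, -1 with errno set. On a failure after chroot()
 * the caller must exit rather than continue half-confined. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {      /* staying root defeats the jail */
        errno = EINVAL;
        return -1;
    }
    /* chdir first: chroot() does not change the working directory, and a
     * cwd left outside the new root is still a handle on the old tree. */
    if (chdir(dir) != 0) return -1;
    if (chroot(".") != 0) return -1; /* EPERM unless privileged */
    if (chdir("/") != 0) return -1;

    /* Drop in this order: supplementary groups, gid, then uid.
     * After setuid() the process may no longer change groups. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify the drop is irreversible. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/mnt/mychroot";
    if (enter_jail(dir, 65534, 65534) != 0) {  /* 65534: assumed "nobody" */
        perror("enter_jail");
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL);      /* path is inside the jail */
    perror("execl");
    return 1;
}
```

Run as a non-root user, the program prints an "Operation not permitted" error from chroot(), which is the restriction item 1 describes.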

3 References

  1. https://en.wikipedia.org/wiki/Chroot Required Reading
  2. https://lwn.net/Articles/252794/ 2007 What chroot() is really for. Required Reading
  3. https://wiki.gentoo.org/wiki/Chroot Required Reading

4 End


Copyright © 2018 www.wright.edu/~pmateti • 2018-12-05