Chrooting daemons and system processes HOW-TO

Monday, 21 October 2002, 12:15 PM EST

The command/function chroot is short for 'change root', and is designed to change the filesystem root for the environment it is applied to. This means the initial slash (/) in any path names are made relative to the chrooted path. For example, if a file called: /home/jonz/hello.txt exists on the system, and then I chrooted to /home/jonz, the file would then exist, in my chrooted environment, as: /hello.txt

The purpose of chrooting is designed to create an impenetrable (theoretically) "jail" protecting what is being chrooted from being able to read or modify any files outside of the chrooted environment. In the example above, I would be unable to access any files outside of /home/jonz, since / is now pointing to /home/jonz. Chrooting is commonly used to jail users in multiuser environments to protect system files. Chrooting can also be used to jail system daemons to help prevent them from being viable targets for hackers. If a hacker should exploit a vulnerability in a chrooted system daemon, their ability to affect files outside of the jail, or obtain a root shell is significantly more difficult. One big reason for this is that a shell is no longer part of the environment's path, so even if the hacker blows the stack away there's no shell to drop to. Many people have claimed to be able to break out of a chrooted jail, but in many cases it was from a shell (which doesn't exist in our case). Breaking out of a daemon-environment jail is at the very least, extremely difficult.

[ Read more ]




Spotlight

How to talk infosec with kids

Posted on 17 September 2014.  |  It's never too early to talk infosec with kids: you simply need the right story. In fact, as cyber professionals itís our duty to teach ALL the kids in our life about technology. If we are to make an impact, we must remember that children needed to be taught about technology on their terms.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Sep 19th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //