Chrooting daemons and system processes HOW-TO
The command/function chroot is short for 'change root', and is designed to change the filesystem root for the environment it is applied to. This means the initial slash (/) in any path names are made relative to the chrooted path. For example, if a file called: /home/jonz/hello.txt exists on the system, and then I chrooted to /home/jonz, the file would then exist, in my chrooted environment, as: /hello.txt
The purpose of chrooting is designed to create an impenetrable (theoretically) "jail" protecting what is being chrooted from being able to read or modify any files outside of the chrooted environment. In the example above, I would be unable to access any files outside of /home/jonz, since / is now pointing to /home/jonz. Chrooting is commonly used to jail users in multiuser environments to protect system files. Chrooting can also be used to jail system daemons to help prevent them from being viable targets for hackers. If a hacker should exploit a vulnerability in a chrooted system daemon, their ability to affect files outside of the jail, or obtain a root shell is significantly more difficult. One big reason for this is that a shell is no longer part of the environment's path, so even if the hacker blows the stack away there's no shell to drop to. Many people have claimed to be able to break out of a chrooted jail, but in many cases it was from a shell (which doesn't exist in our case). Breaking out of a daemon-environment jail is at the very least, extremely difficult.
[ Read more ]
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.