{"id":88140,"date":"2020-10-13T16:00:30","date_gmt":"2020-10-13T13:00:30","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/what-is-chroot-on-linux-and-how-do-you-use-it-cloudsavvy-it\/"},"modified":"2020-10-13T16:00:30","modified_gmt":"2020-10-13T13:00:30","slug":"what-is-chroot-on-linux-and-how-do-you-use-it-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/what-is-chroot-on-linux-and-how-do-you-use-it-cloudsavvy-it\/","title":{"rendered":"#What Is chroot on Linux and How Do You Use It? \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#What Is chroot on Linux and How Do You Use It? \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7336\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/9f3f2d78cf7a7d2092a96cc369ae8756\/p\/uploads\/2019\/07\/b9c7acd7.png\" alt=\"\" width=\"700\" height=\"300\" \/><\/p>\n<p>The chroot Linux utility can modify the working root directory for a process, limiting access to the rest of the file system. 
This is usually done for security, containerization, or testing, and is often called a \u201cchroot jail.\u201d<\/p>\n<h2><span class=\"ez-toc-section\" id=\"What_Does_chroot_Do\"><\/span>What Does chroot Do?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Chroot does one thing\u2014run a command with a different root directory. The command being run has no idea that anything outside of its jail exists, as it doesn\u2019t have any links to it, and as far as it\u2019s aware, is running on the root filesystem anyway. There\u2019s nothing\u00a0<em>above<\/em> root, so the command can\u2019t access anything else.<\/p>\n<p>Chroot doesn\u2019t make any modifications to your disk, but it can make it appear that way from the point of view of the processes running under it. Chrooting a process accomplishes the same thing as changing the mount namespace for a process, but does so at a higher level than namespace modification.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"What_is_chroot_Used_For\"><\/span>What is chroot Used For?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The main thing <code>chroot<\/code> is used for is locking away system daemons so that any security vulnerabilities in those daemons don\u2019t affect the rest of the system. For example, Postfix, a mail agent, <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.linuxtopia.org\/online_books\/mail_systems\/postfix_documentation\/BASIC_CONFIGURATION_README_010.html\">can be configured<\/a> to run inside a chrooted environment with limited access to the directories it uses to communicate with the system. This way, if a bug is found in Postfix, it affects Postfix, and not anything else.<\/p>\n<p>This is pretty useful for a service like FTP. 
If you want to offer remote users access to parts of your system, chrooting the process is an easy way to lock down access.<\/p>\n<p>It\u2019s also useful as a \u201cbudget container,\u201d to create a subset of your operating system and run\u00a0apps in an isolated environment, be it for testing, security, or ease of development. But since <code>chroot<\/code>\u00a0requires you to manually copy over application dependencies into the jail, it\u2019s not suitable for everything. A process that needs to access and interact with user-level resources would not work well inside a chroot jail, or would require extra configuration that may make the whole setup more insecure. But, even complicated apps like Apache and <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/flylib.com\/books\/en\/2.220.1\/running_mysql_in_a_chrooted_environment.html\">MySQL<\/a>\u00a0can be run inside a chrooted environment with all dependencies accounted for.<\/p>\n<p>While a <code>chroot<\/code>\u00a0jail is an added layer of security, <code>chroot<\/code>\u00a0shouldn\u2019t be your only security tool. Breaking out of a jail can be relatively trivial if not configured properly, and a chroot jail only changes the mount location and doesn\u2019t affect the other namespaces. If you want better security, use namespaces, or a containerization engine like <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"http:\/\/docker.io\">Docker<\/a>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Sending_Processes_to_Jail\"><\/span>Sending Processes to Jail<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To open a shell inside a jailed directory, you can run:<\/p>\n<pre>sudo chroot \/jail<\/pre>\n<p>However, this command will fail with a newly created <code>\/jail<\/code>\u00a0directory, since <code>chroot<\/code>\u00a0will try to load bash from\u00a0<code>\/jail\/bin\/bash<\/code>. 
This file doesn\u2019t exist, which is the first problem with <code>chroot<\/code>\u2014you have to build the jail yourself.<\/p>\n<p>For some things, copying them over with <code>cp<\/code>\u00a0is enough:<\/p>\n<pre>cp -a \/bin\/bash \/jail\/bin\/bash<\/pre>\n<p>But this only copies over the bash executable, and not all of its dependencies, which don\u2019t exist in our jail yet. You can list the dependencies for bash with the\u00a0<code>ldd<\/code>\u00a0command:<\/p>\n<pre>ldd $(which bash)&#13;\n    linux-vdso.so.1 (0x00007ffd079a1000)&#13;\n    libtinfo.so.5 =&gt; \/lib\/x86_64-linux-gnu\/libtinfo.so.5 (0x00007f339096f000)&#13;\n    libdl.so.2 =&gt; \/lib\/x86_64-linux-gnu\/libdl.so.2 (0x00007f339076b000)&#13;\n    libc.so.6 =&gt; \/lib\/x86_64-linux-gnu\/libc.so.6 (0x00007f339037a000)&#13;\n    \/lib64\/ld-linux-x86-64.so.2 (0x00007f3390eb3000)<\/pre>\n<p>You can copy them over manually:<\/p>\n<pre>cp \/lib\/x86_64-linux-gnu\/libtinfo.so.5 \/jail\/lib\/x86_64-linux-gnu\/&#13;\ncp \/lib\/x86_64-linux-gnu\/libdl.so.2 \/jail\/lib\/x86_64-linux-gnu\/&#13;\ncp \/lib\/x86_64-linux-gnu\/libc.so.6 \/jail\/lib\/x86_64-linux-gnu\/&#13;\ncp \/lib64\/ld-linux-x86-64.so.2 \/jail\/lib64\/<\/pre>\n<p>But this becomes a major hassle to do for every command you may want to run under <code>chroot<\/code>. 
If you don\u2019t care about your <code>chroot<\/code>\u00a0accessing your actual <code>lib<\/code>\u00a0and <code>bin<\/code>\u00a0directories (without access to the rest of the system), then you can use <code>mount --bind<\/code>\u00a0to provide a link in your jail:<\/p>\n<pre>mount --bind \/bin \/jail\/bin&#13;\nmount --bind \/lib \/jail\/lib&#13;\nmount --bind \/lib64 \/jail\/lib64<\/pre>\n<p>You could also just copy over the entire <code>\/bin<\/code>\u00a0and <code>\/lib<\/code>\u00a0directories, which uses more space, but may be a bit better for security, especially if you\u2019re using <code>chroot<\/code>\u00a0to run unsafe processes that you wouldn\u2019t want messing with your system\u2019s folders.<\/p>\n<p>Now that everything is copied over, you should be able to once again run <code>sudo chroot \/jail<\/code>\u00a0to open bash. Alternatively, you can run any other command by running:<\/p>\n<pre>sudo chroot \/jail command<\/pre>\n<p>If you\u2019re running processes through chroot bash, you can exit the shell with <code>exit<\/code>\u00a0or Control+D, which will stop the running process. Processes running in jail run in their own environment, and don\u2019t have access to other processes on the system.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Can_Process_Escape_The_Jail\"><\/span>Can Process Escape The Jail?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Not easily, unless they\u2019re running as root. Chroot doesn\u2019t block access to low-level system resources (that would require root to access), and as such, a privileged process <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/lwn.net\/Articles\/252794\/\">could easily escape<\/a> a jail.<\/p>\n<p>It is possible for non-privileged processes to break out entirely with the method <code>chdir(\"..\")<\/code>\u00a0and another call to <code>chroot<\/code>. 
If you\u2019re really focused on security, you should <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/unix.stackexchange.com\/a\/492626\">drop access to<\/a> the <code>chroot(2)<\/code>\u00a0system call, or <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/github.com\/vincentbernat\/jchroot\">use the fork <code>jchroot<\/code><\/a>, which automates this extra security feature.<\/p>\n<p><code>chroot<\/code>\u00a0is not a bulletproof security tool, as it\u2019s not completely containerized, and shouldn\u2019t be thought of as a firewall that will save your system from attackers. However, unless a process is specifically trying to get out of a chroot jail, <code>chroot<\/code> achieves its job of sectioning off your file system for most processes, and can be configured with extra security measures to block the major escape methods.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/731\/what-is-chroot-on-linux-and-how-do-you-use-it\/\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#What Is chroot on Linux and How Do You Use It? 
\u2013 CloudSavvy IT&#8221; The chroot Linux utility can modify the working root directory for a process, limiting access to the rest of the file system. This is usually done for security, containerization, or testing, and is often called a \u201cchroot jail.\u201d What Does chroot&#8230;<\/p>\n","protected":false},"author":1,"featured_media":88141,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/07\/b9c7acd7.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-88140","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/88140","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=88140"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/88140\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/88141"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=88140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=88140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=88140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}