Chroot Jails: Theory

Understanding the Reasons and Concepts

Author: Jeff Propes
Date: June 7, 2013

Follow along with me at http://self2013.grimoi.re/chroot/

Overview

Four questions

Concepts

Tools

Things Not Covered

Tools to automatically build chroot jails for you
  • mkjail, jailtool, debootstrap

Linux containers

Full system virtualization
  • Xen, VMware, Virtual Box

!!! Warning !!!

We will be spelunking through complex concepts and tools

Lot of ground to cover

Some concepts and tools will not be fully understood here today

Some concepts and tools will require additional study

What is a chroot jail?

Break down the phrase into parts

Assemble all the definitions together

What do they provide?

Secure, self-contained environment for a process, service, or user to live in

Isolation between different processes

Provides all required functionality

Can be built for almost any use

Why are they useful? Why would you want them?

Protect the system from a compromised service or malicious users

Maintain multiple distinct environments for tools

Requires fewer resources than a full VM solution

When can I use them? When should I use them?

Security reasons

Best practices

Parallel environments

How do I create them? How do I plan and deploy them?

  1. Understand a process's needs and structure

    • Don't forget interaction with the rest of the system
  2. Establish a path for your chroot jail

  3. Copy your process and all necessary support items into the chroot jail

    • Maintain the same path inside the jail
    • /dev/zero becomes /path/to/jail/dev/zero
  4. Alter your startup script to chroot at the appropriate time
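Step 3 of the procedure above, as an added example that is not part of the talk: a small POSIX shell script that copies a binary and the shared libraries ldd reports for it into a jail directory, keeping every path identical inside the jail. It assumes ldd, awk and cp are available; device nodes and the final chroot need root and are left to the startup script, as step 4 describes.

```shell
#!/bin/sh
# Added example (not from the talk): populate a chroot jail with a binary and its
# ldd-reported libraries, preserving host paths (/lib/x/libc.so.6 -> $JAIL/lib/x/libc.so.6).
# Assumes: ldd, awk, cp. Device nodes (mknod) and chroot itself require root and are
# left to the jail's startup script.
set -eu

# Print the absolute library paths ldd reports for a binary, one per line.
# A statically linked binary yields nothing: it needs no shared libraries.
# Caveat (see the Tools slide): libraries loaded at run time via dlopen are not listed.
jail_deps() {
    bin=$1
    ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' || true
}

# Copy one host file into the jail at the same absolute path it has on the host.
jail_copy() {
    jail=$1; src=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")"
    cp -p "$src" "$dest"
}

# Copy a binary plus every library it needs; print how many files were placed.
jail_populate() {
    jail=$1; bin=$2
    count=0
    for f in "$bin" $(jail_deps "$bin"); do
        jail_copy "$jail" "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Check that a host path exists at the same relative location inside the jail.
jail_has() {
    [ -e "$1$2" ]
}

# Usage: sh populate_jail.sh /path/to/jail /usr/bin/tool
# Afterwards, as root: chroot /path/to/jail /usr/bin/tool
if [ $# -eq 2 ]; then
    echo "placed $(jail_populate "$1" "$2") file(s) under $1"
fi
```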

Concepts

Resource sharing

Statically compiled binaries vs. dynamically linked

Permissions, users, and groups

File handles

Interacting with other parts of the system

Tools

ldd
Displays the shared libraries that a binary executable requires. All of these libraries will need to exist in the chroot jail. Warning: libraries a program loads at run time (via dlopen) are not displayed
strace
Displays all of the system calls of a binary. This tool helps you find out why IT'S NOT bleepING WORKING

Fin

Stay tuned for the second session
  • examples and live construction of chroot jails

Topics for further study