CHROOT Tutorial
===============
By ChSh
January 28th, 2002

Have you ever wanted to give a friend remote shell access, but wanted to lock
down what they could access?
This tutorial, which I will try my damnedest to keep simple, endeavours to show
you how you can secure down your box and make sure that someone only has access
to what you want them to.
I'm writing this tutorial on a RedHat 7.1 system.

In case you don't know what chroot does: the name literally stands for "change
root directory", and it sets the / (root) directory of a process to another
directory of your choosing. There are a few steps you need to take before such
an environment is actually functional, which is what the rest of this tutorial
walks through.

The very first thing I would recommend is that you set this space up on its OWN
partition on your hard drive. This way you can ensure that you are not having
your real drive filled up by an obnoxious friend while you are away.

First, we'll start by making a directory. Let's use /usr/chroot.

[root@comp /]# mkdir /usr/chroot
[root@comp /]# cd /usr/chroot
[root@comp chroot]#

Now we have to create bin, etc, lib, var, and home directories inside it, so
that the binaries, libraries, and configuration files we copy in have somewhere
to live and remain accessible once the root has been changed.

[root@comp chroot]# mkdir bin etc lib var home

Now, we've got to copy /bin/bash and its dependencies to this structure. In
order to figure out what bash has as dependencies, we're going to use the ldd
tool. ldd lists all of the dependencies that a binary has. When you use ldd,
you'll have to make sure that you include the full path to the binary.

[root@comp chroot]# ldd /bin/bash
libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001e000)
libdl.so.2 => /lib/libdl.so.2 (0x40022000)
libc.so.6 => /lib/i686/libc.so.6 (0x40026000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

As you can see, bash depends on libtermcap.so.2, libdl.so.2, libc.so.6, and
ld-linux.so.2 from the /lib directory. So we simply copy these files to
/usr/chroot/lib.

[root@comp chroot]# cp /lib/libtermcap.so.2 /usr/chroot/lib
[root@comp chroot]# cp /lib/libdl.so.2 /usr/chroot/lib
[root@comp chroot]# cp /lib/i686/libc.so.6 /usr/chroot/lib
[root@comp chroot]# cp /lib/ld-linux.so.2 /usr/chroot/lib

Now, we copy bash itself to /usr/chroot/bin.

[root@comp chroot]# cp /bin/bash /usr/chroot/bin/

Now we can get a shell that's been chrooted to /usr/chroot/ by issuing the
command 'chroot /usr/chroot'.

[root@comp chroot]# chroot /usr/chroot
bash-2.04# pwd
/
bash-2.04# ls
bash: ls: command not found
bash-2.04#

As you can see, ls can't be found, and bash thinks that the current directory
is /. As far as all applications running in this environment are concerned, it
is your root directory. We've basically created a very useful chroot 'jail';
that is to say, a space on your filesystem that nobody will be able to break
out of. They will not see the contents of your /home/username/ directory, and
they will be unable to change or modify files outside of that structure.

Now, let's exit back out for now, and copy a few more utilities to make the
system at least quasi-usable.

bash-2.04# exit
exit
[root@comp chroot]# ldd /bin/ls
libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001e000)
libc.so.6 => /lib/i686/libc.so.6 (0x40022000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

As you can see, /bin/ls uses libraries we've already copied over for bash, so
we can simply copy /bin/ls to /usr/chroot/bin. While we're at it, let's copy
over touch, telnet, and vi.

[root@comp chroot]# cp /bin/ls /usr/chroot/bin
[root@comp chroot]# ldd /bin/touch
libc.so.6 => /lib/i686/libc.so.6 (0x4001e000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[root@comp chroot]# ldd /bin/vi
libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001e000)
libdl.so.2 => /lib/libdl.so.2 (0x40022000)
libc.so.6 => /lib/i686/libc.so.6 (0x40026000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[root@comp chroot]# ldd /usr/bin/telnet
libutil.so.1 => /lib/libutil.so.1 (0x4001e000)
libncurses.so.5 => /usr/lib/libncurses.so.5 (0x40021000)
libc.so.6 => /lib/i686/libc.so.6 (0x40063000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[root@comp chroot]# cp /lib/libutil.so.1 /usr/chroot/lib
[root@comp chroot]# cp /usr/lib/libncurses.so.5 /usr/chroot/lib
[root@comp chroot]# cp /bin/vi /usr/chroot/bin
[root@comp chroot]# cp /bin/touch /usr/chroot/bin
[root@comp chroot]# cp /usr/bin/telnet /usr/chroot/bin

Now let's run in our chroot'ed environment, and see what we can do.

[root@comp chroot]# chroot /usr/chroot
bash-2.04# touch temp
bash-2.04# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> close
Connection closed.
bash-2.04# vi temp
[Opens Vi]
bash-2.04# exit
exit
[root@comp chroot]#

As you can see, touch, vi, and telnet all worked once the libraries were copied
across. You should now be able to figure out how to get this chrooted
environment running the programs you want it to.
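The ldd-then-cp routine above is the same for every binary, so it is worth scripting. The script below is an added example, not part of the original tutorial: it parses ldd's output (the line shapes shown in the listings above, plus the vDSO and "not found" entries newer ldd versions print) and copies each binary and its libraries into the jail. Unlike the hand-typed cp commands above, it keeps every library at the same path it has on the host (so /lib/i686/libc.so.6 lands in JAIL/lib/i686/), which is where the dynamic loader will look for it inside the jail; the function names and the jail path are assumptions of this example.

```shell
#!/bin/sh
# jail-install.sh: automate the ldd-and-copy routine from the tutorial.
# Added example, not part of the original tutorial. Assumes a Linux ldd whose
# output has the shape shown in the tutorial's listings.

# ldd_paths: read ldd output on stdin and print one file path per line.
# The three line shapes ldd produces:
#   libc.so.6 => /lib/i686/libc.so.6 (0x40026000)   -> /lib/i686/libc.so.6
#   /lib/ld-linux.so.2 (0x40000000)                 -> /lib/ld-linux.so.2
#   linux-vdso.so.1 (0x00007ffd5a3f0000)            -> skipped, no file behind it
# A "=> not found" entry is reported on stderr so a missing library is noticed
# before the binary is tried inside the jail.
ldd_paths() {
    awk '
        $2 == "=>" && $3 == "not" { print "missing library: " $1 > "/dev/stderr"; next }
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $1 ~ /^\//                { print $1 }
    '
}

# jail_copy JAIL FILE: copy FILE into JAIL at the same path, creating parent
# directories as needed. An existing copy is left alone, so re-running the
# script never replaces a file already placed in the jail. cp follows the
# symlink most library names are, so the real file ends up under that name.
jail_copy() {
    jail=$1
    src=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")"
    if [ ! -e "$dest" ]; then
        cp -p "$src" "$dest"
    fi
}

# jail_install JAIL BINARY...: for each binary, copy it and every library
# ldd reports into JAIL. This is the tutorial's cp sequence in a loop.
jail_install() {
    jail=$1
    shift
    for bin in "$@"; do
        jail_copy "$jail" "$bin"
        ldd "$bin" | ldd_paths | while read -r lib; do
            jail_copy "$jail" "$lib"
        done
    done
}

# Usage, as root, for the binaries the tutorial installs:
#   jail_install /usr/chroot /bin/bash /bin/ls /bin/touch /bin/vi /usr/bin/telnet
```

Run it once per batch of binaries; because jail_copy refuses to overwrite, repeating the command is harmless, and any "missing library" line on stderr tells you the binary will fail inside the jail before you discover that the hard way.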

Now I'll move on to a couple of things you should know about linking.
After chrooting, a symbolic link inside the jail cannot reach files or
directories outside the jailed filesystem, because its target path is resolved
against the new root.

Consider web pages, for example. Let's say you created a symbolic link at
/usr/chroot/home/billy/html that pointed into the real filesystem at
/var/www/html/billy. Inside the jail that link would lead nowhere, because
/var/www/html/billy doesn't exist in the chroot'ed environment.
To circumvent this, you can always link the other way. By this, I mean create
the real directory /usr/chroot/home/billy/html and then make /var/www/html/billy
a symbolic link to /usr/chroot/home/billy/html. This works because the web
server runs outside the jail, without its restrictions. Keep in mind, though,
that if you allow someone to have web pages, do not allow them to create PHP or
Perl scripts, or anything else that lets them run shell commands as the web
server; otherwise it defeats the purpose of all the work you did to lock down
your box.

You can force a user to always end up in this chroot'ed environment (even if
they are sitting in front of the machine) by setting their login shell to a
shell script that does the chrooting for you. For this, I would recommend
reading the chroot login HOWTO by Tony J. White and Brian Rhodes, which is
available at http://tjw.org/chroot-login-HOWTO/
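A wrapper of that kind has two jobs: refuse to enter a jail that has been set up wrongly, and give up root before handing the user a shell. The script below is an added example written for this tutorial; it is not the author's script and not the one in the chroot login HOWTO. It assumes it is started as root (chroot(2) itself needs root), that chroot is the GNU coreutils version with the --userspec option, and that the jail lives at /usr/chroot with a hypothetical user billy, as in the web-page example above.

```shell
#!/bin/sh
# jail-shell.sh: sanity-check a jail, then enter it as an unprivileged user.
# Added example, not part of the tutorial or of the chroot login HOWTO it
# cites. Assumes it runs as root and that chroot is GNU coreutils' version
# (which has --userspec). The jail path and user name are hypothetical.

# jail_check JAIL [UID]: return 0 only if JAIL is a real directory (not a
# symlink), owned by UID (default 0, root), and writable by nobody else.
# A jail the jailed user can write to, or one that sits behind a symlink they
# control, is the classic chroot misconfiguration, so refuse to enter it.
jail_check() {
    jail=$1
    want_uid=${2:-0}
    if [ -L "$jail" ] || [ ! -d "$jail" ]; then
        echo "jail_check: $jail is not a plain directory" >&2
        return 1
    fi
    # ls -ldn prints "drwxr-xr-x 2 0 0 4096 ... /usr/chroot": field 1 is the
    # mode string, field 3 the numeric owner uid. set -- inside a function
    # only touches the function's own positional parameters.
    set -- $(ls -ldn "$jail")
    mode=$1
    owner=$3
    if [ "$owner" != "$want_uid" ]; then
        echo "jail_check: $jail is owned by uid $owner, expected $want_uid" >&2
        return 1
    fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    case "$mode" in
        ?????w*|????????w*)
            echo "jail_check: $jail is group- or world-writable ($mode)" >&2
            return 1 ;;
    esac
    return 0
}

# jail_enter JAIL USER: drop from root to USER's uid/gid and exec a login
# bash inside JAIL. The ids are resolved on the host before the chroot,
# because the jail has no /etc/passwd of its own. Dropping root is the part
# that matters: chroot on its own does not confine a process that keeps uid 0.
jail_enter() {
    jail=$1
    user=$2
    jail_check "$jail" || return 1
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    exec chroot --userspec="$uid:$gid" "$jail" /bin/bash -l
}

# Invoked as "jail-shell.sh /usr/chroot billy" from a root-run login hook it
# checks and enters the jail; run with no arguments it only defines the
# functions, which is what makes it testable.
if [ $# -eq 2 ]; then
    jail_enter "$1" "$2"
fi
```

The ownership and write-bit checks are the defender's side of the symlink discussion above: the jailed user must not be able to rearrange the jail's root or the directories beneath it, so the wrapper verifies that before every login rather than trusting that the setup was done once and never changed.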

That concludes the tutorial.

References:

CHROOT Login HOWTO, by Tony J. White and Brian Rhodes -
http://tjw.org/chroot-login-HOWTO/
CHROOT BIND HOWTO, by Peter Wunsch -
http://www.linuxdoc.org/HOWTO/Chroot-BIND-HOWTO.html
CHROOT Example, by Denice Deatrich -
http://hoohoo.ncsa.uiuc.edu/docs/tut...t-example.html

Other misc. references (from mailing lists):

http://mail.gnu.org/pipermail/bug-sh...ay/000601.html