chroot "jail" - what is it and how do I use it?

  • I have heard/read a lot about the chroot jail under linux but have never yet used it (I use Fedora day-to-day), so what is a chroot "jail"? When and why might I use it/not use it and is there anything else I should know? How would I go about creating one?

    answers here seem to be short on the "how do I use it category?" :(

  • Ben Combee

    Ben Combee Correct answer

    10 years ago

    A chroot jail is a way to isolate a process and its children from the rest of the system. It should only be used for processes that don't run as root, as root users can break out of the jail very easily.

    The idea is that you create a directory tree where you copy or link in all the system files needed for a process to run. You then use the chroot() system call to change the root directory to be at the base of this new tree and start the process running in that chroot'd environment. Since it can't actually reference paths outside the modified root, it can't perform operations (read/write etc.) maliciously on those locations.

    On Linux, using a bind mounts is a great way to populate the chroot tree. Using that, you can pull in folders like /lib and /usr/lib while not pulling in /usr, for example. Just bind the directory trees you want to directories you create in the jail directory.

    Your answer is great. One thing to mention though, chroot is not a secure mechanism (a process can break out of the jail if it becomes root and sometimes even if not). Real jails can be enforced with freebsd jails and the like. See this http://en.wikipedia.org/wiki/FreeBSD_jail#Similar_technologies

    The Gentoo install process uses a chroot so you can setup your new OS before you have installed GRUB and the Linux kernel etc.

    Take a look at firejail for a complete jailed shell using all the Linux namespaces. There are deb and rpm packages available. Generally, I'd recommend kernel 3.18 or later, though, due to a known problem with not being able to install new software or do user management when `firejail` is running.

    Great answer!--though some basic examples would be nice to see.

    Can a user under chroot jail call binary files located under `/bin` that is installed by the root user? @Ben Combee

    this answer is a little short on "how to use" can I get an example? some bash code? er somethin

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM