chroot "jail" - what is it and how do I use it?
I have heard/read a lot about the chroot jail under Linux but have never yet used it (I use Fedora day-to-day), so what is a chroot "jail"? When and why might I use it/not use it and is there anything else I should know? How would I go about creating one?
A chroot jail is a way to isolate a process and its children from the rest of the system. It should only be used for processes that don't run as root, as root users can break out of the jail very easily.
The idea is that you create a directory tree where you copy or link in all the system files needed for a process to run. You then use the `chroot()` system call to change the root directory to be at the base of this new tree and start the process running in that chroot'd environment. Since it can't actually reference paths outside the modified root, it can't perform operations (read/write etc.) maliciously on those locations.
On Linux, using bind mounts is a great way to populate the chroot tree. Using that, you can pull in folders like `/usr/lib` while not pulling in `/usr`, for example. Just bind the directory trees you want to directories you create in the jail directory.
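The tree-building step described in the answer above, as an added example that is not part of the original answer: it copies a binary and the shared libraries `ldd` reports for it into a jail directory, so the process can start after `chroot`. The function names, the jail path and the `nobody:nobody` account in the final comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). All names are hypothetical.

# list_deps BINARY: print absolute paths of the shared objects BINARY needs.
# ldd lines look like "libc.so.6 => /lib64/libc.so.6 (0x...)" or
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only fields that are absolute
# paths. A static binary yields no output. Run ldd on trusted binaries only,
# because it may invoke the binary's own loader.
list_deps() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        sort -u
}

# copy_into_jail JAIL FILE: copy FILE to the same path below JAIL.
# cp -L dereferences symlinks, so the jail gets real files, not dangling links.
copy_into_jail() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -L "$src" "$jail$src"
}

# populate_jail JAIL BINARY...: install each binary and its libraries.
populate_jail() {
    jail=$1
    shift
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin" || return 1
        for lib in $(list_deps "$bin"); do
            copy_into_jail "$jail" "$lib" || return 1
        done
    done
}

# Typical use (the chroot step needs root; the jail path is an assumption):
#   populate_jail /srv/jail /bin/sh /bin/ls
#   chroot --userspec=nobody:nobody /srv/jail /bin/sh
# --userspec (GNU coreutils) drops root before the command starts, which
# matches the advice above that the jailed process should not run as root.
```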
Your answer is great. One thing to mention though, chroot is not a secure mechanism (a process can break out of the jail if it becomes root and sometimes even if not). Real jails can be enforced with FreeBSD jails and the like. See this http://en.wikipedia.org/wiki/FreeBSD_jail#Similar_technologies
The Gentoo install process uses a chroot so you can set up your new OS before you have installed GRUB and the Linux kernel etc.
Take a look at firejail for a complete jailed shell using all the Linux namespaces. There are deb and rpm packages available. Generally, I'd recommend kernel 3.18 or later, though, due to a known problem with not being able to install new software or do user management when `firejail` is running.
Can a user under chroot jail call binary files located under `/bin` that are installed by the root user? @Ben Combee