Sandboxing an Application with chroot
Sometimes, however, sandboxing an entire operating system is overkill. What if you just want to compile some software and install it without affecting your current system or give yourself the option of easily removing the software? Oddly enough, this is the exact same challenge that Bill Joy ran into while working on BSD back in the 1980s. His solution was to create the chroot system call and utility program.
With chroot, you must remember one critically important thing: chroot was not meant to be a security mechanism. Instead, it was designed to make software testing and installation easier and safer. A process or a user with root privileges can easily break out of a chroot environment and cause damage to the underlying operating system. However, this can largely be mitigated by running all software within the chroot as a non-root user and removing any potentially unsafe setuid binaries that run as root or with otherwise elevated privileges.
Building a chroot Environment
On RPM- and Debian DPKG-based systems, building a chroot environment is relatively easy. Some people will accuse me of being RPM-centric, and they'd be correct – I started with Slackware 1.0, but I switched after seeing Red Hat 3.0.3 and have been using Red Hat and CentOS ever since.
Also, Debian has documented the process of building a chroot environment properly, so I do not need to repeat it here .
To build a complete chroot environment, you need several basic items:
- a file system with some basics, such as /dev/ and /proc/ (so that things like ps will work);
- any programs and libraries needed to run the software you want to test; and,
- optionally, an easy way to install or update software within the chroot, which is especially important if you want to use the chroot as a production environment to compartmentalize software).
Step 1: Basic File System
Here, I use /chroot as the chroot base directory. As root, execute:
# mkdir /chroot # mkdir /chroot/proc # mkdir /chroot/dev # mount -t proc proc /chroot/proc # /sbin/MAKEDEV generic -D /chroot/dev -d /chroot/dev
Buy this article as PDF
New release targets Linux professionals.
The Fedora project adds Wayland and Gnome 3.22
CeBIT 2017: Open Source Forum Call for Papers
Long-time Linux antagonist joins the revolution.
Major bug affects Debian/Ubuntu distributions.
Canonical releases the minimal edition for embedded devices, Internet of Things, and cloud deployments.
The new release features improvements across the board, from performance to security.
Two out of three of the new members are women.
More than 5,000 people attended the event.
Linux Magazine will include the best of both magazines.