Sandboxing an Application with chroot
Sometimes, however, sandboxing an entire operating system is overkill. What if you just want to compile some software and install it without affecting your current system or give yourself the option of easily removing the software? Oddly enough, this is the exact same challenge that Bill Joy ran into while working on BSD back in the 1980s. His solution was to create the chroot system call and utility program.
With chroot, you must remember one critically important thing: chroot was not meant to be a security mechanism. Instead, it was designed to make software testing and installation easier and safer. A process or a user with root privileges can easily break out of a chroot environment and cause damage to the underlying operating system. However, this can largely be mitigated by running all software within the chroot as a non-root user and removing any potentially unsafe setuid binaries that run as root or with otherwise elevated privileges.
Building a chroot Environment
On RPM- and Debian DPKG-based systems, building a chroot environment is relatively easy. Some people will accuse me of being RPM-centric, and they'd be correct – I started with Slackware 1.0, but I switched after seeing Red Hat 3.0.3 and have been using Red Hat and CentOS ever since.
Also, Debian has documented the process of building a chroot environment properly, so I do not need to repeat it here .
To build a complete chroot environment, you need several basic items:
- a file system with some basics, such as /dev/ and /proc/ (so that things like ps will work);
- any programs and libraries needed to run the software you want to test; and,
- optionally, an easy way to install or update software within the chroot, which is especially important if you want to use the chroot as a production environment to compartmentalize software).
Step 1: Basic File System
Here, I use /chroot as the chroot base directory. As root, execute:
# mkdir /chroot # mkdir /chroot/proc # mkdir /chroot/dev # mount -t proc proc /chroot/proc # /sbin/MAKEDEV generic -D /chroot/dev -d /chroot/dev
Buy this article as PDF
Xen project announces a privilege escalation problem for Qemu host systems
Attackers can compromise an Android phone just by sending a text message
PC vendor will pre-install Ubuntu on portables in India.
More embarrassment for Adobe's embattled multimedia tool
Mozilla’s script blocker add-on could be putting malware sites on the whitelist.
The Internet community officially banishes the notoriously unsafe Secure Sockets Layer protocol.
Popular desktop environment continues the Gnome 2 legacy – with new support for the Gnome 3 toolkit.
The Obama White House has issued a memorandum telling all US government agencies they must use HTTPS for all websites and web communication.
New program will dial up security for the Firefox browser.
Red Hat's community distro embraces the cloud.