Sandboxing an Application with chroot
Sometimes, however, sandboxing an entire operating system is overkill. What if you just want to compile some software and install it without affecting your current system or give yourself the option of easily removing the software? Oddly enough, this is the exact same challenge that Bill Joy ran into while working on BSD back in the 1980s. His solution was to create the chroot system call and utility program.
With chroot, you must remember one critically important thing: chroot was not meant to be a security mechanism. Instead, it was designed to make software testing and installation easier and safer. A process or a user with root privileges can easily break out of a chroot environment and cause damage to the underlying operating system. However, this can largely be mitigated by running all software within the chroot as a non-root user and removing any potentially unsafe setuid binaries that run as root or with otherwise elevated privileges.
Building a chroot Environment
On RPM- and Debian DPKG-based systems, building a chroot environment is relatively easy. Some people will accuse me of being RPM-centric, and they'd be correct – I started with Slackware 1.0, but I switched after seeing Red Hat 3.0.3 and have been using Red Hat and CentOS ever since.
Also, Debian has documented the process of building a chroot environment properly, so I do not need to repeat it here .
To build a complete chroot environment, you need several basic items:
- a file system with some basics, such as /dev/ and /proc/ (so that things like ps will work);
- any programs and libraries needed to run the software you want to test; and,
- optionally, an easy way to install or update software within the chroot, which is especially important if you want to use the chroot as a production environment to compartmentalize software).
Step 1: Basic File System
Here, I use /chroot as the chroot base directory. As root, execute:
# mkdir /chroot # mkdir /chroot/proc # mkdir /chroot/dev # mount -t proc proc /chroot/proc # /sbin/MAKEDEV generic -D /chroot/dev -d /chroot/dev
Buy this article as PDF
Kernel king admits his tone has alienated volunteers, but says the demands of the process require directness.
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.