Sandboxing

"Logging" In to a chroot

At this point, you'll be able to access the chroot with a command such as $ chroot /chroot/ bash, which will chroot you into the /chroot/ directory and execute bash from within it.

As I mentioned, chroot is not an inherently secure method for isolating applications. By not logging into the chroot as a privileged user such as root, and by removing any setuid and setgid binaries that run with elevated privileges, you can ensure that nothing runs as root within the chroot environment:

# find / -type f -perm +6000

Conclusion

Sandboxing is now easier than ever and its benefits have never been more important. Isolating badly written web applications from the underlying operating system or letting an administrator install a program without affecting the system can save both time and money. Like anything, prevention and foresight can significantly reduce the amount of work needed to maintain and fix a system long term, and sandboxing offers a practical tool to accomplish this.

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He is married and has four cats but no fish (because the cats are more hungry than afraid of water). He often wonders how it is that technology works on a large scale but often fails on a small scale.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Command Line: Debootstrap

    We provide basic instructions for using Debian's debootstrap to create a schroot jail for building and testing packages.

  • Free Software Projects

    Free software covers such a diverse range of applications that it can be hard to find the perfect tool. In this column,we pick the best of the bunch.This month you’ll learn about XFce 4.2, the PC in the PC,QBuildkde,and the latest news on the Sarge Release.

  • VServer

    The VServer project offers a secure and highly efficient virtualization alternative.

  • UCK

    We’ll show you how to create a custom Ubuntu ISO with the Ubuntu Customization Kit.

  • CloudLinux: More Hosting Accounts

    The Cloud Linux company in Princeton NJ has released its like-named operating system in version 5.5. The LiteSpeed webserver is now partnering with it to provide a corresponding version 4.0.14.

comments powered by Disqus

Direct Download

Read full article as PDF:

Sandboxing.pdf (812.63 kB)

News

njobs Europe
What:
Where:
Country:
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia