Sandboxing - Linux Magazine Online

"Logging" In to a chroot

At this point, you'll be able to access the chroot with a command such as $ chroot /chroot/ bash, which will chroot you into the /chroot/ directory and execute bash from within it.

As I mentioned, chroot is not an inherently secure method for isolating applications. By not logging into the chroot as a privileged user such as root, and by removing any setuid and setgid binaries that run with elevated privileges, you can ensure that nothing runs as root within the chroot environment:

# find / -type f -perm +6000

Conclusion

Sandboxing is now easier than ever and its benefits have never been more important. Isolating badly written web applications from the underlying operating system or letting an administrator install a program without affecting the system can save both time and money. Like anything, prevention and foresight can significantly reduce the amount of work needed to maintain and fix a system long term, and sandboxing offers a practical tool to accomplish this.

Infos

Bochs: http://bochs.sourceforge.net/
KVM: http://kvm.qumranet.com/kvmwiki
OpenVZ: http://openvz.org/
QEMU: http://fabrice.bellard.free.fr/qemu/
User-Mode Linux: http://user-mode-linux.sourceforge.net/
VMware Server http://www.vmware.com/products/server/
VirtualBox: http://www.virtualbox.org/
XEN: http://xensource.com/
Debian chroot instructions: http://www.debian.org/doc/manuals/reference/ch-tips.en.html#s-chroot
Free VPS: http://www.freevps.com/
Linux-VServer: http://linux-vserver.org/
AppArmor: http://www.novell.com/linux/security/apparmor/
SELinux: http://www.nsa.gov/selinux/

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He is married and has four cats but no fish (because the cats are more hungry than afraid of water). He often wonders how it is that technology works on a large scale but often fails on a small scale.