Chroot jails made simpler
Jail Management
Setting up chroot jails is no simple task. Jailkit can make this job a little easier by automating setup and configuration.
Both the chroot command and a container are ways to isolate parts of a system. However, their methods are quite different. While a container is a form of virtualization with its own allocated resources, chroot is a way to limit a user account's access to part of the directory tree by – as the name of the command implies – changing its root directory. The result is what is known as a chroot or, sometimes, a chroot jail, which draws on the larger system's resources as needed. The result is more economical, if less trendy than containers, but it is difficult to set up. Fortunately, most distros include jailkit [1], a collection of utilities that helps to automate setup and configuration.
Contrary to widespread misinformation, a chroot is not a security measure unless specifically configured as one. Although confinement in a jail can limit what an uninformed user can do, expert users could escape a jail by creating a second jail within the first. In addition, any process run with root privileges can access resources outside the chroot. Similarly, if a user has permissions for any files outside their home directory, they are not jailed. In addition, any user with root privileges can access the chroot from the main system, including those using sudo.
A chroot can be made secure with some effort. But more commonly, a chroot has other purposes, including:
- Sandboxing: Safely testing unstable builds without risking the rest of the system
- Creating a new environment: Usually for testing purposes
- Dependency control: Giving an application access to only certain versions of dependencies
- Running old software: Denying access to hardware that the software cannot handle
- Recovery: Making the entire chroot a filesystem that can be accessed after boot from a single drive, with utilities to help in restoring the system
Most of these purposes do not require a desktop environment, although you can add one to the chroot by installing the X clients section when using jk_init, if desired.
Chroot's Wikipedia entry lists a number of common uses, including Postfix utilities, FTP servers, and package-building farms for Debian, Ubuntu, SUSE, Fedora, and Red Hat when they test for dependencies [2]. Despite being added to Version 7 Unix as long ago as 1982 – and possibly earlier – chroot remains a versatile tool today.
Whatever your purpose, setting up a chroot can be a laborious task. First, the chroot needs to be initialized. Then, depending on your purposes, you may need to configure the files, the access to devices, the shell, the user access, and daemons in the chroot. There is even a separate wrapper for using procmail within the jail. A time may come, as well, when you want to edit or update files. About half of these actions have a default configuration file in /etc/jailkit, although you will probably need to edit it for your own purposes. However, the advantage is that, should you require a clone of a chroot, it can be created quickly. You might also locate an online example you can modify to suit your purpose. Note, though, that many examples assume a Debian or Ubuntu installation and may need to be modified for other distributions. You should also check the synopsis at the start of each man page to learn whether the command can be run from outside or inside the chroot.
More to the point, these actions can be simplified by jailkit's utilities, many of which have their own man page with more examples. Generally, however, the first option in a command will be --jail=CHROOT (-j CHROOT) and the last one the command, user, or other element of the main system that will interact with the jail.
To set up a chroot, you should run the utilities in the order listed below, skipping any that are irrelevant to your purposes. Those at the end of the list can be run periodically as the chroot evolves or needs updating.
jk_init
Begin the creation of a chroot with jk_init (Figure 1). At the very least, the command must specify the directory for the chroot plus the .ini file plus the sections to install:
/usr/sbin/jk_init -j CHROOT-DIRECTORY INI-FILE --configfile=FILE (-c FILE) SECTION
Alternatively, you can make configuration choices from the command line, which may be a more secure choice if you are not familiar with the contents of the .ini file:
jk_init -v CHROOT-DIRECTORY FILES-TO-INSTALL
The chroot's root directory, as well as its parent directories, will be created if they do not already exist. The sections available in jk_init.ini can be listed with the --list option (Figure 2).
The jk_init.ini file defines the basic configuration of the chroot, as well as the behavior of the other jailkit utilities. Jailkit installs with an .ini file for a set of general purpose paths and applications (Figure 3), but often you can create a much simpler chroot. For instance, Listing 1 shows an example from the man page that creates the chroot with a limited shell so it can run the sftp command.
Listing 1
Creating a Limited Shell
[jk_lsh]
comment = Jailkit limited shell
paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
users = root
groups = root
need_logsocket = 1
includesections = uidbasics

[sftp]
comment = ssh secure ftp with Jailkit limited shell
paths = /usr/lib/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
emptydirs = /svr
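Because includesections chains one section to others, a section usually installs more than its own paths line shows. The following added example (not part of the original article or of jailkit) expands a section before it is handed to jk_init; it reads the file with Python's configparser rather than jailkit's own parser, the function names are hypothetical, and the [uidbasics] and [netbasics] bodies are constructed placeholders, not jailkit's defaults.

```python
import configparser

# Constructed jk_init.ini. [jk_lsh] and [sftp] follow Listing 1 (comment lines
# dropped); the [uidbasics] and [netbasics] bodies are placeholders.
SAMPLE_INI = """
[uidbasics]
paths = /etc/nsswitch.conf
[netbasics]
paths = /etc/resolv.conf, /etc/hosts
includesections = uidbasics
[jk_lsh]
paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
users = root
groups = root
need_logsocket = 1
includesections = uidbasics
[sftp]
paths = /usr/lib/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
emptydirs = /svr
"""
LIST_KEYS = ("paths", "devices", "emptydirs", "users", "groups")
def _split(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def resolve_section(ini_text, name):
    """Return everything section `name` pulls in, following includesections."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    result = {key: [] for key in LIST_KEYS}
    seen = set()
    def visit(section):
        if section in seen:      # already merged, or an include loop
            return
        seen.add(section)
        if not cfg.has_section(section):
            raise KeyError(f"[{section}] is included but not defined")
        for dep in _split(cfg.get(section, "includesections", fallback="")):
            visit(dep)
        for key in LIST_KEYS:
            for item in _split(cfg.get(section, key, fallback="")):
                if item not in result[key]:
                    result[key].append(item)
    visit(name)
    return result

if __name__ == "__main__":
    print(resolve_section(SAMPLE_INI, "sftp"))
```

Included sections are merged before the section that includes them, and a section that is referenced but never defined raises an error instead of being skipped silently.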
jk_cp
Because a chroot is isolated from the rest of the system, you need to copy into the chroot any files or devices you want to run within it. The command takes a space-separated list of the full paths of the files to add to the chroot. If a command is copied, its dependencies are as well – a great time-saver compared with manual creation using the chroot command. The copy of each file has the same permissions as the original, except that setuid and setgid permissions are removable.
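The conditions under which a chroot stops confining a user (processes that gain root privileges, permissions on files outside the home directory) and the setuid and setgid bits mentioned for jk_cp can be checked on an existing jail. The following added example is not from the original article or from jailkit: audit_jail and build_sample_jail are hypothetical names, and the sample tree is constructed for the demonstration.

```python
import os
import stat

def audit_jail(jail_root):
    """Walk a chroot tree and report entries that weaken the jail."""
    findings = {"setid": [], "world_writable": [], "devices": []}
    for dirpath, dirnames, filenames in os.walk(jail_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode    # lstat: never follow links out of the jail
            rel = "/" + os.path.relpath(full, jail_root)
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings["setid"].append(rel)      # runs with its owner's or group's rights
            elif stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings["devices"].append(rel)    # compare with the devices = lines
            # World-writable and not sticky: any jailed account can swap the contents.
            if (stat.S_ISDIR(mode) or stat.S_ISREG(mode)) and mode & stat.S_IWOTH \
                    and not mode & stat.S_ISVTX:
                findings["world_writable"].append(rel)
    return {kind: sorted(paths) for kind, paths in findings.items()}

def build_sample_jail(root):
    """Create a small constructed jail layout (not a real jailkit tree)."""
    layout = {"usr": 0o755, "usr/bin": 0o755, "tmp": 0o1777,
              "home": 0o755, "home/user": 0o755, "home/user/upload": 0o777}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)             # chmod explicitly; makedirs honours umask
    for rel, mode in {"usr/bin/tool": 0o4755, "usr/bin/plain": 0o755}.items():
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("#!/bin/sh\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample_jail(root)
        for kind, paths in audit_jail(root).items():
            print(kind, paths)
```

On the constructed tree, the setuid copy in /usr/bin and the non-sticky world-writable upload directory are reported, while the sticky /tmp is not.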
jk_chrootsh
This command creates a login shell for the chroot. Since the shell has no access to the system's libraries or commands, most of those it needs must be copied into the chroot using jk_cp. Only a minimum set of commands is installed by default, such as the files in /etc/passwd needed for the user to log in. Other commands that can be executed in the chroot are defined in /etc/jailkit/jk_lsh.ini (see next).