CIS 290 – LINUX Security
Lab Exercise #5: A simple chroot jail example
(Chapter 11, Sobell's Fedora and RHEL, 6th Edition)
1) To create a chroot jail, as root, give the command:
/usr/sbin/chroot <directory> <command>
The directory becomes the root directory, and the process runs <command>; if <command> is omitted, it attempts to run the default shell.
2) To create a chroot jail for an ordinary user, first create the user as root:
useradd user8
passwd user8
3) Create jailed directories
cd /home/user8
mkdir /home/user8/etc
mkdir /home/user8/dev
mkdir /home/user8/bin
mkdir /home/user8/lib
ls -al (note root ownership)
4) Change ownership to the ordinary user
chown user8 *
ls -al (note user8 ownership)
5) To set up a useful chroot jail, determine which utilities the chroot jail needs.
Then copy the appropriate binaries and their .so libraries (ldd command) into the jail.
cp /bin/ls ./bin
cp /bin/bash ./bin
cp /bin/echo ./bin
ldd /bin/ls
linux-gate.so.1 => (0xb77b6000)
libselinux.so.1 => /lib/libselinux.so.1 (0x46af0000)
librt.so.1 => /lib/librt.so.1 (0x46967000)
libcap.so.2 => /lib/libcap.so.2 (0x46cba000)
libacl.so.1 => /lib/libacl.so.1 (0x47837000)
libc.so.6 => /lib/libc.so.6 (0x467b6000)
libdl.so.2 => /lib/libdl.so.2 (0x46960000)
/lib/ld-linux.so.2 (0x46794000)
libpthread.so.0 => /lib/libpthread.so.0 (0x46944000)
libattr.so.1 => /lib/libattr.so.1 (0x477f6000)
ldd /bin/bash
linux-gate.so.1 => (0xb770e000)
libtinfo.so.5 => /lib/libtinfo.so.5 (0x480ad000)
libdl.so.2 => /lib/libdl.so.2 (0x46960000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x469b6000)
libc.so.6 => /lib/libc.so.6 (0x467b6000)
/lib/ld-linux.so.2 (0x46794000)
ldd /bin/echo
linux-gate.so.1 => (0xb7790000)
libc.so.6 => /lib/libc.so.6 (0x467b6000)
/lib/ld-linux.so.2 (0x46794000)
cp /lib/libdl.so.2 ./lib
cp /lib/libtinfo.so.5 ./lib
cp /lib/libselinux.so.1 ./lib
cp /lib/ld-linux.so.2 ./lib
cp /lib/libc.so.6 ./lib
cp /lib/libgcc_s.so.1 ./lib
cp /lib/librt.so.1 ./lib
cp /lib/libcap.so.2 ./lib
cp /lib/libacl.so.1 ./lib
cp /lib/libpthread.so.0 ./lib
cp /lib/libattr.so.1 ./lib
6) Run the process from chroot:
chroot /home/user8 /bin/ls
bin dev etc lib
chroot /home/user8 /bin/echo hi there
hi there
7) As an ordinary user:
exit (root)
su - user8
pwd
chroot /home/user8 /bin/ls
chroot: cannot change root directory to /home/user8: Operation not permitted
8) As root:
su -c "chroot /home/user8 /bin/ls"
9) To automate the process for user8 login, you can put su or sudo in the jail and then use a shell program to start the process inside the jail:
/usr/sbin/chroot /home/user8 /bin/su user8 -c /bin/bash
You will have to move all of PAM, including its libraries and configuration files, in the jail for su or sudo to function.
10) Create a dummy password and group file for the user at system level and copy to /home/user8/etc/passwd:
root:x:0:0::/:/bin/bash
user8:x:1004:1004::/home:/bin/bash
11) Copy to /home/user8/etc/group:
root:x:0:
jailed:x:1004:
12) chgrp jailed /home/user8
13) Copy the command from 9) into a shell script chroot.sh and make that script the program the user runs at login, as set in the system /etc/passwd. To do so, modify the system /etc/passwd as follows:
usermod -d /home/user8 -s /<some dir>/chroot.sh user8
- If you plan to deploy multiple chroot jails, it is a good idea to keep a clean copy of the bin and lib files somewhere other than in one of the active jails.
- Running a process shell inside a jail is done as follows:
/usr/sbin/chroot jailpath /bin/su user daemonname &
However, most processes come with their own “chroot jail” procedures – Apache, BIND, SSH, etc. Those are usually application specific.
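The ldd-and-copy work in step 5 can be scripted. The script below is an added example, not part of the original lab handout: jail_libs parses ldd output, and jail_add copies each binary and its libraries into the jail at the same absolute paths. The function names, the script name jail_add.sh and the SAMPLE_LDD variable are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the lab handout. Function names are illustrative.

# jail_libs: read ldd output on stdin, print each library file path once.
jail_libs() {
    awk '
        # "libc.so.6 => /lib/libc.so.6 (0x...)": the resolved path is field 3
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        # "/lib/ld-linux.so.2 (0x...)": the dynamic loader, listed by path only
        $1 ~ /^\//               { print $1 }
        # "linux-gate.so.1 => (0x...)" has no path, so there is no file to copy
    ' | sort -u
}

# jail_add JAIL BINARY...: copy each binary and its libraries into JAIL at the
# same absolute paths, so the loader finds them once JAIL is the root.
jail_add() {
    jail=$1; shift
    for bin in "$@"; do
        mkdir -p "$jail$(dirname "$bin")" && cp -p "$bin" "$jail$bin" || return 1
        # ldd may execute code from the file it inspects: trusted binaries only.
        ldd "$bin" | jail_libs | while read -r lib; do
            mkdir -p "$jail$(dirname "$lib")" && cp -p "$lib" "$jail$lib" || exit 1
        done || return 1
    done
}

# Constructed sample: the "ldd /bin/ls" output listed in step 5.
SAMPLE_LDD='linux-gate.so.1 => (0xb77b6000)
libselinux.so.1 => /lib/libselinux.so.1 (0x46af0000)
librt.so.1 => /lib/librt.so.1 (0x46967000)
libcap.so.2 => /lib/libcap.so.2 (0x46cba000)
libacl.so.1 => /lib/libacl.so.1 (0x47837000)
libc.so.6 => /lib/libc.so.6 (0x467b6000)
libdl.so.2 => /lib/libdl.so.2 (0x46960000)
/lib/ld-linux.so.2 (0x46794000)
libpthread.so.0 => /lib/libpthread.so.0 (0x46944000)
libattr.so.1 => /lib/libattr.so.1 (0x477f6000)'

# Usage as root: sh jail_add.sh /home/user8 /bin/ls /bin/bash /bin/echo
if [ "$#" -ge 2 ]; then
    jail_add "$@"
else
    printf '%s\n' "$SAMPLE_LDD" | jail_libs   # show what would be copied for ls
fi
```

Run with no arguments, the script only prints the nine library paths parsed from the sample and copies nothing.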