Contents: Securing Network ServicesProxiesSpecific Examples

About this document

2. chrooting

2.1. What is a chroot jail?

To minimise the consequences of compromise of a daemon, run publicly-accessible services within a "jail" (from the daemon's point of view) or "sandpit" (from ours). The simplest way to do this is to make use of the chroot command, which wraps the chroot() system call: chroot() changes the root directory of a process (/proc/<procno>/root). Should an intruder manage to gain a shell on a host via a chooted daemon, they will have to break out of the "jail" too in order to set up their own services or cause (other) system damage.

2.2. How to chroot a daemon — outline

Recipes exist for some daemons/services, notably Apache and Bind, but for most it's a case of following the following guidelines and being prepared for a little trial and error:

If you follow a chroot HOWTO (e.g. that the widely-available ones for BIND and Apache, or that for Squid below) and it doesn't work for you, judicious use of strace (and perhaps fgrep, as above) will likely be your saviour.

2.3. An Example — chrooting The Squid Proxy (with PAM Authentication and syslogd)

Here we outline how to chroot the Squid Web proxy. (Squid actually contains a configuration option to chroot itself upon startup. Nevertheless, this example well illustrates the principles involved.)

N.B. These notes were written from memory, after chrooting Squid and have not been tested (by building a second jail from scratch by following these notes) — so beware! Corrections welcome.

  1. First, make the chroot directory, e.g., 
          prompt> mkdir /chroot_squid
    and the directories below this (bin, dev, etc, lib, usr, usr/local...).

  2. Build and install Squid in the usual place, e.g., /usr/local/squid.

  3. Determine which shared-object libraries ldd indicates are needed 
            ldd /usr/local/squid/sbin/squid

        libcrypt.so.1 => /lib/libcrypt.so.1 
        libpthread.so.0 => /lib/libpthread.so.0
        libm.so.6 => /lib/libm.so.6 
        libresolv.so.2 => /lib/libresolv.so.2 
        libnsl.so.1 => /lib/libnsl.so.1 
        libc.so.6 => /lib/libc.so.6 
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2
    and copy these into the /chroot_squid tree, i.e., to /chroot_squid/lib.

    In simple cases of chrooting --- if you are lucky --- this will be sufficient; mostly it is not. In this case 
            chroot /chroot_squid /usr/local/squid/sbin/squid
    will fail.

  4. Run 
            strace -o /tmp/squid.strace -v -f -r -e trace=open -tt \
                                                    /usr/local/squid/sbin/squid
    and, after a few seconds, kill the strace/squid process and examine the contents of /tmp/squid.strace, e.g., 
            fgrep \.so /tmp/squid.strace
    which gives us this list: 
            /lib/libcrypt.so.1
        /lib/libpthread.so.0
        /lib/libm.so.6
        /lib/libresolv.so.2
        /lib/libnsl.so.1
        /lib/libc.so.6
        /lib/libnss_files.so.2
        /lib/libnss_compat.so.2
        /lib/libnss_nis.so.2
        /lib/libnsl.so.1
        /lib/libnss_dns.so.2
    Copy the extra libraries from /lib to /chroot_squid/lib.

  5. Next up, Squid can be configured to use PAM authentication --- here is the pertinent line from squid.conf: 
            auth_param basic program /usr/local/squid/libexec/pam_auth
    and ldd /usr/local/squid/libexec/pam_auth gives some further libraries to copy to our chroot_squid tree: 
            libpam.so.0 => /lib/libpam.so.0 
        libdl.so.2 => /lib/tls/libdl.so.2
    Supporting PAM configuration and libraries must also be installed: 
            /chroot_squid/etc/pam.d/squid

        /chroot_squid/lib/security/pam_ldap.so
        /chroot_squid/lib/security/pam_unix_auth.so


  6. Ok, so now we're feeling confident, so we try to start Squid, 
            chroot /chroot_squid /usr/local/squid/sbin/squid
    but again it fails. It's time for a brute force: 
            strace -o /tmp/squid.strace -v -f -r /usr/local/squid/sbin/squid
    and examining the (tedious) output shows two devices that are required in out chroot jail: 
            /dev/null
        /dev/log
    For the first ls -l /dev/null 
            crw-rw-rw-  1 root root 1, 3 2005-03-21 08:39 /dev/null
    so 
            cd /chroot_squid/dev
        mknod null c 1 3


  7. To "enable" /dev/log, i.e., syslogging for Squid under out chroot jail, we note the relevant comments in the widely-available "Chroot Bind Howto" and also examine the syslogd man page. Hence, we edit /etc/init.d/syslogd to contain 
            SYSLOGD="-m 0 -a /chroot_squid/dev/log"
    which is equivalent to 
            /sbin/syslogd -m 0 -a /chroot_squid/dev/log
    We now have our two required devices: 
            ls -l /chroot_squid/dev

        srw-rw-rw-    1 root     root            0 2004-06-21 18:08 log
        crw-rw-rw-    1 root     root       1,   3 2004-06-21 18:23 null
    and Squid will now start in the chroot jail.

2.4. More

Docs -- examples : 

 -- Bind-Chroot-Howto (Debian):
        http://www.falkotimme.com/howtos/debian_bind_chroot/index.php

 -- apache: http://www.linux.com/article.pl?sid=04/05/24/1450203

 -- http://www.l0t3k.org/security/docs/chrooting/:

     -- 'chroot' an Apache tree with Linux and Solaris (Howto)
        Published on 2001-02-26 - by Denice Deatrich, �Denice Deatrich.

     -- Apache chrooting made simple
        Published on 2004 - by Ivan Ristic, �Ivan Ristic.

     -- Chroot-BIND HOWTO
        Published on December 01, 2001 - by Scott Wunsch, losurs.org.

     -- Chroot-BIND8 HOWTO
        Published on July 01, 2001 - by Scott Wunsch, losurs.org.

     -- Chrooting daemons and system processes HOW-TO
        Published on October 21, 2002 - by Jonathan, www.nuclearelephant.com.

     -- Linux Process Containment – A practical look at chroot and 
            User Mode Linux
        Published on June 03, 2003 - by Paul Lessard, �SANS Institute.

     -- Setting up chrooted sftp in linux
        Published on 2003 - by James Dennis, �James Dennis.


...previousup (conts)next...