chroot jail is a technology used to change the "apparent root
/ directory for a user or a process" and confine that user to that location on the system. A user or process that is confined to the
chroot jail cannot easily see or access the rest of the file system and will have limited access to the binaries (executables/apps/utilities) on the system. From its
chroot (8) - run command or interactive shell with special root directory
Although it is not security proof, it does have some useful security use cases, from tampering. Some have used
chroot to contain DNS servers, for example.
chroot is also the conceptual basis for some kinds of virtualization technologies that are common today, like Docker.
In this tutorial, we are going to create a
chroot for a human user account.
Step 1: Let's create a new user. After we create the new user, we will
chroot that user going forward.
sudo su useradd -m -U -s /usr/bin/bash vader passwd vader
Step 2: Next, we
chroot vader into a new directory. That directory will be located at
/var/chroot. Note that the root directory for our regular users is
/, but user vader's root directory will be different
/var/chroot, even if they can't tell.
Step 3: Now we set up available binaries for the user. We'll only allow
bash for now. To do that, we'll create a
bin/ directory, and copy
bash to that directory.
which bash mkdir -p /var/chroot/usr/bin mkdir -p /var/chroot/bin cp /usr/bin/bash /var/chroot/usr/bin/ cp /usr/bin/bash /var/chroot/bin/
Step 4: Large software applications have dependencies (aka, libraries). Thus, next we copy the libraries that
bash needs to run.
To identify libraries needed by bash:
locate command to be sure you identify the exact locations of the libraries:
locate libtinfo.so.6 ...
Create a library directory. We'll name the library directory after lib64 since these are all lib64 libraries.
mkdir /var/chroot/lib64 cp /usr/lib64/libtinfo.so.6 /var/chroot/lib64/ cp /usr/lib64/libdl.so.2 /var/chroot/lib64/ cp /usr/lib64/libc.so.6 /var/chroot/lib64/ cp /usr/lib64/ld-linux-x86-64.so.2 /var/chroot/lib64/
Step 5: Create and test the
chroot /var/chroot/ bash-5.1# ls bash: ls: command not found bash-5.1# help bash-5.1# dirs bash-5.1# cd bin/ bash-5.1# dirs bash-5.1# cd ../lib64/ bash-5.1# dirs bash-5.1# cd .. bash-5.1# exit
Step 6: Create a new group called chrootjail. We can add users to this group that we want to jail. Instructions are based on linuxconfig.org.
groupadd chrootjail usermod -a -G chrootjail vader groups vader
Step 7: Edit
/etc/ssh/sshd_config to direct users in the
chrootjail group to the
chroot directory. Add the following line at the end of the file. Then restart ssh server.
# nano /etc/ssh/sshd_config Match group chrootjail ChrootDirectory /var/chroot/
nano, and restart
systemctl restart sshd
The logout of the server altogether:
Step 8: Test
Connect to the Fedora server via
ssh as the user vader:
ssh vader@relevant_ip_address -bash-5.1$ ls -bash: ls: command not found exit
That works as expected. The user vader is now restricted to a special directory and has limited access to the system or to any utilities on that system.
By using the
ldd command, you can add additional binaries for this user. As an exercise, use the
ldd command to locate the libraries for the
nano editor, and make
nano available to the user vader in the chrooted directory.
After making Bash available in
(Side note: Unlike previous instances when I use the # sign to indicate a comment, below I'm using the # sign below to indicate the root prompt.)
# which nano /usr/bin/nano # cp /usr/bin/nano /var/chroot/bin/ # ldd /usr/bin/nano linux-vdso.so.1 (0x00007fff5bdd5000) libmagic.so.1 => /lib64/libmagic.so.1 (0x00007f0ce11a7000) libncursesw.so.6 => /lib64/libncursesw.so.6 (0x00007f0ce1167000) libtinfo.so.6 => /lib64/libtinfo.so.6 (0x00007f0ce1138000) libc.so.6 => /lib64/libc.so.6 (0x00007f0ce0f6e000) libz.so.1 => /lib64/libz.so.1 (0x00007f0ce0f54000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f0ce0f4d000) /lib64/ld-linux-x86-64.so.2 (0x00007f0ce1232000) # cp /usr/lib64/libmagic.so.1 /var/chroot/lib64/ # cp /usr/lib64/libncursesw.so.6 /var/chroot/lib64/ # cp /usr/lib64/libtinfo.so.6 /var/chroot/lib64/ # cp /usr/lib64/libc.so.6 /var/chroot/lib64/ # cp /usr/lib64/libz.so.1 /var/chroot/lib64/ # cp /usr/lib64/libdl.so.2 /var/chroot/lib64/ # cp /usr/lib64/ld-linux-x86-64.so.2 /var/chroot/lib64/ # chroot /var/chroot/ bash-5.1# nano Error opening terminal: xterm-256color. bash-5.1# exit
To fix this, install
ncurses-term and copy over additional files:
# dnf install -y ncurses-term # locate xterm-256color /usr/share/terminfo/s/screen.xterm-256color /usr/share/terminfo/x/xterm-256color # mkdir -p /var/chroot/etc/terminfo/x/ # cp /usr/share/terminfo/x/* /var/chroot/etc/terminfo/x/ # chroot /var/chroot # nano