[NMLUG] chroot -- can somebody help me out?
Here are my two cents.
Jailing and chroot are quite different, with different results.
Jailing or chroot jail is a way of 1. restricting access of a process to a
certain subset of the directory hierarchy, and 2. running the process or
service at "lower" privileges. chroot is run to limit access to the
filesystem and then setuid and other such programs are run to "lower" the
privileges of the program or service.
Chroot only will set the directory hierarchy, no lowering of privileges.
Typically you are root after running this command.
This being said, the reason we jail things is so that when someone breaks the
program, they cannot get past the directory subset and so that when they
break in, they are at lower privileges, preventing them from doing great harm
in the chrooted environment.
That being said, jailing firefox would prevent malicious code on a website
from running rampant in your system, albeit a small chance.
To jail firefox, yes you would need all of X in the jail along with any other
libraries of firefox in there.
You would almost need an entire minimal system, to chroot to, I suggest maybe
a minimal system, that you chroot to at the terminal and then run X, that way
your whole X is chrooted.
Also, it seems that there is a small performance loss when jailing or
chrooting, just to keep you informed.
Good Luck-
michael
On Thu, 16 Dec 2004 15:12:52 -0700, Dan Parrish wrote
>
> Jody Harris wrote:
> | Sam Noble wrote:
> |
> |> On Thu, 2004-12-16 at 10:15 -0700, Jody Harris wrote:
> |>
> |>> Maybe I just don't have the system configured correctly, or maybe I'm
> |>> taking the whole wrong approach....
> |>>
> |>> I'd like to: run Firefox in a chroot jail
> |>>
> |>> How?
> |>>
> |>> man chroot --> look at the info page
> |>>
> |>> info coreutils chroot --> not much more help.
> |>>
> |>> Am I going to have to install Gentoo and make everything statically
> |>> linked?
> |>>
> |>> No matter what directory I select as the new root, I get the same
> |>> message, "cannot change root directory to /my/path: Operation not
> |>> permitted"
> |>>
> |>
> |> On a Debian system you:
> |>
> |> $ mkdir ~/chroot-jail
> |>
> |> # apt-get install debootstrap
> |>
> |> # debootstrap woody ~/chroot-jail
> |>
> |> # chroot ~/chroot-jail
> |
> |
> | Thanks, Sam.
> |
> | I "installed into a directory" using YaST (SUSE 9.2). In this case, I
> | took the suggested dir of /var/tmp/dirinstall.
> |
> | Once that was done, I had to su to root, then I could run 'chroot
> | /var/tmp/dirinstall/'
> |
> | Voila! I was in a new virtual Linux box, logged in as root, sitting at
> | the bash prompt, in the new virtual root.
> |
> | pretty cool, but I still don't know enough for it to be useful.
> |
> | I was thinking about running that tinyp2p in a chroot jail. There are
> | lots of other things I'd like to have the option of jailing as well.
> | Finally, there are things I'd like to be able to do the setup/tear down
> | routine until I get the setup part mastered.
> |
> | Anybody use chroot for anything?
> |
> | j
> |
>
> I don't know about chroot'ing an app. I think jails are for users, not
> applications. If you chroot'd yourself into the jail, then launched
> firefox, it wouldn't launch unless you had everything you needed for
> your X to work as well...Which would be so much stuff you'd not have
> much benefit from it.
>
> The only thing I know to use chroots and jails for are for the
> users...IOW, when you chroot your apache, you're jailing the apache
> user, not the files or programs inside.
>
> IOW, you can do it...Technically, but the benefit would be minimal.
>
> I use jails for that whole backup scheme we were discussing last
> week, and I also use it for a few daemons such as apache and the ftp
> server.
>
> - -Dan
> _______________________________________________
> NMLUG mailing list
> NMLUG@nmlug.org
> http://www.nmlug.org/mailman/listinfo/nmlug
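Michael's point above is that chroot by itself only changes the root directory and leaves you as root, while a jail also lowers privileges. As an added example (not code from this thread), here is a small C wrapper that does both in the order that matters and refuses to run the program if it is still privileged; the jail path, the uid/gid 65534 and the program name in the usage comment are constructed values.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Enter a chroot jail and drop privileges, in the order that matters:
 * chroot() first (needs root), chdir("/") so the working directory is
 * inside the new root instead of left outside it, then drop the
 * supplementary groups, the gid and finally the uid. Returns -1 with
 * errno set on any failure; the caller must stop rather than carry on. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (chroot(root) != 0)       return -1;
    if (chdir("/") != 0)         return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    return 0;
}

/* Check after the drop: the effective uid must be the requested one and
 * regaining root must fail. Returns 1 if genuinely unprivileged, 0 if the
 * process still is, or can become, root (a plain chroot leaves it there). */
int privileges_dropped(uid_t uid)
{
    if (geteuid() != uid) return 0;
    if (setuid(0) == 0)   return 0;
    return 1;
}

/* Usage as root, with constructed example values:
 *   ./jail /var/tmp/dirinstall 65534 65534 /bin/sh */
int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s ROOT UID GID PROGRAM...\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (enter_jail(argv[1], uid, gid) != 0) { perror("enter_jail"); return 1; }
    if (!privileges_dropped(uid)) { fputs("still privileged\n", stderr); return 1; }
    execv(argv[4], &argv[4]);
    perror("execv");
    return 1;
}
```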