Base chroot Jail Requirements
The chroot(2) system call changes the root directory of the calling process (and of every process it subsequently starts); from then on, every absolute path the process opens is resolved relative to the new root. For applications to function correctly, this new root directory must contain the base operating system primitives they rely on. Think of the contents of the chroot jail as a complete mini operating system and file system in itself. In particular, a subset of system libraries, configuration files, and device files, along with any application-specific files, must be available in the jail. These files should be copied into the jail. A hard link could be created instead if the jail and the source directory reside on the same file system, but a hard-linked file that is modified from inside the jail is modified outside it as well, so copies are the safer choice.
The following commands provide an example of creating the base jail directory (/var/chroot), copying the standard C library (/usr/lib/libc.so.1), a shell and ls(1) into the jail, and creating the null device file. The major and minor numbers given to mknod(1M) are those of Solaris; check your own system with ls -lL /dev/null before creating the device:
# mkdir -p /var/chroot/usr/lib /var/chroot/dev /var/chroot/bin
# chown -R root:root /var/chroot; chmod -R 755 /var/chroot
# cp -p /usr/lib/libc.so.1 /var/chroot/usr/lib/libc.so.1
# cp -p /bin/sh /var/chroot/bin/sh
# cp -p /bin/ls /var/chroot/bin/ls
# mknod /var/chroot/dev/null c 13 2
A minimum base set of files and devices is typically required within any chroot jail. The exact set varies between UNIX variants, but the following Solaris base should be applicable to most systems once the library names and paths are adjusted for the platform:
The NULL device file /dev/null
The 'zero' device file /dev/zero
The TCP/IP protocol device file /dev/tcp
The UDP/IP protocol device file /dev/udp
Standard C library /usr/lib/libc.so.1
Runtime linker /usr/lib/ld.so.1
Dynamic linker library /usr/lib/libdl.so.1
Network services library /usr/lib/libnsl.so.1
TCP/IP networking library /usr/lib/libsocket.so.1
DNS services shared object /usr/lib/nss_dns.so.1
File services shared object /usr/lib/nss_files.so.1
Time zone database /usr/share/lib/zoneinfo and /etc/TIMEZONE
Hosts database /etc/hosts and /etc/inet/hosts
Services database /etc/services
Protocols database /etc/protocols
Name services configuration /etc/nsswitch.conf
Resolver configuration /etc/resolv.conf
Temporary storage directories /var, /var/tmp, /var/run and /tmp
The chroot jail should be owned by root with a permission mask of 755, so that the jailed process cannot write into the jail's directories or replace the binaries and libraries it loads. The permissions of each file and directory described above should be identical to those within the standard base operating system. Do not copy setuid binaries into the jail, and run the application as an unprivileged user: a process that holds root privileges inside a chroot can escape from it (see the chroot-break reference at the end of this document).
Determining chroot Jail Inclusions
Most non-trivial applications will require more than the base jail set outlined above. Determining the entire set of resources required by an application is more an art than an exact science.
The WebCrossing server (installed into /opt/webx) will be used to illustrate the procedure.
The base binaries and configuration files of the WebCrossing tree (/opt/webx) should be copied into the chroot jail with permissions preserved. For example:
# mkdir -p /var/chroot/opt/webx
# cp -p -R /opt/webx/. /var/chroot/opt/webx
(/opt/webx/. rather than /opt/webx/* is used so that files whose names begin with a dot are copied as well.)
The libraries that an application is linked against can be displayed with the ldd(1) (Solaris, Linux, etc.) or chatr(1) (HP-UX) command. ldd(1) may also be run on a library to determine that library's own dependencies. Example output from ldd(1) against WebCrossing's webx-go executable is:
# ldd webx-go
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libpthread.so.1 => /usr/lib/libpthread.so.1
libthread.so.1 => /usr/lib/libthread.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
The libraries displayed as dependencies by ldd(1) or chatr(1) should be copied into the appropriate relative directory within the jail.
However, this method does not cover shared objects that an application loads itself at run time with dlopen(3) (the nss_*.so.1 name-service modules are loaded this way on Solaris), nor the configuration and data files it opens. To discover which files and libraries are actually opened at run time, the operations of the application can be captured with a system call trace.
A system call trace is performed with the truss(1) (Solaris), strace(1) (Linux), tusc(1) (HP-UX 11.X), trace(1) (HP-UX 10.X), or ktrace(1) with kdump(1) (BSD) command. Readers familiar with C programming should have no difficulty in following a system call trace.
An example of tracing the WebCrossing process as it starts up in the base (non-chrooted) operating system, showing only the open(2) calls, is as follows (truss writes to standard error, hence the 2>&1):
# truss -f webx-go 2>&1 | grep open | more
6642: open("/usr/share/lib/zoneinfo/US/Pacific", O_RDONLY) = 3
The above line indicates that webx-go opens the file /usr/share/lib/zoneinfo/US/Pacific, so this file must be copied into the jail at the same path for WebCrossing to function correctly. In addition to system call tracing, some initial analysis of the application (its documentation, startup scripts, and configuration files) can assist in getting things right the first time.
Putting It All Together
You will need to start WebCrossing from a shell inside the jail, so make sure that you have copied /bin/sh and /bin/ls into /var/chroot/bin together with the resources they need (the runtime linker and the libraries ldd(1) reports for them). When all required resources are installed in the jail, it is time to test WebCrossing in the chroot environment. This can be done by executing the following commands:
# /usr/sbin/chroot /var/chroot /bin/sh
# cd /opt/webx
# ./webx-go
If there are problems at this point, a system call trace will again show which resource is missing. A failed open(2) or stat(2) of a file that was not copied appears as Err#2 ENOENT in truss(1) output (and as = -1 ENOENT in strace(1) output):
# truss -f /usr/sbin/chroot /var/chroot /opt/webx/webx-go 2>&1 | grep ENOENT
Copy each file the trace reports as missing to the same relative path inside the jail, then repeat the test until the application starts cleanly.
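The following POSIX shell helpers are an added example, not code from the original article or from WebCrossing. They automate the two discovery steps described above: resolving a binary's ldd(1) dependencies and harvesting the files a truss(1) or strace(1) trace reports as missing, then copying each one into the jail at the same relative path with permissions preserved. The jail root defaults to the article's /var/chroot (override with JAIL=...), and the sample ldd and trace lines in the comments are constructed from the article's output plus their Linux equivalents. Relative paths in a trace are skipped, since resolving them would require the process's working directory.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for populating a
# chroot jail from ldd(1) output and from a system call trace.
# JAIL is the jail root; /var/chroot is the article's choice (assumption).
JAIL="${JAIL:-/var/chroot}"

# Copy one absolute host path into $JAIL, creating parent directories and
# preserving mode/owner/timestamps (cp -p), as the article does by hand.
# Already-installed paths are skipped so the function can be re-run after
# each trace; a source missing on the host is reported and fails.
jail_install() {
    src="$1"
    dst="$JAIL$src"
    if [ -e "$dst" ]; then
        return 0
    fi
    if [ ! -e "$src" ]; then
        echo "jail_install: $src not found on host" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dst")" || return 1
    cp -p "$src" "$dst"
}

# Read ldd(1) output on stdin and print one absolute library path per line.
# Handles the Solaris form  "libc.so.1 => /usr/lib/libc.so.1"  and the Linux
# form, which adds a load address in parentheses, a "linux-vdso.so.1 (0x..)"
# entry with no file behind it, and the runtime linker as a bare
# "/lib64/ld-linux-x86-64.so.2 (0x..)" line.  "=> not found" is dropped.
ldd_libs() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    ' | LC_ALL=C sort -u
}

# Read truss(1)/strace(1) output on stdin and print the absolute path of
# every file the traced program failed to find (ENOENT).  truss prints
#   6642: open("/etc/hosts", O_RDONLY) Err#2 ENOENT
# and strace prints
#   openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 ENOENT (...)
# In both the path is the first double-quoted string on the line.
trace_missing() {
    grep ENOENT | sed -n 's/^[^"]*"\(\/[^"]*\)".*/\1/p' | LC_ALL=C sort -u
}

# Install a binary and every library ldd(1) says it is linked against.
# Usage: jail_install_binary /opt/webx/webx-go
jail_install_binary() {
    bin="$1"
    jail_install "$bin" || return 1
    ldd "$bin" | ldd_libs | while read -r lib; do
        jail_install "$lib" || exit 1
    done
}

# Install everything a trace of the jailed program reports as missing.
# Usage: truss -f /usr/sbin/chroot "$JAIL" /opt/webx/webx-go 2>&1 | jail_install_missing
jail_install_missing() {
    trace_missing | while read -r path; do
        jail_install "$path" || exit 1
    done
}
```

Run jail_install_binary once for the application and once for each of /bin/sh and /bin/ls, then alternate between tracing the jailed start-up and jail_install_missing until the trace shows no ENOENT. Because ldd(1) does not see dlopen(3) loads, the trace pass is what picks up the nss_*.so.1 modules and the data files under /etc and /usr/share/lib.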
As stated in the disclaimer above, these procedures have not been thoroughly tested. This document is meant to be used as a guideline for experimental purposes only.
References
SysAdmin Magazine, August 2001, article by Liam Widdowson (the bulk of this document was taken from that article and edited to focus on chrooting WebCrossing)
How to break out of a chroot() jail: http://www.bpfh.net/simes/computing/chroot-break.html
How to eliminate the ten most critical Internet security threats: http://www.sans.org/topten.htm