Sandboxing an Application with chroot
Sometimes, however, sandboxing an entire operating system is overkill. What if you just want to compile some software and install it without affecting your current system or give yourself the option of easily removing the software? Oddly enough, this is the exact same challenge that Bill Joy ran into while working on BSD back in the 1980s. His solution was to create the chroot system call and utility program.
With chroot, you must remember one critically important thing: chroot was not meant to be a security mechanism. Instead, it was designed to make software testing and installation easier and safer. A process or a user with root privileges can easily break out of a chroot environment and cause damage to the underlying operating system. However, this can largely be mitigated by running all software within the chroot as a non-root user and removing any potentially unsafe setuid binaries that run as root or with otherwise elevated privileges.
Building a chroot Environment
On RPM- and Debian DPKG-based systems, building a chroot environment is relatively easy. Some people will accuse me of being RPM-centric, and they'd be correct – I started with Slackware 1.0, but I switched after seeing Red Hat 3.0.3 and have been using Red Hat and CentOS ever since.
Also, Debian has documented the process of building a chroot environment properly, so I do not need to repeat it here .
To build a complete chroot environment, you need several basic items:
- a file system with some basics, such as /dev/ and /proc/ (so that things like ps will work);
- any programs and libraries needed to run the software you want to test; and,
- optionally, an easy way to install or update software within the chroot, which is especially important if you want to use the chroot as a production environment to compartmentalize software).
Step 1: Basic File System
Here, I use /chroot as the chroot base directory. As root, execute:
# mkdir /chroot # mkdir /chroot/proc # mkdir /chroot/dev # mount -t proc proc /chroot/proc # /sbin/MAKEDEV generic -D /chroot/dev -d /chroot/dev
Buy this article as PDF
But if you are not using the latest Linux kernel, your system is insecure.
Home routers will give room for custom firmware but still comply with FCC rules
Frank Karlitschek will continue to lead the open source ownCloud project
“Xenial Xerus” comes with a new packages format and several improvements for the enterprise.
Linux users can now download and install the Windows code editor
New initiative will address security and interoperability concerns around container technology.
Developers can use RHEL as a development platform without a subscription fee.
Windows users will soon have native access to the Bash shell.
Improvements to SMTP will provide better guarantee of confidentiality
Graphics vendor embraces new reality in Linux graphics