Sandboxing an Application with chroot

Sometimes, however, sandboxing an entire operating system is overkill. What if you just want to compile some software and install it without affecting your current system or give yourself the option of easily removing the software? Oddly enough, this is the exact same challenge that Bill Joy ran into while working on BSD back in the 1980s. His solution was to create the chroot system call and utility program.

With chroot, you must remember one critically important thing: chroot was not meant to be a security mechanism. Instead, it was designed to make software testing and installation easier and safer. A process or a user with root privileges can easily break out of a chroot environment and cause damage to the underlying operating system. However, this can largely be mitigated by running all software within the chroot as a non-root user and removing any potentially unsafe setuid binaries that run as root or with otherwise elevated privileges.

Building a chroot Environment

On RPM- and Debian DPKG-based systems, building a chroot environment is relatively easy. Some people will accuse me of being RPM-centric, and they'd be correct – I started with Slackware 1.0, but I switched after seeing Red Hat 3.0.3 and have been using Red Hat and CentOS ever since.

Also, Debian has documented the process of building a chroot environment properly, so I do not need to repeat it here [9].

To build a complete chroot environment, you need several basic items:

  • a file system with some basics, such as /dev/ and /proc/ (so that things like ps will work);
  • any programs and libraries needed to run the software you want to test; and,
  • optionally, an easy way to install or update software within the chroot, which is especially important if you want to use the chroot as a production environment to compartmentalize software).

Step 1: Basic File System

Here, I use /chroot as the chroot base directory. As root, execute:

# mkdir /chroot
# mkdir /chroot/proc
# mkdir /chroot/dev
# mount -t proc proc /chroot/proc
# /sbin/MAKEDEV generic -D /chroot/dev -d /chroot/dev

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Command Line: Debootstrap

    We provide basic instructions for using Debian's debootstrap to create a schroot jail for building and testing packages.

  • UCK

    We’ll show you how to create a custom Ubuntu ISO with the Ubuntu Customization Kit.

  • Free Software Projects

    Free software covers such a diverse range of applications that it can be hard to find the perfect tool. In this column,we pick the best of the bunch.This month you’ll learn about XFce 4.2, the PC in the PC,QBuildkde,and the latest news on the Sarge Release.

  • Linux From Scratch

    Linux From Scratch helps you create a custom Linux system with everything you need and nothing more. And as you build your system, you’ll get an insider’s look at how Linux really works.

  • Linux Intrusion Detection System

    If you're ready for mandatory access control and you're looking for an alternative to SELinux and AppArmor, try locking down your system with Linux Intrusion Detection System.

comments powered by Disqus

Direct Download

Read full article as PDF:

Sandboxing.pdf (812.63 kB)