Necessary chroot Environment Files

The first task in configuring a server to operate in a chroot jail is to prepare the jail. This means you must create an appropriate directory tree, copy system files, and copy the server's files. In some sense, you set up a miniature Linux system in the chroot jail, but this miniature system is missing most of the programs and configuration files that make up a normal Linux system.

NOTE: This section describes the process of setting up the chroot environment in a relatively abstract way. The next section, "Configuring a Server to Operate in a chroot Jail," provides a more concrete look at server configuration, including an example of running BIND in a chroot jail.

Preparing a Directory Tree

A chroot jail needs a directory to call its own. In principle, you can place this directory anywhere in the Linux filesystem tree, except for pseudo-filesystem directories like /proc. If your server needs to be able to write files, the chroot directory tree must exist on a read/write medium. The examples in this chapter use /opt/chroot as the root of the chroot jail, but this is an arbitrary placement.

Within your chroot tree, you should create directories modeled after those of the normal Linux root directory, including subdirectories. Chances are you'll need only a small subset of the directories needed in a regular Linux installation, though. Common directories you might need to create include /bin, /sbin, /usr, /lib, /etc, and /var. You may need to add to this directory list as you add server-specific files. You should not populate these directories with all the files that reside in their regular counterparts; much of the point of running in a chroot jail is to deprive a would-be cracker of access to the regular mix of tools available in these directories.

If you want to run multiple chroot servers, you should create a separate chroot tree for each one. For instance, you might create /opt/chroot/ftp and /opt/chroot/sendmail.
Copying Server Files

Once you've created a basic chroot jail directory tree, you need to copy files into that tree. There are actually two different conditions that may apply.

First, the server may directly support chroot operations. In this case, it may not be necessary to copy the server's executable to the chroot jail. Instead, you run the server from outside the jail, but tell it where the jail is. The server then issues a chroot() call internally, and thereafter it's locked into the jail. The server might read its configuration files from outside of the jail, too, so this operation can be nearly transparent: you only need to provide the jail itself and whatever files the server needs during normal operation. FTP servers often lock themselves into chroot jails in this way, particularly when they run as anonymous FTP servers. Chapter 21, Running FTP Servers, covers anonymous FTP server operation, including setting up the necessary chroot jail directory.

The other option is to run a server that doesn't include built-in chroot support by using the chroot program. In this approach, you must copy the server executable file, its configuration files, and any files it requires during normal operation to the jail. You'll also have to copy some more general system files, as described in the next section, "Copying System Files." Tracking down the files that the server needs can be tricky, because there's no simple rule that will always find the necessary files. You may be able to find leads by checking the server's documentation and by examining the list of files that come with the distribution package. For instance, you can use tar, rpm, or dpkg to list the files in the original server package. You may not need to copy all of these files; for instance, you can leave documentation files outside of the chroot jail. Another trick is to use the strace program to discover what files a server opens. You can run the server with a command like strace serverprog and examine the output to discover what serverprog is doing, including what files it's opening.

NOTE: Although I refer to copying files, you may ultimately want to move them instead. This will guarantee that your server is running from the jail, at least if your configuration files use absolute references to other files, such that they won't work except in a chroot environment. Creating hard links, if the jail is on the same partition as the main files, may also be an option. (Symbolic links won't work if they lead outside of the jail.) On the other hand, creating a chroot jail in its own partition offers some security advantages, because it's then impossible to create hard links to files outside of the chroot environment, thus reducing the risk of a server compromise being used to modify outside files.

Copying System Files

After you've copied the basic server files to the chroot jail, you must copy any general-purpose Linux system files upon which the server depends. Precisely what files are needed varies from one server to another, but some common files you might need include the following:
- Libraries: Many servers rely upon dynamically linked libraries. These are usually stored in /lib, or occasionally /usr/lib. You can discover what libraries a given server requires by using the ldd command, as in ldd /usr/sbin/named. You should copy any files listed by this command to equivalent directories in the chroot jail.

- Support programs: Some servers rely on support programs. For instance, a Web server that supports scripting relies upon the scripting language executable (such as /usr/bin/perl), and perhaps files that support this executable. You must copy these support programs to appropriate directories in the chroot jail. You must also locate and copy the libraries upon which the support programs rely. In some cases, such as scripting languages used by Web servers, you'll actually copy more support program files than server files into the chroot jail.

- Device files: Some servers may rely upon access to hardware device files. For instance, a backup server needs access to your tape device file. A few libraries and programs require access to special-purpose device files like /dev/zero or /dev/null. Device files are normally found in /dev. They can't be copied like ordinary files; instead, you should recreate them in the chroot jail by using the mknod command, as in mknod /opt/chroot/dev/st0 c 9 0. Note that many device files provide great power, so you shouldn't create device files in a chroot environment unless they're absolutely necessary.

- Special filesystems: A few servers may rely upon special filesystems or filesystem manipulation tools. In particular, some servers need access to the /proc filesystem. You can't copy this directory like most others. Instead, you must create a duplicate entry in /etc/fstab for this filesystem, but mounted within the chroot jail. Do not remove the original /proc filesystem, though; duplicate it! Other non-chroot programs still require /proc in its usual location. If you can avoid it, you shouldn't duplicate /proc in this way, because it includes pseudo-files that could give an attacker substantial power over your computer, even from within a chroot jail.

- User database files: Some servers require access to /etc/passwd, /etc/group, /etc/shadow, and similar user and group database files. Servers that use the Pluggable Authentication Module (PAM) approach to authentication require the entire PAM infrastructure, including the /etc/pam.conf file, the contents of /etc/pam.d and /etc/security, and various libraries with pam in their names in /lib and /lib/security. Check your PAM package's contents for clues about what you might need to duplicate. (This package is often called libpam.)

- Logging files: If the server creates log files, you should create an appropriate directory for them. Some servers rely upon syslogd to do their logging, so you may need to copy this daemon and all its support files into the chroot jail. Some servers can be configured to do their own logging, even if they ordinarily rely upon syslogd.

For servers that include explicit internal chroot() support, chances are good that you'll need to copy fewer system files than for servers that don't include this support. The servers that include internal chroot() calls can often load libraries, system files, and so on before calling chroot(), and so don't need those files to be stored in their chroot environments, even if the files are required for ordinary operation.

TIP: For best security, take a minimal approach to support files. Copy only those files you're reasonably certain the server requires, then try running the server (perhaps with a debugging option to produce extra debugging output on the console, if the server supports such an option). This should give you some clues about what extra files might be required; for instance, the server might complain that it can't find a configuration file. Add more files as necessary, and you should end up with the minimal configuration that works.
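The following shell script is an added example; it is not from the book and not any server's own installation script. It carries out the steps described under "Copying Server Files" and "Copying System Files": it creates the skeleton directory tree, copies a server binary together with the libraries ldd reports, copies the files a strace run shows the server opening successfully, and creates /dev/null with mknod. The jail root defaults to the book's /opt/chroot. The strace output embedded as STRACE_SAMPLE is constructed for illustration (the file names /etc/example-server.conf and /var/log/example-server.log in it are made up), and the script assumes the trace was captured with strace -f -e trace=open,openat -o server.trace serverprog.

```shell
#!/bin/sh
# Added example, not from the book: automate the jail-population steps.
# Assumptions: JAIL defaults to /opt/chroot; the strace run used
#   strace -f -e trace=open,openat -o server.trace serverprog
# STRACE_SAMPLE below is constructed sample output, not a real server's trace.
set -u

JAIL="${JAIL:-/opt/chroot}"

STRACE_SAMPLE='1001 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1001 openat(AT_FDCWD, "/etc/example-server.conf", O_RDONLY) = 4
1001 openat(AT_FDCWD, "/etc/example-server.conf", O_RDONLY) = 4
1001 openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1001 openat(AT_FDCWD, "/dev/null", O_RDWR) = 5
1001 open("/var/log/example-server.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 6'

# make_jail_tree: only the skeleton directories the section lists.
make_jail_tree() {
    for d in bin sbin usr lib etc var dev; do
        mkdir -p "$1/$d"
    done
    chmod 755 "$1"   # the jail root must not be writable by the server's user
}

# needed_libs: every absolute path ldd prints (dynamic loader included).
# Empty for static binaries or where ldd is unavailable. ldd runs the dynamic
# loader on the binary, so use it only on binaries you already trust.
needed_libs() {
    ldd "$1" 2>/dev/null | grep -oE '/[^ ]+' | sort -u
}

# strace_opened: distinct paths whose open()/openat() succeeded.
# strace_missing: paths the server tried but could not open (= -1 ...); these
# are often optional files you can deliberately leave out of the jail.
strace_opened() {
    printf '%s\n' "$1" | grep -E '^([0-9]+ +)?(open|openat)\(' | grep -v '= -1 ' \
        | sed -E 's/^[^"]*"([^"]+)".*$/\1/' | sort -u
}
strace_missing() {
    printf '%s\n' "$1" | grep -E '^([0-9]+ +)?(open|openat)\(' | grep '= -1 ' \
        | sed -E 's/^[^"]*"([^"]+)".*$/\1/' | sort -u
}

# copy_into_jail: copy one regular file to the same path below the jail.
# Directories are created rather than copied; device nodes are skipped because
# cp would turn them into regular files (recreate them with mknod instead).
copy_into_jail() {
    jail="$1"; src="$2"
    if [ -d "$src" ]; then mkdir -p "$jail$src"; return 0; fi
    if [ ! -f "$src" ]; then return 0; fi
    mkdir -p "$jail$(dirname "$src")" && cp "$src" "$jail$src"
}

# install_server: the binary, its libraries, and everything the trace showed it
# opening. Returns non-zero if any copy fails.
install_server() {
    jail="$1"; bin="$2"; trace="$3"
    copy_into_jail "$jail" "$bin" || return 1
    for f in $(needed_libs "$bin") $(strace_opened "$trace"); do
        copy_into_jail "$jail" "$f" || return 1
    done
}

# make_dev_null: mknod needs root; otherwise print the command to run later.
make_dev_null() {
    [ -c "$1/dev/null" ] && return 0
    if [ "$(id -u)" -eq 0 ]; then
        mknod -m 666 "$1/dev/null" c 1 3
    else
        echo "run as root: mknod -m 666 $1/dev/null c 1 3" >&2
    fi
}

# Usage: JAIL=/opt/chroot sh build-jail.sh /usr/sbin/serverprog
if [ -n "${1:-}" ]; then
    make_jail_tree "$JAIL"
    install_server "$JAIL" "$1" "$STRACE_SAMPLE"
    make_dev_null "$JAIL"
    echo "files the trace shows the server could not open (probably optional):"
    strace_missing "$STRACE_SAMPLE"
fi
```

Run it as root with the path of the server you are jailing. Because only regular files are copied, any device or /proc entry that appears in the trace is left for you to create deliberately, in keeping with the advice above to add device files and a duplicate /proc only when they are absolutely necessary; the list of failed opens printed at the end is the starting point for the minimal-approach iteration the TIP describes.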