Maintaining the chroot Environment
A chroot jail can be a useful tool, but it requires some additional maintenance even after it's set up. Some details to which you may need to attend include the following:
Log rotation ” All major distributions include some mechanism for log rotation. If your server stores log files in the chroot jail, you'll have to track down your distribution's log rotation mechanisms and modify them to handle the new location for these files. Alternatively, you can use the --bind option to mount to make your log file directory available within the chroot jail. (This works only with 2.4. x and later kernels .) If you fail to attend to log files, they may expand uncontrollably and possibly overwhelm your available disk space.
Program updates ” As noted earlier, if you update your server software, you must remember to copy the updated program files to the chroot jail directories. If you fail to do this, your server will remain vulnerable to whatever problems the update fixes. You must also remember to recreate any changes you make to startup scripts, else your updated server may run from outside the chroot jail.
File availability ” If your server works with data files you make available, such as a Web server that delivers Web pages, you must maintain the data files within the chroot environment. This isn't normally a problem, because the data files should normally exist only within the chroot jail. You might want to periodically check the file permissions to be sure that new files and directories have appropriate permissions for whatever security scheme you use, though.
New support files ” On occasion, you may need to add new support files. For instance, if you run a Web server from within a chroot jail and decide to start using a new CGI scripting language, you must copy the new language's files to the chroot jail directory. You might also want to delete files that are no longer being used, to reduce the risk of security breaches that might be caused by these files.
Fortunately, these tasks shouldn't consume too much time, above and beyond routine server maintenance. Most involve setting an option once and letting automatic procedures handle the rest, or taking extra steps when updating or reconfiguring a server.