
Tech Skills - Red Hat Enterprise Linux 7 - 3.0 Securing Services

A chroot jail "virtualizes" the filesystem hierarchy by restricting a process to only see files under a single directory, displayed as the root. This technique isolates applications and users to prevent access to resources outside the jail. The document provides an example of creating an SSH/SFTP chroot jail, including generating device nodes, copying dependencies, and configuring sshd to use the jail. Determining dependencies requires using ldd to see which shared libraries are needed and copying them into the jail.

Uploaded by DDDD

Tech Skills - Red Hat Enterprise Linux 7 - 3.0 Securing Services
Filename: techskills-linuxsecurity-3-2-chroot_jails
Title: Chroot Jails
Subtitle: Linux Security Techniques

3.2 Chroot jails


What is a Chroot jail?

Chroot
"Virtualizes" the filesystem hierarchy
Not actually virtual
Directory structure is hidden from the session
Only a single folder tree is visible, and it is displayed as root
Example: /var/jail would show as /
The filesystem jail is designed to be inescapable

What are some of the uses for this?

Application jails
A compromised application can be held to its own folders
User session jails
Users are unable to access resources outside of their jail
Honey pots
Jails can be created with extended logging to catch attackers

Can we place anything we want into a chroot jail?

Technically, you can chroot anything


Dependencies become a real challenge
Calls to system folders (/proc, /var, etc.) would have to be jailed as well
Can be tricky to catch them all
Many key applications directly support chroot, making it much easier
SSH/SFTP
Apache
MySQL/MariaDB
Postfix

Can you show us an example of how we use chroot?

SSH/SFTP Example

1. Create a service account
    useradd service1
    passwd service1
2. Create jail directory
    mkdir -p /jail/service1/home/service1
    cd /jail/service1
    mkdir dev etc lib64 bin
3. Set ownership and permissions
    chown root:root /jail/service1
    chmod 755 /jail/service1
4. Create logical devices
    mknod -m 666 /jail/service1/dev/null c 1 3
    mknod -m 666 /jail/service1/dev/tty c 5 0
    mknod -m 666 /jail/service1/dev/zero c 1 5
    mknod -m 666 /jail/service1/dev/random c 1 8
5. Create config files
    echo export PATH=/bin >> /jail/service1/home/service1/.profile
6. Copy the application files into the jail
    cp /bin/bash /jail/service1/bin/
    cp /bin/ls /jail/service1/bin/

How do we know what dependencies go along with the applications?


Determine the bash and ls dependencies and copy them into place
    ldd /bin/bash
    ldd /bin/ls
    cp /usr/lib64/libtinfo.so.5 /jail/service1/lib64/
    cp /usr/lib64/libdl.so.2 /jail/service1/lib64/
    cp /usr/lib64/libc.so.6 /jail/service1/lib64/
    cp /usr/lib64/ld-linux-x86-64.so.2 /jail/service1/lib64/
    cp /usr/lib64/libcap.so.2 /jail/service1/lib64/
    cp /usr/lib64/libacl.so.1 /jail/service1/lib64/
    cp /usr/lib64/libpcre.so.1 /jail/service1/lib64/
    cp /usr/lib64/libattr.so.1 /jail/service1/lib64/
    cp /usr/lib64/libpthread.so.0 /jail/service1/lib64/
    cp /usr/lib64/libselinux.so.1 /jail/service1/lib64/
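
The dependency step above, as an added example that is not part of the original notes: a shell script that parses ldd output and copies every resolved library into the jail at the path ldd reported, stopping if any library is unresolved. The function names, the sample ldd output and the libexample.so.1 entry are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes); function names are assumptions.

# Constructed sample of `ldd /bin/bash` output; addresses and libexample are made up.
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 =>  (0x00007ffc0a1f2000)
    libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f3a5c1d0000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f3a5bfcc000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a5bbfe000)
    libexample.so.1 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a5c3fa000)
EOF
}

# Read ldd output on stdin, print one absolute library path per line.
# The vdso has no file on disk and "not found" entries have no path; both are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | sort -u
}

# Read ldd output on stdin, print the names the loader could not resolve.
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# copy_deps JAIL BINARY...: copy each binary's libraries into JAIL, keeping
# the path ldd reported so the loader finds them after chroot.
# Run ldd only on trusted binaries: ldd(1) warns it may execute the program.
copy_deps() (
    jail=$1; shift
    for bin in "$@"; do
        out=$(ldd "$bin") || { echo "ldd failed for $bin" >&2; exit 1; }
        missing=$(printf '%s\n' "$out" | ldd_missing)
        [ -z "$missing" ] || { echo "$bin: unresolved: $missing" >&2; exit 1; }
        printf '%s\n' "$out" | ldd_paths | while read -r lib; do
            # -L copies the file a symlink points to, not the link itself
            mkdir -p "$jail$(dirname "$lib")" && cp -L "$lib" "$jail$lib" || exit 1
        done || exit 1
    done
)

# With arguments (e.g. /jail/service1 /bin/bash /bin/ls) copy for real;
# with none, show what the parser extracts from the constructed sample.
if [ "$#" -ge 2 ]; then copy_deps "$@"; else sample_ldd | ldd_paths; fi
```
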

Now that we have built the jail, how do we use it?

1. Set sshd to use the chroot directory
    vi /etc/ssh/sshd_config
        Match User service1
            ChrootDirectory /jail/service1
2. Restart sshd
    systemctl restart sshd.service
