Although there is another question with similar topic, it does not cover the memory use by the shared libraries in chrooted jails.
Let's say we have a few similar chroots. To be more specific, exactly the same sets of binary files and shared libraries, which are actually hard links to the master copies to conserve disk space (to prevent the possibility of file alteration, the file system is mounted read-only).
How is the memory use affected in such a setup?
This can be a valuable step in hardening the security of your system. We need a directory to act as the root directory of the chroot environment. So that we have a shorthand way of referring to that directory we’ll create a variable and store the name of the directory in it.
Chroot does one thing—run a command with a different root directory. The command being run has no idea that anything outside of its jail exists, as it doesn’t have any links to it, and as far as it’s aware, is running on the root filesystem anyway. There’s nothing above root, so the command can’t access anything else.
Chroot doesn’t block access to low-level system resources (that would require root to access), and as such, a privileged process could easily escape a jail. It is possible for non-privileged processes to break out entirely with the method chdir ("..") and another call to chroot.
This file doesn’t exist, which is the first problem with chroot—you have to build the jail yourself. But this only copies over the bash executable, and not all of its dependencies, which don’t exist in our jail yet. You can list the dependencies for bash with the ldd command:
As described in the chroot system call:
This call changes an ingredient in the pathname resolution process and does nothing else.
So, the shared library will be loaded in the same way as if it were outside the chroot jail (shared read-only pages, duplicated data, etc.).
http://man7.org/linux/man-pages/man2/chroot.2.html
Because hardlinks share the same underlying inode, the kernel treats them as the same item when it comes to caching/mapping.
You'll see filesystem cache savings by using hardlinks, as well as disk-space savings.
The biggest issue I'd have with this is that if someone manages to subvert the read-only nature of one of the chroot environments, then they could subvert all of them by making modifications to any of the hardlinked files.
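A check for the hardlink point above, as an added example that is not part of the thread: it classifies each file in a set of chroots as a hard link to the master copy (same device and inode, so the page cache holds one set of pages for every jail) or as a separate copy that the kernel caches on its own. The temporary directory layout it builds is constructed for the demonstration, and the library file name is only a placeholder.

```python
import os
import stat
import tempfile
from collections import defaultdict

def file_identity(path):
    """(device, inode): the pair the kernel keys the page cache on."""
    st = os.lstat(path)
    return (st.st_dev, st.st_ino)

def audit_chroots(master_root, chroot_roots):
    """Map each regular file under master_root to its status in every jail:
    'shared'  - hard link to the master copy, one set of cached pages
    'copy'    - separate inode, the jail caches (and can diverge in) its own pages
    'missing' - no such path in the jail"""
    report = defaultdict(dict)
    for dirpath, _, filenames in os.walk(master_root):
        for name in filenames:
            master_path = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(master_path).st_mode):
                continue
            rel = os.path.relpath(master_path, master_root)
            master_id = file_identity(master_path)
            for root in chroot_roots:
                candidate = os.path.join(root, rel)
                if not os.path.lexists(candidate):
                    report[rel][root] = "missing"
                elif file_identity(candidate) == master_id:
                    report[rel][root] = "shared"
                else:
                    report[rel][root] = "copy"
    return dict(report)

def build_demo():
    """Constructed layout: a master tree, one jail hard-linked to it and one
    jail holding byte-identical copies. Returns (master, [jails])."""
    base = tempfile.mkdtemp(prefix="chroot-audit-")
    master, linked, copied = (os.path.join(base, d) for d in ("master", "jail-linked", "jail-copied"))
    for d in (master, linked, copied):
        os.makedirs(os.path.join(d, "lib"))
    lib = os.path.join(master, "lib", "libc.so.6")  # placeholder name, not a real library
    with open(lib, "wb") as f:
        f.write(b"\x7fELF constructed placeholder bytes\n")
    os.link(lib, os.path.join(linked, "lib", "libc.so.6"))   # same inode as the master copy
    with open(lib, "rb") as src, open(os.path.join(copied, "lib", "libc.so.6"), "wb") as dst:
        dst.write(src.read())                                 # same bytes, new inode
    return master, [linked, copied]

if __name__ == "__main__":
    print(audit_chroots(*build_demo()))
```

Run it against real jails by passing the master tree and the chroot directories to audit_chroots; every "copy" entry is a file the page cache will hold once per jail.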