 

How does chroot affect dynamic libraries memory use?

Although there is another question with similar topic, it does not cover the memory use by the shared libraries in chrooted jails.

Let's say we have a few similar chroots. To be more specific, exactly the same sets of binary files and shared libraries which are actually hard links to the master copies to conserve the disk space (to prevent the potential possibility of a files alteration the file system is mounted read only).

How is the memory use affected in such a setup?

Asked Dec 25 '13 by Serge (368 upvotes)




2 Answers

As described in the chroot system call:

This call changes an ingredient in the pathname resolution process and does nothing else.

So, the shared library will be loaded in the same way as if it were outside the chroot jail (sharing read-only pages, duplicating data, etc.).

http://man7.org/linux/man-pages/man2/chroot.2.html

Answered Oct 01 '22 by hdante (68 upvotes)


Because hardlinks share the same underlying inode, the kernel treats them as the same item when it comes to caching/mapping.

You'll see filesystem cache savings by using hardlinks, as well as disk-space savings.

The biggest issue I'd have with this is that if someone manages to subvert the read-only nature of one of the chroot environments, then they could subvert all of them by making modifications to any of the hardlinked files.

Answered Oct 01 '22 by Petesh (37 upvotes)
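Both answers come down to one fact: the kernel identifies a mapped file by device and inode, not by the pathname a process resolved inside its chroot. The script below is an added example (not part of the question or either answer) that makes this visible from `/proc/<pid>/maps`. It groups every file-backed mapping of several processes by `(dev, inode)` and reports which objects are mapped by more than one process, so two jails whose `libc.so.6` is a hard link to one master copy show up under a single inode (one set of page-cache pages, and, as Petesh notes, one file that a write through any jail would alter), while a jail holding an ordinary copy shows up under its own inode. It also splits one process's mappings into read-only segments (shared page-cache pages) and writable private segments (copy-on-write, duplicated per process once written), which is hdante's "share read only pages, duplicate data". The PIDs, addresses, device number, inode numbers and jail paths in `SAMPLE_MAPS` are constructed for the example; run it with real PIDs as arguments to read the live `/proc` files instead.

```python
"""Group file-backed mappings of several processes by (device, inode).

Added example for the chroot/hard-link discussion above; not code from
the original page. Parses the /proc/<pid>/maps format and shows which
on-disk objects are actually shared between processes.
"""
import re
from collections import defaultdict

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Yield (start, end, perms, dev, inode, path) for each file-backed mapping.

    Mappings with inode 0 (anonymous memory, [heap], [stack], [vdso]) are
    skipped: they are never shared through the page cache.
    """
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        inode = int(m.group("inode"))
        if inode == 0:
            continue
        yield (int(m.group("start"), 16), int(m.group("end"), 16),
               m.group("perms"), m.group("dev"), inode, m.group("path").strip())


def shared_objects(maps_by_pid):
    """Return {(dev, inode): {pid: {paths}}} for objects mapped by >1 process.

    The key is (device, inode), which is how the page cache identifies a
    file. Two processes listed under one key share physical pages even when
    their chroots spell the pathname differently. A jail that holds a plain
    copy of the library gets its own inode and therefore its own pages.
    """
    by_obj = defaultdict(lambda: defaultdict(set))
    for pid, text in maps_by_pid.items():
        for _, _, _, dev, inode, path in parse_maps(text):
            by_obj[(dev, inode)][pid].add(path)
    return {obj: dict(pids) for obj, pids in by_obj.items() if len(pids) > 1}


def split_by_sharing(text):
    """Split one process's file-backed mappings into shareable and private bytes.

    Read-only mappings (r--p, r-xp) are backed directly by page-cache pages
    shared by every process mapping the same inode. Writable private
    mappings (rw-p: each library's .data/.bss) are copy-on-write, so the
    kernel duplicates a page for this process the first time it is written.
    """
    shareable = private = 0
    for start, end, perms, _, _, _ in parse_maps(text):
        if "w" in perms:
            private += end - start
        else:
            shareable += end - start
    return {"shareable": shareable, "private_cow": private}


def _libc_maps(jail, inode, base):
    """Build constructed maps lines for one libc mapping at a given base."""
    p = f"{jail}/lib/x86_64-linux-gnu/libc.so.6"
    segs = [(0x0, 0x28000, "r--p", "00000000"), (0x28000, 0x1bd000, "r-xp", "00028000"),
            (0x1bd000, 0x215000, "r--p", "001bd000"), (0x215000, 0x219000, "rw-p", "00214000")]
    lines = [f"{base + s:x}-{base + e:x} {perms} {off} 08:01 {inode} {p}"
             for s, e, perms, off in segs]
    lines.append("7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]")
    return "\n".join(lines) + "\n"


# Constructed sample (assumption, not real system data): PIDs 101 and 102 run
# in jails whose libc is a hard link to one master copy (inode 1311811);
# PID 103's jail holds an ordinary copy of libc (inode 1311999).
SAMPLE_MAPS = {
    101: _libc_maps("/jail1", 1311811, 0x7f3b4a200000),
    102: _libc_maps("/jail2", 1311811, 0x7f90c1000000),
    103: _libc_maps("/jail3", 1311999, 0x7f1122000000),
}


if __name__ == "__main__":
    import sys
    pids = [int(p) for p in sys.argv[1:]]
    maps = {p: open(f"/proc/{p}/maps").read() for p in pids} if pids else SAMPLE_MAPS
    for (dev, inode), pid_paths in shared_objects(maps).items():
        print(f"{dev} inode {inode} shared by pids {sorted(pid_paths)}")
        for pid, paths in sorted(pid_paths.items()):
            print(f"  {pid}: {', '.join(sorted(paths))}")
    for pid, text in maps.items():
        print(pid, split_by_sharing(text))
```

On a real host, `sudo python3 maps_sharing.py <pid-in-jail1> <pid-in-jail2>` (reading another user's maps needs ptrace access) lists every object the two jailed processes share by inode. An object that appears once per jail with different inode numbers is a copy, not a link, and is costing you page cache twice; an object that appears under one inode from several jail paths is the hard-link case, where the saving and Petesh's shared-blast-radius caveat both apply.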