 

Is it possible to let chroot jails share directories (read-only) outside the jail?

I have multiple chroot jails, and I want them to share some directories; currently I have to copy these directories into the jails, which I think is not elegant. The directories are read-only, like '/usr/bin'.

freestyler asked Dec 09 '11 03:12


People also ask

How does a chroot jail work?

It allows you to run a program with a root directory other than /. The program cannot see or access files outside the designated directory tree. Such an artificial root directory is called a chroot jail, and its purpose is to limit the directory access of a potential attacker.

When setting up a chroot jail, which directory becomes the new root?

The new_root directory passed to the chroot utility becomes the artificial root directory. chroot changes to new_root and runs the optional command. Without a command as an argument, chroot changes to new_root and runs the value of the SHELL environment variable, or /bin/sh if SHELL is not set.

Can the superuser break out of a chroot jail?

Yes. In a chroot environment, if a program is running with root privileges, it may be able to perform a second chroot and break out of the chrooted environment, so a chroot jail is not a security boundary against root.

How is a chroot jail used to improve application security?

A correctly configured chroot jail will contain only the files and libraries needed to run the service, all of which are set to minimum privileges. This prevents an attacker from exploring the file system outside of the jailed directory or from executing binaries that are not stored within the jail.


1 Answer

You can use the bind mount support to make identical directory structures available through multiple paths.

    # make the host's /usr/bin visible inside the jail
    mount --bind /usr/bin /path/to/chroot/jail/usr/bin
    # then flip this bind mount to read-only; "bind" must be included, otherwise
    # remount,ro is applied to the filesystem backing /usr/bin (usually /) itself
    mount -o remount,bind,ro /path/to/chroot/jail/usr/bin

For more details, see mount(8).

You can get really clever with mounting on Linux systems these days; for more details, see the Linux kernel source file Documentation/filesystems/sharedsubtree.txt.

sarnold answered Nov 02 '22 03:11
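The procedure from the answer above, carried through as an added example (not code from the question or the answer): a function that performs the bind mount and read-only remount for one shared directory, plus a check that reads the per-mount flags from /proc/self/mountinfo to confirm the jail-side mount really is read-only even though the backing filesystem is writable. The jail path /srv/jail and the shared directory /usr/bin are illustrative assumptions, and the mountinfo sample is constructed.

```bash
#!/bin/bash
# Added example, not code from the original question or answer.
# Share a host directory into a chroot jail read-only with a bind mount and
# verify that the jail-side mount really is read-only. The jail path
# /srv/jail and the shared directory /usr/bin are illustrative assumptions.
set -u

# bind_ro SRC JAIL: make SRC visible read-only at JAIL/SRC. Needs root.
# The remount must carry "bind": a bare "remount,ro" is applied to the
# superblock that backs SRC (normally the root filesystem), so it would
# try to make the host's "/" read-only instead of just this bind mount.
bind_ro() {
    local src="$1" jail="$2" target
    target="$jail$src"
    mkdir -p "$target" || return 1
    mount --bind "$src" "$target" || return 1
    mount -o remount,bind,ro "$target" || return 1
    # Detach from the host's shared peer group so mounts made later under
    # SRC on the host do not silently appear inside the jail.
    mount --make-private "$target"
}

# mount_ro_state TARGET < mountinfo: print "ro", "rw" or "none" for the
# mount whose mount point is exactly TARGET. The per-mount options are
# field 6 of /proc/self/mountinfo and reflect this mount's own MS_RDONLY
# flag, unlike the superblock options listed after the "-" separator.
# If several mounts are stacked on TARGET the last (topmost) line wins.
mount_ro_state() {
    local target="$1" id parent dev root mnt opts rest state=none
    while read -r id parent dev root mnt opts rest; do
        [ "$mnt" = "$target" ] || continue
        case ",$opts," in
            *,ro,*) state=ro ;;
            *)      state=rw ;;
        esac
    done
    printf '%s\n' "$state"
}

# Constructed mountinfo sample (not taken from a real system): the root
# filesystem is rw, /usr/bin is bound into the jail read-only, and
# /usr/lib was bound but never remounted read-only.
SAMPLE_MOUNTINFO='25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
60 25 8:1 /usr/bin /srv/jail/usr/bin ro,relatime - ext4 /dev/sda1 rw
61 25 8:1 /usr/lib /srv/jail/usr/lib rw,relatime shared:1 - ext4 /dev/sda1 rw'

# check_jail_mount TARGET [MOUNTINFO]: succeed only if TARGET is a
# read-only mount; defaults to the live mount table.
check_jail_mount() {
    local target="$1" info="${2:-/proc/self/mountinfo}" state
    state=$(mount_ro_state "$target" < "$info")
    echo "$target: $state"
    [ "$state" = ro ]
}

case "${1-}" in
    setup)  bind_ro /usr/bin /srv/jail && check_jail_mount /srv/jail/usr/bin ;;
    demo)   printf '%s\n' "$SAMPLE_MOUNTINFO" | mount_ro_state /srv/jail/usr/bin
            printf '%s\n' "$SAMPLE_MOUNTINFO" | mount_ro_state /srv/jail/usr/lib ;;
esac
```

Run it as root with `setup` to mount and verify for real, or with `demo` to see the checker classify the constructed sample (the /usr/bin line reports `ro`, the /usr/lib line `rw`). The superblock column at the end of each mountinfo line still says `rw` for the jail's /usr/bin, which is exactly why the check reads the per-mount field rather than the filesystem's options.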