Results 1 to 3 of 3

Thread: Running applications in Chroot?

  1. #1
    Join Date
    Mar 2011
    Beans
    673

    Running applications in Chroot?

    I can't find an up to date guide for running an application in a chroot.

    If anyone would mind walking me through the steps I'd appreciate that. In this case I'm looking to chroot xchat/pidgin.

    https://help.ubuntu.com/community/DebootstrapChroot

    This page seems out of date. I'm using it with a lot of guess work to fill in some gaps lol

    Ok... I've installed debootsrap and I've run it and it gave me a "success" output.

    edit: Solved that last issue.

    ok, so I actually ended up install Hardy instead of Precise (the wiki guide could really use some clarity) so I guess I have to upgrade in the chroot.
    Last edited by Hungry Man; May 24th, 2012 at 04:49 PM.

  2. #2
    Join Date
    Jun 2011
    Beans
    61
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Running applications in Chroot?

    Chroot isn't a secure way to run stuff. Read LWN: What chroot() is really for and then tell us what you think.

  3. #3
    Join Date
    Mar 2011
    Beans
    673

    Re: Running applications in Chroot?

    There are no chroot bypasses that work without root. Apparmor + chroot is actually a great way to secure a program because:
    1) You can deny root through apparmor
    2) You can deny chroot command access through apparmor (bypassing chroot is trivial if you can call chroot, which takes root and capability)
    3) You reduce visible attack surface by running a program in what is essentially a separate operating system with only what the program needs

    I also use a kernel I compile myself, which directly addresses chroot bypasses.

    From your link:
    There are reasonable uses of chroot() for very limited security purposes. Daemons that do not run as root can be placed into their own filesystem subtree – bind/named and Apache are sometimes run this way – to prevent any access outside of it. That will work, even if the daemon gets exploited, as long as there is no way to elevate privileges after the exploit. For example, if there are vulnerable setuid() programs accessible from within the chroot(), full filesystem access is possible.
    It's pretty simple to address chroot bypasses even without a custom kernel.
    Last edited by Hungry Man; May 25th, 2012 at 09:55 PM.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •