The term chroot jail dates all the way back to 1992 and is frequently used today. But what does this term mean, and what is this operation used for?
In this tutorial, we will cover the basics of using chroot jails and show you how you can set one up.
- A system running a Linux or Unix operating system
- A user account with sudo-level privileges
- Access to the terminal/command line
What Is chroot jail?
A chroot (short for change root) is a Unix operation that changes the apparent root directory to the one specified by the user.
Any process you run after a chroot operation only has access to the newly defined root directory and its subdirectories. This operation is colloquially known as a chroot jail since these processes cannot read or write outside the new root directory.
What Is chroot jail Used for?
Chroot jail is used to create a limited sandbox for a process to run in. This means a process cannot maliciously change data outside the prescribed directory tree.
Another use for chroot jails is as a substitute for virtual machines. This method is called kernel-level virtualization and requires fewer resources than virtual machines. This operation allows users to create multiple isolated instances on the same system.
How to Use chroot jail
This example takes you through creating and setting up chroot jail so it can run
Follow these steps:
1. Create a new directory called chroot_jail:
If we try to chroot into the new directory, we get the following output:
You must enable the bash command before you can chroot into the new directory. This requires copying the command file and all associated libraries into the new root directory.
2. Create a new subdirectory tree inside chroot_jail:
mkdir -p chroot_jail/bin chroot_jail/lib64/x86_64-linux-gnu chroot_jail/lib/x86_64-linux-gnu
These subdirectories will store all the necessary elements of the
3. Using the cp command with the which command lets you copy the bash and ls commands without specifying the path you are copying from.
To do so, use:
cp $(which ls) chroot_jail/bin/
cp $(which bash) chroot_jail/bin/
Note: If your bash and ls commands are aliased, you need to unalias them before copying. Use unalias [command], where [command] is the name of the command you want to unalias.
4. For bash and ls to work in the new root folder, add all associated libraries to chroot_jail/libraries. Use the ldd command to find out which libraries are associated with which command:
ldd $(which bash)
ldd $(which ls)
5. Copy the appropriate libraries to the chroot_jail subdirectories lib and lib64.
# Libraries needed by bash
cp /lib/x86_64-linux-gnu/libtinfo.so.6 chroot_jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libdl.so.2 chroot_jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libc.so.6 chroot_jail/lib/x86_64-linux-gnu/
cp /lib64/ld-linux-x86-64.so.2 chroot_jail/lib64/
# Libraries needed by ls
cp /lib/x86_64-linux-gnu/libselinux.so.1 chroot_jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libc.so.6 chroot_jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libpcre2-8.so.0 chroot_jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libdl.so.2 chroot_jail/lib/x86_64-linux-gnu/
cp /lib64/ld-linux-x86-64.so.2 chroot_jail/lib64/
cp /lib/x86_64-linux-gnu/libpthread.so.0 chroot_jail/lib/x86_64-linux-gnu/
6. Use the chroot command to change the root to the chroot_jail directory:
sudo chroot chroot_jail
Note: Changing the root to the chroot_jail directory starts a new instance of the bash shell. Use the ls command to list all the files and directories in the new root directory tree:
7. Once you are done using the new root folder, exit the shell:
After following this tutorial, you should be able to set up a chroot jail, along with the necessary resources to run processes and commands in the new root directory.
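The library paths copied in step 5 differ between distributions and releases, so a hand-typed list can leave the jail unable to start bash. The following added example (not part of the original tutorial) copies whatever ldd reports for each command into the jail and then lists any dependency that is still missing; the function names and the script name mkjail.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial). jail_deps, jail_add and
# jail_missing are hypothetical helper names.
# Run ldd only on binaries you trust: some versions can execute code from the file.

# jail_deps FILE: print the absolute path of every shared library and of
# the dynamic loader that ldd reports for FILE (vdso and "not found" skipped).
jail_deps() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# jail_add JAIL CMD...: copy each CMD into JAIL/bin and its libraries to the
# same absolute path under JAIL. Assumes library paths contain no spaces.
jail_add() {
    jail=$1; shift
    mkdir -p "$jail/bin"
    for cmd in "$@"; do
        # command -v resolves the path as `which` does in the tutorial
        src=$(command -v "$cmd") || { echo "not found: $cmd" >&2; return 1; }
        cp -Lf "$src" "$jail/bin/"
        for lib in $(jail_deps "$src"); do
            mkdir -p "$jail$(dirname "$lib")"
            cp -Lf "$lib" "$jail$lib"
        done
    done
}

# jail_missing JAIL: list dependencies of JAIL/bin/* that are absent from
# JAIL. Empty output means every binary can load after chroot.
jail_missing() {
    for bin in "$1"/bin/*; do
        for lib in $(jail_deps "$bin"); do
            [ -e "$1$lib" ] || echo "$bin needs $lib"
        done
    done
}

# Example: sh mkjail.sh chroot_jail bash ls
if [ "$#" -ge 2 ]; then
    jail_add "$@" && jail_missing "$1"
fi
```

chroot by itself does not confine a process that keeps root privileges; GNU chroot's --userspec=USER:GROUP option starts the command as an unprivileged user instead.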