Introduction
The term chroot jail dates all the way back to 1992 and is frequently used today. But what does this term mean, and what is this operation used for?
In this tutorial, we will cover the basics of using chroot jails and show you how you can set one up.
Prerequisites
- A system running a Linux or Unix operating system
- A user account with sudo-level privileges
- Access to the terminal/command line
What Is chroot jail?
A chroot (short for change root) is a Unix operation that changes the apparent root directory to the one specified by the user.
Any process you run after a chroot operation only has access to the newly defined root directory and its subdirectories. This operation is colloquially known as a chroot jail since these processes cannot read or write outside the new root directory.
What Is chroot jail Used for?
Chroot jail is used to create a limited sandbox for a process to run in. This means a process cannot maliciously change data outside the prescribed directory tree.
Another use for chroot jails is as a substitute for virtual machines. This method is called kernel-level virtualization and requires fewer resources than virtual machines. This operation allows users to create multiple isolated instances on the same system.
How to Use chroot jail
This example takes you through creating and setting up chroot jail so it can run bash
and ls
commands.
Follow these steps:
1. Create a new directory called chroot_jail:
mkdir chroot_jail
If we try to chroot
into the new directory, we get the following output:
You must enable the bash
command before you can chroot
into the new directory. This requires copying the command file and all associated libraries into the new root directory.
2. Create a new subdirectory tree inside chroot_jail:
mkdir -p chroot_jail/bin chroot_jail/lib64/x86_64-linux-gnu chroot_jail/lib/x86_64-linux-gnu
These subdirectories will store all the necessary elements of the bash
and ls
commands.
3. Using the cp command with the which
command lets copy bash
and ls
commands without specifying the path you are copying from.
To do so, use:
cp $(which ls) chroot_jail/bin/
cp $(which bash) chroot_jail/bin/
Note: If your bash
or ls
command are aliased, you need to unalias them before copying. Use unalias [command]
, where [command]
is the name of the command you want to unalias.
4. For bash
and ls
to work in the new root folder, add all associated libraries to chroot_jail/libraries. Use the ldd
command to find out which libraries are associated with which command:
ldd $(which bash)
ldd $(which ls)
5. Copy the appropriate libraries to the chroot_jail subdirectories lib and lib64.
For the bash
command:
cp /lib/x86_64-linux-gnu/libtinfo.so.6 chroot_jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libdl.so.2 chroot_jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libc.so.6 chroot_jail/lib/x86_64-linux-gnu/
cp /lib64/ld-linux-x86-64.so.2 chroot_jail/lib64/
For the ls
command:
cp /lib/x86_64-linux-gnu/libselinux.so.1 chroot_jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libc.so.6 chroot_jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libpcre2-8.so.0 chroot_jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libdl.so.2 chroot_jail/lib/x86_64-linux-gnu/
cp /lib64/ld-linux-x86-64.so.2 chroot_jail/lib64/
cp /lib/x86_64-linux-gnu/libpthread.so.0 chroot_jail/lib/x86_64-linux-gnu/
6. Use the chroot
command to change the root to the chroot_jail directory:
sudo chroot chroot_jail
Note: Changing the root to the chroot_jail directory starts a new instance of the bash
shell.
Use the ls
command to list all the files and directories in the new root directory tree:
ls -R
7. Once you are done using the new root folder, exit the shell:
exit
Conclusion
After following this tutorial, you should be able to set up a chroot jail, along with the necessary resources to run processes and commands in the new root directory.
For more information on Linux commands, check out our Linux Command Cheat Sheet.