Who needs chroots? Security? What is that?
I first became interested in chroots when a friend of mine, renting a server, found out that their PHP installation had been cracked into. They noticed their server was doing abnormal uploading and eventually found that a plethora of files were hidden somewhere.
Chroot, now that sounds like the sound you made in the Nintendo game Super Mario Bros. 2 when you picked a vegetable! But I digress.
Why chroots? What are they? Well, technically they make it possible to change where the root directory points. Say you have an empty directory named buzzYa and you somehow managed to chroot into it: you would end up with nowhere to go. Is it that easy to set up? Absolutely not! Are chroots enough to provide security against adversaries? Absolutely not! They help, but by themselves they are almost useless. I’ll get to that later.
Chroots are a pain to set up under GNU/Linux. At first, I started by manually making a few directories and copying the files I wanted to them, painstakingly trying to keep up to date with the updates and having issues actually starting the thing. The thing is, you pretty much need to recreate a minimal GNU/Linux distribution inside your chroot. You need a minimal set of /etc/ files, a minimal set of devices in /dev/ and all the libraries necessary to run your program (provided it’s not statically linked). My point is that creating chroots manually is too error-prone and frustrating to be attempted.
That’s when jailTools was born. At first, with just shell scripts, I made it create a list of basic filesystem directories and copy over some shared objects and binaries. Then, I created a script to copy the libraries and binaries to what I call jails (taking the term from FreeBSD), making sure to also copy the shared objects they depend on from the base system.
At that point, I was copying over the binaries and libraries from the base system. This actually created jails of around 50MB, maybe even 100MB. bash by itself requires quite a few dependencies. You also need specific (special) shared objects like libnss, which are almost always loaded at runtime rather than being a direct dependency. There are also directories that are necessary, like /usr/share/locale, /usr/lib/locale and /usr/lib/gconv, and if you want SSL/TLS support: /etc/ssl and /usr/share/ca-certificates.
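The copy step described above can be sketched in plain shell. This is an added example, not jailTools' own code: the function names are hypothetical, the ldd output is a constructed sample, and the NSS handling assumes the modules sit next to libc where they exist as separate files.

```shell
#!/bin/sh
# Added example: copy a binary and the shared objects it needs into a chroot jail.

# Constructed sample of `ldd /bin/bash` output, for trying the parser offline.
sample_ldd_output() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc1a5f2000)
    libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f3b2c400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b2c000000)
    libgone.so.1 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f3b2c800000)
EOF
}

# Read ldd output on stdin, print the absolute path of every object to copy.
# Keeps "name => /path" entries and the dynamic loader line; drops linux-vdso
# (no file on disk) and unresolved "not found" entries.
ldd_paths() {
    awk '/not found/ { next }
         $2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }' | LC_ALL=C sort -u
}

# Copy one file to the same absolute path inside the jail. -L stores the target
# of a symlinked library (libfoo.so.6 -> libfoo-2.x.so) as a regular file.
copy_into_jail() {  # usage: copy_into_jail JAIL /abs/path
    mkdir -p "$1${2%/*}" && cp -L "$2" "$1$2"
}

# Copy a dynamically linked binary plus everything ldd reports for it.
# NSS modules are dlopen()ed at run time, so ldd never lists them; assumption:
# where they exist as separate files they sit in the same directory as libc.
jail_add_binary() {  # usage: jail_add_binary /path/to/buzzYa /bin/bash
    jb_jail=$1
    copy_into_jail "$jb_jail" "$2" || return 1
    ldd "$2" 2>/dev/null | ldd_paths | while read -r lib; do
        copy_into_jail "$jb_jail" "$lib" || exit 1
        case $lib in */libc.so.*)
            for nss in "${lib%/*}"/libnss_files.so.* "${lib%/*}"/libnss_dns.so.*; do
                if [ -e "$nss" ]; then copy_into_jail "$jb_jail" "$nss"; fi
            done ;;
        esac
    done
}
```

ldd can run code from the file it inspects, so point it only at binaries from a base system you already trust.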
Just check it out and take it for a spin: jailTools repository
It’s a work in progress; a lot of features are being planned.
This article is not at all what I wanted it to be. I wanted it to be a complete introduction to my project jailTools, but I ended up having various unfinished parts everywhere, totally unable to gather the courage to fully finish it.
So I decided to finally just trim the unfinished part and post it as is.
I’ll post further design and implementation details in later posts.
Just bear with me :)