Linux / Unix: chroot Command Examples

I am a new Linux and Unix user. How do I change the root directory of a command? How do I change the root directory of a process such as a web server using the chroot command to isolate its file system? How do I use chroot to recover a password or fix a damaged Linux/Unix based environment?

Each process/command on a Linux or Unix-like system has a root directory, the point from which its absolute paths are resolved. You can change the root directory of a command using the chroot command, which changes the root directory for both the currently running process and its children.

chroot command details

Description: Change root directory

Category: Processes Management

Difficulty: Advanced

Root privileges: Yes

Estimated completion time: 30m

Contents

Syntax

Examples

Exit from chrooted jail

Find out if service in chrooted jail

Rescue and fix software RAID

Should I use the chroot feature?

Options

See also

A process/command that is run in such a modified environment cannot access files outside the root directory. This modified environment is commonly known as “jailed directory” or “chroot jail”. Only a privileged process and root user can use chroot command. This is useful to:

Privilege separation for unprivileged process such as Web-server or DNS server.

Setting up a test environment.

Run old programs, or programs with ABI incompatibilities, without crashing the application or the system.

System recovery.

Reinstall the bootloader such as Grub or Lilo.

Password recovery – Reset a forgotten password and more.

Purpose

The chroot command changes its current and root directories to the provided directory and then runs the command, if supplied, or an interactive copy of the user’s login shell. Please note that not every application can be chrooted.

Syntax

The basic syntax is as follows:

chroot /path/to/new/root command

OR

chroot /path/to/new/root /path/to/server

OR

chroot [options] /path/to/new/root /path/to/server

chroot command examples

In this example, build a mini-jail for testing purposes with the bash and ls commands only. First, store the jail location in a shell variable:

$ J=$HOME/jail


Create directories inside $J:

$ mkdir -p $J

$ mkdir -p $J/{bin,lib64,lib}

$ cd $J


Copy /bin/bash and /bin/ls into $J/bin/ location using cp command:

$ cp -v /bin/{bash,ls} $J/bin


Copy required libs in $J. Use ldd command to print shared library dependencies for bash:

$ ldd /bin/bash


Sample outputs:

linux-vdso.so.1 =>  (0x00007fff8d987000)

libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000032f7a00000)

libdl.so.2 => /lib64/libdl.so.2 (0x00000032f6e00000)

libc.so.6 => /lib64/libc.so.6 (0x00000032f7200000)

/lib64/ld-linux-x86-64.so.2 (0x00000032f6a00000)

Copy libs in $J correctly from the above output:

$ cp -v /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 $J/lib64/


Sample outputs:

/lib64/libtinfo.so.5  -> /home/vivek/jail/lib64/libtinfo.so.5

/lib64/libdl.so.2  -> /home/vivek/jail/lib64/libdl.so.2

/lib64/libc.so.6  -> /home/vivek/jail/lib64/libc.so.6

/lib64/ld-linux-x86-64.so.2  -> /home/vivek/jail/lib64/ld-linux-x86-64.so.2

Copy required libs in $J for ls command. Use ldd command to print shared library dependencies for ls command:

$ ldd /bin/ls


Sample outputs:

linux-vdso.so.1 =>  (0x00007fff68dff000)

libselinux.so.1 => /lib64/libselinux.so.1 (0x00000032f8a00000)

librt.so.1 => /lib64/librt.so.1 (0x00000032f7a00000)

libcap.so.2 => /lib64/libcap.so.2 (0x00000032fda00000)

libacl.so.1 => /lib64/libacl.so.1 (0x00000032fbe00000)

libc.so.6 => /lib64/libc.so.6 (0x00000032f7200000)

libdl.so.2 => /lib64/libdl.so.2 (0x00000032f6e00000)

/lib64/ld-linux-x86-64.so.2 (0x00000032f6a00000)

libpthread.so.0 => /lib64/libpthread.so.0 (0x00000032f7600000)

libattr.so.1 => /lib64/libattr.so.1 (0x00000032f9600000)

You can copy the libs one-by-one or try a bash shell for loop as follows (note there must be no space after the = sign, otherwise the shell treats the ldd output as a command to run):

# ldd prints "name => /path" lines; egrep -o keeps only the library paths

list=$(ldd /bin/ls | egrep -o '/lib.*\.[0-9]')

for i in $list; do cp -v "$i" "${J}${i}"; done

Sample outputs:

/lib64/libselinux.so.1  -> /home/vivek/jail/lib64/libselinux.so.1

/lib64/librt.so.1  -> /home/vivek/jail/lib64/librt.so.1

/lib64/libcap.so.2  -> /home/vivek/jail/lib64/libcap.so.2

/lib64/libacl.so.1  -> /home/vivek/jail/lib64/libacl.so.1

/lib64/libc.so.6  -> /home/vivek/jail/lib64/libc.so.6

/lib64/libdl.so.2  -> /home/vivek/jail/lib64/libdl.so.2

/lib64/ld-linux-x86-64.so.2  -> /home/vivek/jail/lib64/ld-linux-x86-64.so.2

/lib64/libpthread.so.0  -> /home/vivek/jail/lib64/libpthread.so.0

/lib64/libattr.so.1  -> /home/vivek/jail/lib64/libattr.so.1

Finally, chroot into your new jail:

$ sudo chroot $J /bin/bash


Try browsing /etc or /var:

# ls /

# ls /etc/

# ls /var/
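The steps above can be scripted so that the jail is built from a list of programs and then verified before you chroot into it. The following is an added example written for this article, not a script from nixCraft: it generalises the article's cp/ldd loop to any list of programs, handles libraries under /lib, /lib64 or Debian-style multiarch directories, and copes with the dynamic loader line that ldd prints without "=>". The jail path and the program list are whatever you pass in.

```shell
#!/bin/sh
# Build and sanity-check a minimal chroot jail. Added example for this article,
# not nixCraft's own script. It generalises the article's cp/ldd loop: any list
# of programs, libraries under /lib or /lib64 (or multiarch dirs), and the
# dynamic loader line that ldd prints without "=>".
set -eu

# Read ldd-style output on stdin and print only absolute library paths:
#   "libc.so.6 => /lib64/libc.so.6 (0x...)"   -> /lib64/libc.so.6
#   "/lib64/ld-linux-x86-64.so.2 (0x...)"     -> /lib64/ld-linux-x86-64.so.2
#   "linux-vdso.so.1 =>  (0x...)"             -> skipped, it is not a file
parse_ldd_deps() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# jail_copy JAIL SRC : copy SRC into JAIL at the same absolute path.
# cp -L follows symlinks (libc.so.6 is usually one) so the jail gets real files.
jail_copy() {
    mkdir -p "$1$(dirname "$2")"
    cp -L "$2" "$1$2"
}

# build_jail JAIL PROG... : copy each program plus everything ldd reports.
# ldd exits non-zero for static binaries; that simply yields no dependencies.
# Only run ldd on binaries you trust: it invokes the dynamic loader on them.
build_jail() {
    jail=$1; shift
    mkdir -p "$jail"
    for prog in "$@"; do
        path=$(command -v "$prog")   # e.g. /bin/ls, or /usr/bin/ls on merged-/usr systems
        jail_copy "$jail" "$path"
        ldd "$path" 2>/dev/null | parse_ldd_deps | while read -r lib; do
            [ -e "$jail$lib" ] || jail_copy "$jail" "$lib"
        done
    done
}

# check_jail JAIL : fail if any ELF file in the jail has a dependency that is
# missing from the jail (the "broken jail" failure mode the article warns about).
check_jail() {
    jail=$1
    missing=$(find "$jail" -type f | while read -r f; do
        ldd "$f" 2>/dev/null | parse_ldd_deps | while read -r lib; do
            [ -e "$jail$lib" ] || echo "$lib"
        done
    done | sort -u)
    [ -z "$missing" ] || { printf 'missing in jail:\n%s\n' "$missing" >&2; return 1; }
}

# Usage, mirroring the article (only the chroot step needs root):
#   J=$HOME/jail
#   build_jail "$J" bash ls && check_jail "$J"
#   sudo chroot "$J" /bin/bash
```

check_jail reports every library the jailed binaries would fail to find, which is the usual cause of a "No such file or directory" error from chroot even though the binary itself is present. To enter the jail as an unprivileged user rather than root, the chroot(8) option listed later on this page applies: sudo chroot --userspec=USER:GROUP "$J" /bin/bash.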


A chrooted bash and ls are locked into a particular directory, $J (that is, $HOME/jail), see that directory as their “/” (root) directory, and are unable to wander around the rest of the directory tree. This is a tremendous boost to security if configured properly. I usually lock down the following applications using the same techniques:

Apache – Red Hat / CentOS: Chroot Apache 2 Web Server

Nginx – Linux nginx: Chroot (Jail) Setup

Chroot Lighttpd web server on a Linux based system

Chroot mail server.

Chroot Bind DNS server and more.

How do I exit from chrooted jail?

Type exit

$ exit


Sample session from above commands:

[Animated gif 01: Linux / Unix: Bash Chroot ls Command Demo]

Find out if service in chrooted jail or not

You can easily find out if Postfix mail server is chrooted or not using the following two commands:

pid=$(pidof -s master)

ls -ld /proc/$pid/root

Sample outputs from my Linux based server:

lrwxrwxrwx. 1 root root 0 Mar  9 11:16 /proc/8613/root -> /

The root of PID 8613 points to / (root), i.e. the root directory of the application has not been changed, so it is not chrooted. This is a quick and dirty way to find out whether an application is chrooted without opening its configuration files. Here is another example, from a chrooted nginx server:

pid=$(pidof -s nginx)

ls -ld /proc/$pid/root

Sample outputs:

lrwxrwxrwx 1 nginx nginx 0 Mar  9 11:17 /proc/4233/root -> /nginxjail

The root directory for application is changed to /nginxjail.
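The /proc/PID/root check above can be wrapped so that every process of a service is inspected, not just the first one pidof -s returns, which matters for servers with a master process and several workers. This is an added example for this article, not nixCraft's code; the service name is whatever you pass in, and classify_root exists so the verdict logic can be exercised without live processes.

```shell
#!/bin/sh
# Report whether the processes of a service run inside a chroot by reading the
# /proc/PID/root symlink, as the article does. Added example, not nixCraft's code.
set -eu

# proc_root PID : print the root directory of a process as the kernel sees it.
# "/" for a normal process, the jail path for a chrooted one. Reading the link
# requires root or the same uid as the process (standard ptrace access rules).
proc_root() {
    readlink "/proc/$1/root"
}

# is_chrooted PID : exit 0 if the process root is anything other than "/".
is_chrooted() {
    [ "$(proc_root "$1")" != "/" ]
}

# classify_root ROOT : map a root path to a one-word verdict.
#   "/"          -> not-chrooted
#   ""           -> unreadable (link could not be read, usually a permission issue)
#   anything else-> chrooted:<path>
classify_root() {
    case $1 in
        /)  echo "not-chrooted" ;;
        "") echo "unreadable" ;;
        *)  echo "chrooted:$1" ;;
    esac
}

# service_roots NAME : one line per process of NAME, "PID ROOT VERDICT".
# Uses pidof without -s so a master process and its workers are each checked;
# a worker that escaped the jail, or a master that never entered it, shows up.
service_roots() {
    for pid in $(pidof "$1" 2>/dev/null); do
        root=$(readlink "/proc/$pid/root" 2>/dev/null || true)
        echo "$pid ${root:-?} $(classify_root "$root")"
    done
}

# Usage: service_roots nginx ; service_roots master   (run as root to read all links)
```

Run as root, service_roots prints every nginx or Postfix process with its root; a mix of "/" and "/nginxjail" lines for the same service is worth investigating, since it means only part of the service is actually confined.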

Rescue and fix software RAID system with chroot

I’m assuming that a software RAID based Linux system is not booting, so you booted the system either from a Live CD or into a network-based remote rescue kernel mode to fix it. In this example, I boot a RHEL based system using a live Linux DVD/CD and chroot into /dev/sda1 and/or /dev/md0 to fix the problem:

## Recover data: at the live CD prompt type the following commands ##

## /dev/sda1 - main system partition ##

## /dev/md0  - /data partition ##

# Set jail dir

d=/chroot

mkdir $d


# Mount sda1 and required dirs

mount /dev/sda1 $d

mount -o bind /dev $d/dev

mount -o bind /sys $d/sys

mount -o bind /dev/shm $d/dev/shm

mount -o bind /proc $d/proc


# Mount software raid /dev/md0

mount /dev/md0 $d/data


# Chroot to our newly created jail. This allows us to fix bootloader or grab data before everything goes to /dev/null

chroot $d


# Can you see?

ls

df


# Get files to safe location

rsync -avr /path/to/my_precious_data_dir user@safe.location.cyberciti.biz:/path/to/dest


# Get out of chrooted jail and reboot or format the server as per your needs 😉

exit

umount {dev,sys,[…],}

reboot
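The mount sequence above has an ordering constraint that is easy to get wrong under pressure: /dev must be bound before /dev/shm, and the nested mounts must be unmounted before their parents or the umount fails with "target is busy". The following added example (written for this article, not a nixCraft script) captures the whole rescue procedure as two functions that run the mounts in order and tear them down in reverse, with a dry-run mode that prints the plan instead of executing it. The device names and the /data mount point are assumptions taken from the scenario described above; override them via the JAIL, ROOT_DEV and DATA_DEV variables.

```shell
#!/bin/sh
# Rescue-mount helper: mount a broken system's root partition plus the
# pseudo-filesystems a chroot needs, in the right order, and tear them down
# in reverse. Added example, not the article's own script. Device names and
# the /data mount point are assumptions matching the article's scenario.
set -eu

JAIL=${JAIL:-/chroot}
ROOT_DEV=${ROOT_DEV:-/dev/sda1}    # main system partition (assumed, as in the article)
DATA_DEV=${DATA_DEV:-/dev/md0}     # software RAID /data partition (assumed)
DRY_RUN=${DRY_RUN:-0}              # DRY_RUN=1 prints the commands instead of running them

# Pseudo filesystems bind-mounted from the rescue kernel, in mount order.
# /dev must come before /dev/shm because the nested mount point lives on the /dev bind.
BIND_DIRS="/dev /dev/shm /sys /proc"

# Print stdin lines in reverse: nested mounts must be unmounted before their parents.
reverse_lines() { awk '{ l[NR] = $0 } END { for (i = NR; i > 0; i--) print l[i] }'; }

# run CMD... : execute, or just print when DRY_RUN=1 so the plan can be reviewed first.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Mount the system root, the bind mounts, then the RAID data partition.
rescue_mount() {
    run mkdir -p "$JAIL"
    run mount "$ROOT_DEV" "$JAIL"
    for d in $BIND_DIRS; do
        run mount -o bind "$d" "$JAIL$d"
    done
    run mkdir -p "$JAIL/data"
    run mount "$DATA_DEV" "$JAIL/data"
}

# Enter the rescued system (run this as root, after rescue_mount).
rescue_shell() {
    run chroot "$JAIL" /bin/bash
}

# Unmount everything in the exact reverse of rescue_mount.
rescue_umount() {
    run umount "$JAIL/data"
    for d in $(printf '%s\n' $BIND_DIRS | reverse_lines); do
        run umount "$JAIL$d"
    done
    run umount "$JAIL"
}

# Usage from the live CD, as root:
#   DRY_RUN=1 . ./rescue.sh && rescue_mount          # review the plan
#   rescue_mount && rescue_shell                      # fix bootloader / copy data
#   rescue_umount && reboot                           # after exiting the chroot
```

Reviewing the dry-run plan before touching a system with damaged RAID is worth the extra step: mounting the wrong device read-write, or rebooting with the bind mounts still in place, can turn a recoverable system into an unrecoverable one.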

BUT WAIT, THERE’S MORE!

See all other chroot command related examples on nixCraft:

Ubuntu: Mount Encrypted Home Directory (~/.private) From an Ubuntu Live CD

Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only

Fix a dual boot MS-Windows XP/Vista/7/Server and Linux problem

Restore Debian Linux Grub boot loader

A note about chrooting apps on a Linux or Unix-like systems

Should you use the chroot feature all the time? In the above example the program is fairly simple, but you may end up with several different kinds of problems, such as:

Missing libs in the jail can result in a broken jail.

Complex programs are difficult to chroot. I suggest you either try a real jail such as the one provided by FreeBSD or use a virtualization solution such as KVM on Linux.

An app running in a jail cannot run any other programs, cannot alter any files, and cannot assume another user’s identity. If you loosen these restrictions, you have lessened your security, chroot or no chroot.

Also note that:

Do not forget to update chrooted apps when you upgrade apps locally.

Not every app can or should be chrooted.

Any app which has to assume root privileges to operate is pointless to attempt to chroot, as root can generally escape a chroot.

Chroot is not a silver bullet. Learn how to secure and harden the rest of the system too.

chroot command options

From the chroot(8) command man page:

--userspec=USER:GROUP  specify user and group (ID or name) to use

--groups=G_LIST        specify supplementary groups as g1,g2,..,gN

--help     display this help and exit

--version  output version information and exit

See also

chroot(8)

Man pages – chroot(2)

OpenBSD documentation – See Apache chrooting faq for more information.
