laforge@gnumonks.org
All flavors of UNIX provide a system call called chroot(). It changes the root of the filesystem, as seen by the current process, to a directory other than "/".
For more information, see the Linux chroot(2) manpage.
Basically, it is a security enhancement. The process(es) running inside the chroot exist in a different environment from those outside. The only thing "inside" and "outside" share is the kernel. All libraries, utilities,
If you want to give other users some kind of access but hide most of the system from them, chroot() is your friend.
This depends on the setup. As long as a process is running as root, it can always leave the chroot().
A process running as any user other than "root" cannot leave the chroot() by any means. But if there is a local root exploit (i.e. the process can gain superuser access due to a bug in the operating system),
So as long as your server software is not too buggy and the operating system has no exploitable security holes, the chroot() environment is safe.
You need everything the process (in the case of this HOWTO, the Apache web server and the ProFTPd FTP server) needs besides the kernel.
Usually this includes
Well, the first and obvious approach is to copy all the necessary files from the real root to the chroot. This is what many people still do today. It has some inherent disadvantages:
So the cleaner approach is to install RPM itself inside the chroot() and afterwards install the whole system from the ready-made binary RPMs. This is the same as what the normal RedHat installation procedure does when you install on a new system.
First, you have to create the chroot directory (called $ROOT in this document).
In order to make RPM work, it needs the rpm database directory beneath $ROOT, so you have to create it using
mkdir -p $ROOT/var/lib/rpm
All the packages are to be installed using
rpm --root $ROOT [filename]
The list of packages I suggest installing (in the order listed):
setup filesystem basesystem ldconfig glibc mktemp termcap ncurses info fileutils bash && libtermcap gdbm tcsh perl chkconfig textutils mailcap apache mod_perl cracklib cracklib-dicts pwdb glib gawk pam --nodeps shadow-utils slang util-linux --nodeps sh-utils zsh sed bzip2 popt zlib rpm
As ProFTPd is still not included in the RedHat distribution, I got the latest RPMs from the ProFTPd site http://www.proftpd.net and installed them
proftpd-core proftpd-standalone
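The whole "create $ROOT, create the rpm database directory, install the packages in order" procedure above, as a repeatable script. This is an added example, not part of the original HOWTO. It assumes the RPM files sit in $PKGDIR named <name>-<version>.<arch>.rpm, that a "--nodeps" token in the list belongs to the package named just before it (as in "pam --nodeps"), and it adds a DRY_RUN switch so the generated rpm commands can be reviewed before anything is written to $ROOT.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): drive the "install RPM, then
# install everything else from binary RPMs" procedure from one script.
# Assumptions: packages live in $PKGDIR as <name>-<version>.<arch>.rpm, the
# install order is the one given in the HOWTO, and DRY_RUN=1 only prints the
# rpm commands instead of running them.
set -eu

ROOT="${ROOT:-/var/chroot/www}"            # assumed jail location
PKGDIR="${PKGDIR:-/mnt/cdrom/RedHat/RPMS}" # assumed RPM directory
DRY_RUN="${DRY_RUN:-0}"

# Package list in install order (from the HOWTO, plus the two ProFTPd RPMs).
# A token starting with "--" is an extra rpm option for the package named
# just before it, e.g. "pam --nodeps".
PACKAGES="setup filesystem basesystem ldconfig glibc mktemp termcap ncurses info
fileutils bash libtermcap gdbm tcsh perl chkconfig textutils mailcap apache
mod_perl cracklib cracklib-dicts pwdb glib gawk pam --nodeps shadow-utils slang
util-linux --nodeps sh-utils zsh sed bzip2 popt zlib rpm
proftpd-core proftpd-standalone"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the chroot directory and the rpm database directory beneath it.
prepare_root() {
    root="$1"
    run mkdir -p "$root/var/lib/rpm"
}

# Turn the token list into one "rpm --root $ROOT ... -ivh <file>" call per
# package and run it. With DRY_RUN=1 this prints one command line per package.
install_packages() {
    root="$1"; pkgdir="$2"; shift 2
    pkg=""; opts=""
    # the trailing empty token flushes the last package
    for tok in "$@" ""; do
        case "$tok" in
            --*) opts="$opts $tok"; continue ;;
        esac
        if [ -n "$pkg" ]; then
            # $opts is deliberately unquoted so "--nodeps" becomes its own word;
            # the glob picks <name>-<digit>... so apache does not match apache-devel
            # shellcheck disable=SC2086
            run rpm --root "$root" $opts -ivh "$pkgdir/$pkg"-[0-9]*.rpm
        fi
        pkg="$tok"; opts=""
    done
}

# Number of real packages in a token list (options are not counted).
count_packages() {
    n=0
    for tok in "$@"; do
        case "$tok" in --*) ;; *) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

if [ "${1:-}" = "--build" ]; then
    prepare_root "$ROOT"
    # shellcheck disable=SC2086
    install_packages "$ROOT" "$PKGDIR" $PACKAGES
fi
```

Run it once with DRY_RUN=1 ./build-jail.sh --build to read the 38 rpm commands it would issue, then again without DRY_RUN as root. Keeping the list in one variable makes it easy to diff the jail's package set against what you meant to install, which is exactly the bookkeeping that the copy-files-by-hand approach loses.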
After the installation of all the packages we have to do some configuration.
As authentication and uid/gid resolution are done in userspace, we need a valid authentication source inside our chroot() environment. Traditionally this information is stored in $ROOT/etc/passwd and $ROOT/etc/group, but you can configure any source using PAM and a MySQL / LDAP / whatever auth module.
This HOWTO covers just the traditional case.
So create all the users and groups you need in $ROOT/etc/group and $ROOT/etc/passwd :)
Apache and ProFTPd may want to resolve hostnames to IP addresses and vice versa, so you have to configure at least one valid source for name service lookups. Usually DNS is used, so just enter the DNS information into $ROOT/etc/resolv.conf.
Just configure Apache / ProFTPd / ... the same way you would configure them if they were running on a normal system. Just always remember that the config files are parsed by a process already running inside your $ROOT, so all absolute pathnames refer to $ROOT instead of the real root.
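A sanity check for the traditional $ROOT/etc/passwd and $ROOT/etc/group setup described above, added here as an example (it is not part of the original HOWTO). It assumes the classic seven-field passwd format and reports three things that go wrong when people copy the host's files into the jail: a gid used in passwd that does not exist in group (uid/gid resolution then fails inside the jail), a second uid 0 account, and password hashes left in the second passwd field.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): check the authentication
# files inside the jail before starting any daemon. Assumes the traditional
# $ROOT/etc/passwd + $ROOT/etc/group layout from the HOWTO.
set -eu

# Prints each problem on stderr and the number of problems on stdout.
check_jail_accounts() {
    root="$1"
    passwd="$root/etc/passwd"
    group="$root/etc/group"
    problems=0

    for f in "$passwd" "$group"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            problems=$((problems + 1))
        fi
    done
    if [ "$problems" -gt 0 ]; then
        echo "$problems"
        return 0
    fi

    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        # a) every gid referenced from passwd must exist in group, otherwise
        #    name lookups inside the jail fail for that user
        if ! awk -F: -v g="$gid" '$3 == g { found = 1 } END { exit !found }' "$group"; then
            echo "$name: gid $gid not found in $group" >&2
            problems=$((problems + 1))
        fi
        # b) only root should have uid 0 inside the jail
        if [ "$uid" -eq 0 ] && [ "$name" != root ]; then
            echo "$name: has uid 0" >&2
            problems=$((problems + 1))
        fi
    done < "$passwd"

    # c) field 2 should be empty, "x", "*" or "!"/"!!" (locked); anything else
    #    is a hash that usually came along with a copied host passwd file
    n=$(awk -F: '$2 !~ /^[x*!]*$/ { c++ } END { print c + 0 }' "$passwd")
    if [ "$n" -gt 0 ]; then
        echo "$n passwd entries carry a password hash in field 2" >&2
        problems=$((problems + n))
    fi

    echo "$problems"
}

if [ "${1:-}" != "" ]; then
    found=$(check_jail_accounts "$1")
    echo "$found problem(s) in $1/etc/passwd and $1/etc/group"
    [ "$found" -eq 0 ]
fi
```

Usage: ./check-jail-accounts.sh $ROOT; a non-zero exit means something to fix. The same shape extends naturally to $ROOT/etc/resolv.conf (at least one nameserver line) if you want one pre-flight script for the whole configuration step.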
Server startup is done inside the chroot() environment.
If you've installed a shell inside your chroot(), just run the following command as root
chroot $ROOT
You are now running a shell inside your chroot(). Just try "cd /" and look around: you are jailed to the chroot() directory. Start Apache using the "httpd" command and ProFTPd using the "proftpd" command. Then exit your chroot() using the "exit" command and check whether the servers are running.
Attention: you cannot bind to a port which is already in use outside the chroot().
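The startup step above, done from the real root instead of an interactive chroot shell, plus the two checks you want afterwards: that each daemon really sees $ROOT as its "/" (the kernel reports this in /proc/PID/root), and that the port is not already taken outside the jail. This is an added example, not part of the original HOWTO; it assumes Linux, that ss or netstat is installed, and that the daemons write the usual RedHat pidfiles (/var/run/httpd.pid and /var/run/proftpd.pid inside the jail).

```shell
#!/bin/sh
# Added example (not from the original HOWTO): start the daemons inside the
# jail from outside and verify their confinement. Assumes Linux (/proc/PID/root),
# ss or netstat, and the pidfile locations below (assumed, adjust to your config).
set -eu

ROOT="${ROOT:-/var/chroot/www}"   # assumed jail location

# Directory the kernel reports as "/" for process $1 (a pid or "self").
jail_root_of() {
    readlink "/proc/$1/root"
}

# Succeeds only if process $1 is confined to directory $2.
verify_jailed() {
    pid="$1"; want="$2"
    have=$(jail_root_of "$pid") || return 1
    [ "$have" = "$want" ]
}

# Succeeds if some socket already listens on TCP port $1 in this namespace,
# i.e. the "port already in use outside the chroot()" case from the HOWTO.
# Field 4 is the local address:port column in both ss and netstat output.
port_in_use() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -ltn
    else
        netstat -ltn
    fi 2>/dev/null | awk -v p=":$port" '$4 ~ p "$" { found = 1 } END { exit !found }'
}

# Start one daemon inside the jail, then check where its root really is.
# $1 = daemon path as seen inside the jail, $2 = its pidfile as seen from outside
start_jailed() {
    daemon="$1"; pidfile="$2"
    chroot "$ROOT" "$daemon"
    sleep 1
    pid=$(cat "$pidfile")
    if verify_jailed "$pid" "$ROOT"; then
        echo "$daemon (pid $pid) is confined to $ROOT"
    else
        echo "WARNING: $daemon (pid $pid) sees $(jail_root_of "$pid") as /" >&2
        return 1
    fi
}

if [ "${1:-}" = "--start" ]; then
    # refuse to start if the host already serves these ports
    for p in 80 21; do
        if port_in_use "$p"; then
            echo "port $p is already in use outside the jail" >&2
            exit 1
        fi
    done
    start_jailed /usr/sbin/httpd "$ROOT/var/run/httpd.pid"
    start_jailed /usr/sbin/proftpd "$ROOT/var/run/proftpd.pid"
fi
```

Run ./start-jail.sh --start as root. The /proc/PID/root check is the one worth keeping in a monitoring cron job: a daemon that was restarted by hand from the real root looks identical in ps output but reports "/" there instead of $ROOT.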