
The chroot Linux utility can modify the working root directory for a process, limiting access to the rest of the file system. This is usually done for security, containerization, or testing, and is often called a “chroot jail.”

What Does chroot Do?

chroot does one thing: it runs a command with a different root directory. The command being run has no idea that anything outside of its jail exists, as it doesn’t have any links to it, and as far as it’s aware, it is running on the root filesystem anyway. There’s nothing above root, so the command can’t access anything else. chroot doesn’t make any modifications to your disk, but it can make it appear that way from the point of view of the processes running under it. Chrooting a process accomplishes the same thing as changing the mount namespace for a process, but does so at a higher level than namespace modification.

The main thing chroot is used for is locking away system daemons so that any security vulnerabilities in those daemons don’t affect the rest of the system. For example, Postfix, a mail agent, can be configured to run inside a chrooted environment with limited access to the directories it uses to communicate with the system. This way, if a bug is found in Postfix, it affects Postfix, and not anything else. If you want to offer remote users access to parts of your system, chrooting the process is an easy way to lock down access. This is pretty useful for a service like FTP. It’s also useful as a “budget container,” to create a subset of your operating system and run apps in an isolated environment, be it for testing, security, or ease of development.

But since chroot requires you to manually copy over application dependencies into the jail, it’s not suitable for everything. A process that needs to access and interact with user-level resources would not work well inside a chroot jail, or would require extra configuration that may make the whole setup more insecure. Even complicated apps like Apache and MySQL can be run inside a chrooted environment, though, as long as all of their dependencies are accounted for. While a chroot jail is an added layer of security, chroot shouldn’t be your only security tool.
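As an added example that is not part of the original article, the script below builds the kind of minimal jail the text describes: it copies one binary plus the shared libraries `ldd` reports for it into a directory tree, then launches the binary under `chroot`. The jail path and the binary are assumptions passed as arguments, and the final `chroot` call needs root.

```shell
#!/bin/sh
# Minimal single-binary chroot jail builder (added example, not the article's code).
# Usage (as root): sh jail.sh /srv/jail /bin/ls   -- both paths are assumptions.
set -eu

# Read ldd output on stdin and print one absolute library path per line.
# Handles "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)" and the
# loader line "/lib64/ld-linux-x86-64.so.2 (0x...)"; skips linux-vdso, and
# warns on "=> not found" so a missing dependency is noticed before chroot.
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; else print "missing: " $1 > "/dev/stderr"; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy one file into the jail, recreating its directory path under the jail root.
install_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Populate JAIL with BIN and every shared library ldd resolves for it.
# Only the ELF dependencies are handled: config files, NSS modules and
# device nodes such as /dev/null must still be added by hand if the program needs them.
build_jail() {
    jail=$1; bin=$2
    install_into_jail "$jail" "$bin"
    ldd "$bin" | ldd_paths | while read -r lib; do
        install_into_jail "$jail" "$lib"
    done
}

# Only act when a jail path and a binary are given, so sourcing the file is side-effect free.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    build_jail "$1" "$2"
    # From here on the process sees the jail directory as "/" and nothing above it.
    chroot "$1" "$2"
fi
```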
