Chroot
A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a "chroot jail".
History

The chroot system call was introduced during development of Version 7 Unix in 1979, and also added to BSD by Bill Joy on 18 March 1982 – 17 months before 4.2BSD was released – in order to test its installation and build system.
Uses

A chroot environment can be used to create and host a separate virtualized copy of the software system. This can be useful for:

- Testing and development: A test environment can be set up in the chroot for software that would otherwise be too risky to deploy on a production system.
- Dependency control: Software can be developed, built and tested in a chroot populated only with its expected dependencies. This can prevent some kinds of linkage skew that can result from developers building projects with different sets of program libraries installed.
- Compatibility: Legacy software or software using a different ABI must sometimes be run in a chroot because their supporting libraries or data files may otherwise clash in name or linkage with those of the host system.
- Recovery: Should a system be rendered unbootable, a chroot can be used to move back into the damaged environment after bootstrapping from an alternate root file system (such as from installation media, or a Live CD).
- Privilege separation: Programs are allowed to carry open file descriptors (for files, pipelines and network connections) into the chroot, which can simplify jail design by making it unnecessary to leave working files inside the chroot directory. This also simplifies the common arrangement of running the potentially-vulnerable parts of a privileged program in a sandbox, in order to pre-emptively contain a security breach. Note that chroot is not necessarily enough to contain a process with root privileges.
Limitations

- The chroot mechanism is not intended to defend against intentional tampering by privileged (root) users. On most systems, chroot contexts do not stack properly and chrooted programs with sufficient privileges may perform a second chroot to break out. To mitigate the risk of this security weakness, chrooted programs should relinquish root privileges as soon as practical after chrooting, or other mechanisms – such as FreeBSD Jails – should be used instead. Note that some systems, such as FreeBSD, take precautions to prevent the second chroot attack.
- On systems that support device nodes on ordinary filesystems, a chrooted root user can still create device nodes and mount the file systems on them; thus, the chroot mechanism is not intended by itself to be used to block low-level access to system devices by privileged users.
- At startup, programs expect to find scratch space, configuration files, device nodes and shared libraries at certain preset locations. For a chrooted program to successfully start, the chroot directory must be populated with a minimum set of these files. This can make chroot difficult to use as a general sandboxing mechanism.
- Only the root user can perform a chroot. This is intended to prevent users from putting a setuid program inside a specially-crafted chroot jail (for example, with a fake /etc/passwd and /etc/shadow file) that would fool it into a privilege escalation.
- The chroot mechanism in itself also is not intended to restrict the use of resources like I/O, bandwidth, disk space or CPU time. Most Unixes are not completely file system-oriented and leave potentially disruptive functionality like networking and process control available through the system call interface to a chrooted program.
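The privilege-separation pattern from the Uses section and the first Limitations item (relinquish root as soon as practical after chrooting) fit together in one short program. The following C example is added here and is not code from the article or from any of the projects it names. A parent process creates a pipe (standing in for the carried-in file descriptor), forks a worker, and the worker enters the jail with chroot(2), calls chdir("/") so its working directory is not left outside the jail, drops supplementary groups, gid and uid, and then checks its own containment: root cannot be regained, a further chroot(2) is refused, the host's /etc/passwd is not visible, and the inherited descriptor still works. Because the worker never execs anything, the jail directory can stay empty, which is the same reason the FTP servers described later chroot a forked child rather than a fresh program. The jail path /tmp/chroot-example-jail and the uid/gid 65534 are assumptions; when run without root the worker reports JAIL_NEED_ROOT instead of entering the jail.

```c
/* Added example, not from the original article: a privilege-separated worker
 * that enters a chroot jail, drops root, and verifies its own containment.
 * Assumptions: jail dir /tmp/chroot-example-jail, unprivileged uid/gid 65534. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum jail_status {
    JAIL_OK = 0,       /* entered jail, dropped root, every check passed     */
    JAIL_NEED_ROOT,    /* chroot(2) returned EPERM: caller is unprivileged   */
    JAIL_ERR_CHROOT,   /* chroot(2) failed for another reason (e.g. ENOENT)  */
    JAIL_ERR_CHDIR,    /* could not move the working directory into the jail */
    JAIL_ERR_DROP,     /* setgroups/setgid/setuid failed                     */
    JAIL_ERR_REGAIN,   /* root could be regained after dropping: unsafe      */
    JAIL_ERR_RECHROOT, /* a second chroot(2) still succeeded: unsafe         */
    JAIL_ERR_LEAK,     /* a host path is still visible from inside the jail  */
    JAIL_ERR_FD,       /* the inherited descriptor is not usable             */
    JAIL_ERR_FORK      /* pipe/fork/waitpid failure in the parent            */
};

/* Runs in the child. The return value becomes the child's exit status. */
static int jailed_worker(const char *dir, uid_t uid, gid_t gid, int out_fd)
{
    if (chroot(dir) != 0)
        return errno == EPERM ? JAIL_NEED_ROOT : JAIL_ERR_CHROOT;
    /* chroot(2) does not change the working directory; without chdir("/")
     * the process keeps a cwd that lies outside the new root. */
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;
    /* Drop privileges in this order: groups and gid first, because once the
     * uid is unprivileged, setgroups/setgid would no longer be permitted. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_ERR_DROP;
    /* Containment checks: the drop must be irreversible ... */
    if (setuid(0) == 0)
        return JAIL_ERR_REGAIN;
    /* ... a further chroot(2) must be refused (the "second chroot" weakness
     * only applies to a process that is still privileged) ... */
    if (chroot("/") == 0)
        return JAIL_ERR_RECHROOT;
    /* ... and host files must not be reachable (the jail directory is empty). */
    if (access("/etc/passwd", F_OK) == 0)
        return JAIL_ERR_LEAK;
    /* The descriptor the parent opened outside the jail still works inside it. */
    const char msg[] = "worker ok";
    if (write(out_fd, msg, sizeof msg) != (ssize_t)sizeof msg)
        return JAIL_ERR_FD;
    return JAIL_OK;
}

/* Parent side: hands one end of a pipe to a forked worker jailed in `dir`,
 * collects the worker's message into buf, and returns its jail_status. */
int run_jailed(const char *dir, uid_t uid, gid_t gid, char *buf, size_t buflen)
{
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return JAIL_ERR_FORK;
    pid_t pid = fork();
    if (pid < 0)
        return JAIL_ERR_FORK;
    if (pid == 0) {
        close(pipefd[0]);
        _exit(jailed_worker(dir, uid, gid, pipefd[1]));
    }
    close(pipefd[1]);
    ssize_t n = read(pipefd[0], buf, buflen - 1);
    buf[n > 0 ? n : 0] = '\0';
    close(pipefd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return JAIL_ERR_FORK;
    return WEXITSTATUS(status);
}

/* Creates the assumed jail directory and runs one worker in it. */
int demo_status(void)
{
    const char *dir = "/tmp/chroot-example-jail"; /* assumption */
    (void)mkdir(dir, 0755);                         /* EEXIST is fine */
    char buf[64];
    int rc = run_jailed(dir, 65534, 65534, buf, sizeof buf); /* assumed uid/gid */
    printf("jail status %d, worker said '%s'\n", rc, buf);
    return rc;
}

int main(void)
{
    return demo_status() == JAIL_OK ? 0 : 1;
}
```

The worker deliberately does nothing that needs files from the jail, so the directory can be left empty and the startup-population problem from the Limitations list does not arise; an unprivileged run stops at JAIL_NEED_ROOT, which is the "only root can chroot" rule in action rather than a defect.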
Extensions

Some Unixes offer extensions of the chroot mechanism to address at least some of these limitations. See:

- Implementations of operating system-level virtualization technology
Graphical Applications on chroot

It is possible to run graphical applications on a chrooted environment, using methods such as:

- Use xhost (or copy the secret from .Xauthority)
- Use a nested X server like Xnest or the more modern Xephyr (or start a real X server from inside the jail)
- Access the chroot via SSH using the X11 forwarding (ssh -X) feature
- Use openroot if your X server has been started with -nolisten tcp and if you do not run an ssh server
- Use an X11 VNC server and connect a VNC client outside the environment.
Notable applications

- The Postfix mail transfer agent operates as a pipeline of individually-chrooted helper programs.
- Like 4.2BSD before it, the Debian and Ubuntu internal package-building farms use chroots extensively to catch unintentional build dependencies between packages. SUSE uses a similar method with its build program. Fedora, Red Hat, and various RPM-based distributions build all RPMs using a chroot tool such as mock.
- Many FTP servers for POSIX systems use the chroot mechanism to sandbox untrusted FTP clients. This may be done by forking a process to handle an incoming connection, then chrooting the child (to avoid having to populate the chroot with libraries required for program startup).
- If privilege separation is enabled, the OpenSSH daemon will chroot an unprivileged helper process into an empty directory to handle pre-authentication network traffic for each client. The daemon can also sandbox SFTP and shell sessions in a chroot (from version 4.9p1 onwards).
See also

- List of Unix programs
- Operating system-level virtualization
- Sandbox (computer security)
- sudo