
Unix Tip: Creating the chrooted file system

ITworld 11/13/2007

Sandra Henry-Stocker, ITworld.com


There are quite a few steps involved in setting up a chrooted environment. As was described in last week's column, the process requires that you set up what is essentially a mini operating system to support whatever application your jailed user is going to be running in the padded cell that you provide.

One of the first things you must do is create a directory for your chrooted file system. For the chrooted ftp user this column is considering, we will create a directory that is distinct from the home directories of our regular users:

  # mkdir -p /chrooted/grilli
  # chmod 555 /chrooted/grilli
  
Next, we will provide the basic directories that our jailed user is going to need. This setup doesn't need to be elaborate. It just needs to include a small set of standard directories. Since /chrooted/grilli will appear to this user as /, we build his /usr/bin, /usr/lib and other directories in this newly created directory:


  # cd /chrooted/grilli
  # mkdir -p usr/bin usr/lib etc dev
  # ln -s usr/bin bin
  # ln -s usr/lib lib
  # chgrp -R sys etc/
  
Before we copy binaries, we must determine what libraries they will require. One way to do this for a particular binary is to run the ldd command. To view the libraries used by an Apache daemon, for example, you would run this command against the Apache binary (the httpd file), as shown here:


  # ldd /opt/apache/bin/httpd
  libsocket.so.1 => /usr/lib/libsocket.so.1
  libnsl.so.1 => /usr/lib/libnsl.so.1
  libpthread.so.1 => /usr/lib/libpthread.so.1
  libexpat.so.0 => /usr/local/lib/libexpat.so.0
  libc.so.1 => /usr/lib/libc.so.1
  libdl.so.1 => /usr/lib/libdl.so.1
  libmp.so.2 => /usr/lib/libmp.so.2
  libthread.so.1 => /usr/lib/libthread.so.1
  
The output above shows that the Apache daemon makes use of eight separate library files. As an aside, you can retrieve the same type of information from a running process using the pldd command. Notice how we get the same list of libraries when we ask about a running Apache process:

  # pldd 1543
  1543: /opt/apache/bin/httpd
  /usr/lib/libsocket.so.1
  /usr/lib/libnsl.so.1
  /usr/lib/libpthread.so.1
  /usr/local/lib/libexpat.so.0.1.0
  /usr/lib/libc.so.1
  /usr/lib/libdl.so.1
  /usr/lib/libmp.so.2
  /usr/lib/libthread.so.1
  /usr/lib/nss_files.so.1
  
If there is need for a /tmp directory, you can add one easily:

  # mkdir -p tmp
  # chmod 777 tmp
  # chmod +t tmp
  
Now, let's set up the special Solaris device files:

  # chmod 666 dev/*
  # chgrp -R sys dev
  # mknod dev/null c 13 2
  # mknod dev/zero c 13 12
  # mknod dev/tcp c 42 0
  
If you want to set up the timezone for the account, you can copy the timezone file for your area from the /usr/share/lib/zoneinfo directory:

  # mkdir -p usr/share/lib/zoneinfo
  # cp -pi /usr/share/lib/zoneinfo/`date +%Z` usr/share/lib/zoneinfo/
  
Finally, we will give our jailed user the binaries he will need:

  # cp /usr/bin/cd usr/bin
  # cp /usr/bin/ls usr/bin
  # chmod 111 usr/bin/*
  
To ensure these commands will work, we then copy the shared libraries we have determined will be required:


  # cp -pi /usr/lib/ld.so.1 usr/lib
  # cp -pi /usr/lib/libc.so.1 usr/lib
  # cp -pi /usr/lib/libdl.so.1 usr/lib
  # cp -pi /usr/lib/libgen.so.1 usr/lib
  # cp -pi /usr/lib/libintl.so.1 usr/lib
  # cp -pi /usr/lib/libmp.so.1 usr/lib
  # cp -pi /usr/lib/libnsl.so.1 usr/lib
  # cp -pi /usr/lib/libsocket.so.1 usr/lib
  # cp -pi /usr/lib/libw.so.1 usr/lib
  # cp -pi /usr/lib/nss_compat.so.1 usr/lib
  # cp -pi /usr/lib/nss_dns.so.1 usr/lib
  # cp -pi /usr/lib/nss_files.so.1 usr/lib
  # cp -pi /usr/lib/nss_nis.so.1 usr/lib
  # cp -pi /usr/lib/nss_nisplus.so.1 usr/lib
  # cp -pi /usr/lib/straddr.so usr/lib
  
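The library-copying step above is the one most often done by hand and most often done wrong: a library is missed, or a copied file carries a mode that the jailed user can abuse. The following shell script is an added example written for this column, not code from the column or from Solaris; it takes ldd output of the shape shown earlier, extracts each resolved library path once, stages the files under the jail with their directory layout intact, and then audits the jail for setuid/setgid files and world-writable paths that lack the sticky bit. The function names (ldd_paths, stage_libs, audit_jail), the SAMPLE_LDD text and the SRCROOT parameter are this example's own; SAMPLE_LDD is constructed to mimic the column's httpd listing.

```shell
# Added example (not from the column): resolve a jail's library needs from
# ldd output, stage the files under the jail, and audit the result.
umask 022

# Constructed ldd output in the shape the column shows for httpd. On a real
# host you would use: SAMPLE_LDD=$(ldd /opt/apache/bin/httpd)
SAMPLE_LDD='libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libexpat.so.0 => /usr/local/lib/libexpat.so.0
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libc.so.1 => /usr/lib/libc.so.1'

# ldd_paths LDD_OUTPUT: print each resolved library path once, sorted.
# Lines without "=> /absolute/path" (unresolved entries) are skipped.
ldd_paths() {
    printf '%s\n' "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# stage_libs JAIL SRCROOT PATH...: copy SRCROOT/PATH to JAIL/PATH, creating
# directories as needed, so /usr/lib/libc.so.1 lands in JAIL/usr/lib/libc.so.1.
# SRCROOT is "" on the live system; the test points it at a constructed tree.
stage_libs() {
    jail=$1; srcroot=$2; shift 2
    for p in "$@"; do
        mkdir -p "$jail$(dirname "$p")"
        cp -p "$srcroot$p" "$jail$p"
    done
}

# audit_jail JAIL: print every setuid/setgid regular file and every
# world-writable path (symlinks excluded) that lacks the sticky bit, since a
# jailed user could plant or replace files there. Returns 0 when the jail is
# clean and 1 when anything is found.
audit_jail() {
    jail=$1
    findings=$( find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print
                find "$jail" ! -type l -perm -0002 ! -perm -1000 -print )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

On a Solaris host you would run `stage_libs /chrooted/grilli "" $(ldd_paths "$(ldd /usr/bin/ls)")` for each binary you copy into usr/bin, then `audit_jail /chrooted/grilli` after the device-node and tmp steps. Two things the column's own listings show that the script does not do for you: the runtime linker ld.so.1 never appears in ldd output, so it is copied by hand as the column does, and the `chmod +t tmp` step matters, because a 777 tmp without the sticky bit is exactly what the audit flags.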
When you create your new user, you should add the user both to the system passwd and shadow files and to the same files in the user's chrooted environment.

  # echo 'grilli:x:8002:8080:grilli:/world/home/chroot/./:/bin/ftponly' \
  >> /etc/passwd
  # grep ^grilli /etc/passwd >> etc/passwd
  # echo 'grilli:OpcGU8ryX0MN2:13823:28:182::::' >> /etc/shadow
  # grep ^grilli /etc/shadow >> etc/shadow
  # echo 'guests:x:8080:' > etc/group
  
The system /etc/passwd and /etc/shadow files allow the user to log in to the system (in our case, only with ftp). The local files are for use by your chrooted application.

You can test your environment by doing this:

  # chroot /chrooted/grilli /bin/ls
  bin dev etc tmp usr
  datafile downloads lib uploads
  
If you try a command that hasn't been set up, "date" for example, you will get a "No such file or directory" error because the chrooted environment doesn't know anything about this command:

  # chroot /chrooted/grilli /bin/date 
  chroot: No such file or directory
  
If you add the date command to the chrooted /usr/bin, the command will work:

  # chroot /world/home/chroot /bin/date
  Sat Nov 10 21:17:06 US/Eastern 2007

  
For ftp, the process for setting up a chrooted environment involves a number of steps but, taken one at a time, none of the steps are particularly troublesome. For other services, you need to determine what the particular applications require and then follow the same basic steps.


Sandra Henry-Stocker has been administering Unix systems for more than 18 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She currently works for TeleCommunication Systems, a wireless communications company, in Annapolis, Maryland, where no one else necessarily shares any of her opinions. She lives with her second family on a small farm on Maryland's Eastern Shore. Send comments and suggestions to bugfarm@gmail.com.



