As the name implies, a chroot operation changes the apparent root directory for a running process and its children. It allows you to run a program (process) with a root directory other than /. The program cannot see or access files outside the designated directory tree.
For example, you can run a program and specify its root directory as /home/oracle/jail. In this case, the program’s root directory is actually /home/oracle/jail. The program would not be aware of, or able to access, any files above this directory in the hierarchy. This artificial root directory is called a chroot jail. Its purpose is to limit the directory access of a potential attacker. The chroot jail locks down a given process and any user ID it is using so that the user sees only the directory that the process is running in. To the process, it appears that it is running in the root directory.
Running DNS and FTP Services in a chroot Jail
Two services are set up to take advantage of chroot jails. You can set up DNS so that named runs in a jail. The vsftpd FTP server can automatically start chroot jails for clients.
DNS in chroot Jail
The bind-chroot package allows you to set up named to run in a chroot jail. When you install this package, the /var/named/chroot directory is created and becomes the chroot jail directory for all BIND files.
- The /var/named directory becomes /var/named/chroot/var/named.
- /etc/named* files become /var/named/chroot/etc/named* files.
Installing this package also sets the ROOTDIR shell variable to /var/named/chroot in the /etc/sysconfig/named file. The advantage of running named in a chroot jail is that if a hacker enters your system via a BIND exploit, the hacker’s access to the rest of your system is isolated to the files under the chroot jail directory.
FTP Clients in chroot Jail
By default, anonymous users are placed in a chroot jail. When an anonymous user logs in to a vsftpd server, the user’s home directory is /var/ftp. However, all that the user sees is /.
For example, a directory named /var/ftp/upload appears as /upload to an anonymous user. This prohibits anonymous users from being able to access any files above /var/ftp in the directory hierarchy.
Local users that access a vsftpd server are placed in their home directory. You can enable options in the /etc/vsftpd/vsftpd.conf file to put local users in a chroot jail, where the artificial root directory is the user’s home directory. The following options exist in the vsftpd configuration file to implement a chroot jail for local users:
- chroot_list_enable
- chroot_local_user
- chroot_list_file
When a local user logs in to the vsftpd server, the chroot_list_enable directive is checked. If this directive is set to YES, the service checks the /etc/vsftpd/chroot_list file (by default) or another file specified by the chroot_list_file directive.
The chroot_local_user directive is then checked. If this directive is set to YES, the chroot_list file becomes a list of users who are NOT placed in a chroot jail. If this directive is set to NO, the users listed in the file are put into a chroot jail in their home directories.
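The directive logic described above, as an added example (not part of the original page and not vsftpd's own code): a small Python audit helper that reports which local users end up in a chroot jail for a given vsftpd.conf and chroot list. It also covers chroot_list_enable=NO, which goes beyond the cases the text walks through; the sample configuration text, list contents and user names are constructed.

```python
# Added example: evaluate the vsftpd chroot directives for local users.
DEFAULTS = {
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "chroot_list_file": "/etc/vsftpd/chroot_list",  # default path as stated on this page
}

def parse_conf(text):
    """Parse vsftpd.conf text: option=value lines, '#' starts a comment line."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def parse_user_list(text):
    """One user name per line; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def is_chrooted(conf, listed_users, user):
    """chroot_local_user sets the default; a listed user gets the opposite."""
    jailed = conf["chroot_local_user"].upper() == "YES"
    if conf["chroot_list_enable"].upper() == "YES" and user in listed_users:
        jailed = not jailed
    return jailed

def audit(conf_text, list_text, users):
    """Return {user: True if the user is jailed in the home directory}."""
    conf = parse_conf(conf_text)
    listed = parse_user_list(list_text)
    return {user: is_chrooted(conf, listed, user) for user in users}

# Constructed sample inputs (not taken from a real system).
CONF_LIST_IS_EXEMPT = "# jail everyone except listed users\nchroot_local_user=YES\nchroot_list_enable=YES\n"
CONF_LIST_IS_JAILED = "chroot_local_user=NO\nchroot_list_enable=YES\n"
CHROOT_LIST = "alice\n"
USERS = ["alice", "bob"]

if __name__ == "__main__":
    for name, conf in [("list = exempt users", CONF_LIST_IS_EXEMPT),
                       ("list = jailed users", CONF_LIST_IS_JAILED)]:
        for user, jailed in audit(conf, CHROOT_LIST, USERS).items():
            print(f"{name}: {user} -> {'chroot jail' if jailed else 'NOT jailed'}")
```

Run it against the real /etc/vsftpd/vsftpd.conf and the file named by chroot_list_file to confirm that no local account is left outside a jail unintentionally.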