# 12-A.2: chroot Jail

## What is a chroot Jail?

A chroot on Linux systems is an operation that changes the apparent root directory for the current running process and its children. The programs that run in this modified environment cannot access the files outside the designated directory tree. This essentially limits their access to a directory tree and thus they get the name “chroot jail.”

The idea is that you create a directory tree where you copy or link in all the system files needed for a process to run. You then use the chroot system call to change the root directory to be at the base of this new tree and start the process running in that chrooted environment. Since it can’t actually reference paths outside the modified root, it can’t maliciously read or write to those locations.

Why is it required and how is it different from the virtual machines?
This is an operating-system level virtualization and is often used instead of virtual machines to create multiple isolated instances of the host OS. This is a kernel level virtualization and has practically no overhead as compared to Virtual Machines, which are an application layer virtualization. As a result it provides a very good method for creating multiple isolated instances on the same hardware. A virtual machine (VM) is a software implementation of a machine and they often exploit what is known as the Hardware Virtualization to render virtual images of a working operating system.

How to use chroot
The basic command to create a chroot jail is as follows. Steps to create a mini-jail for the ‘bash’ and the ‘ls’ command:

1. Create a directory which will act as the root of the command.

pbmac@pbmac-server $mkdir newroot pbmac@pbmac-server$ cd newroot

2. Create all the essential directories for the command to run: Depending on your operating system, the required directories may change. Logically, we create all these directories to keep a copy of required libraries. To see what all directories are required, see Step 4.

pbmac@pbmac-server $mkdir -p bin lib64/x86_64-linux-gnu lib/x86_64-linux-gnu 3.Run the ‘which’ command: Run the which command to find the location of ls and bash command. After running which command, copy those binaries in the ‘bin’ directory of our jail. Make sure you don’t have any of these commands aliased. From now on, we would be referring to our directory asJAILED directory for convenience. pbmac@pbmac-server$ unalias ls          # Required only if you have aliased ls command
pbmac@pbmac-server $unalias bash # Required only if you have aliased bash command pbmac@pbmac-server$ cp $(which ls) ./bin/ pbmac@pbmac-server$ cp $(which bash) ./bin/ 4. Copy appropriate libraries/objects: For the executables in our newroot directory to work we need to copy the appropriate libraries/objects in the JAILED directory. By default, the executable looks at the locations starting with ‘/’. To find the dependencies we use the command ‘ldd.’ pbmac@pbmac-server$ ldd $(which bash) linux-vdso.so.1 => (0x00007ffc75dd4000) libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f6577768000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6577564000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f657719a000) /lib64/ld-linux-x86-64.so.2 (0x000055979f3fd000) Run the following commands to create appropriate directories: pbmac@pbmac-server$ cp /lib/x86_64-linux-gnu/libtinfo.so.5 lib/x86_64-linux-gnu/
pbmac@pbmac-server $cp /lib/x86_64-linux-gnu/libdl.so.2 lib/x86_64-linux-gnu/ pbmac@pbmac-server$ cp /lib/x86_64-linux-gnu/libc.so.6 lib/x86_64-linux-gnu/
pbmac@pbmac-server $cp /lib64/ld-linux-x86-64.so.2 lib64/ So, ALL of the necessary file are copied into the new location to be a part of the chrooted environment. This is necessary because the user running in the chrooted environment cannot access the file system outside of the newroot folder. 5. Sudo chroot: Run this command to change the root to the JAILED directory, along with the path to the shell. By default it will try to load ‘/bin/sh’ shell. pbmac@pbmac-server$  cd ..
pbmac@pbmac-server $sudo chroot newroot /bin/bash You might face this error while running the chroot command: chroot: failed to run command `/bin/bash': No such file or directory This may be due to two reasons: either the file does not exist (which is obvious), or when the loading library fails or is not available. Double-check if the libraries are in the correct location. 6. A new shell must pop up: It's our newroot bash. We currently have only two commands installed, bash and ls. Fortunately cd and pwd are built-in commands in bash shell, so you can use them as well. Roam around the directory - try accessing ‘cd /../’ or something similar. Try to break the jail; probably you won’t be able to. To exit from the jail: pbmac@pbmac-server$ exit

The most important and interesting part is that, when you run,

pbmac@pbmac-server \$ ps aux

and find the process, you’ll find that there is only one process:

root     24958  …  03:21   0:00 /usr/bin/sudo -E chroot newroot/ /bin/bash

Interestingly, processes in the newroot shell run as a simple child process of this shell. All the processes inside the JAILED environment are just simple user level processes in the host OS and are isolated by the namespaces provided by the kernel. Thus there is minimal overhead and as an added benefit we get isolation.