Security Handbook/Chrooting and Virtual Servers

Chrooting
Chrooting a service limits the service's (or user's) environment so that it can access only what it should, and cannot reach files or information that could lead to root access. By running the service as another user than  an attacker can only access files with the permissions of this user. This means that an attacker cannot gain access even if the service has a security flaw.

Some services like and  have features for chrooting, and other services do not. If the service supports it, use it; otherwise you have to figure out how to create your own. Let's see how to create a chroot. For a basic understanding of how chroots work, we will test it with (easy way of learning).

Create the directory with. And find what dynamic libraries that is compiled with (if it is compiled with  this step is not necessary):

The following command will create a list of libraries used by.

Now let's create the environment for.

Next, copy the files used by  to the chrooted  and copy the bash command to the chrooted  directory. This will create the exact same environment, just with less functionality. After copying try it out:. If you get a prompt saying it works! Otherwise it will properly tell you which file is missing. Some shared libraries depend on each other.

You will notice that inside the chroot nothing works except. This is because we have no other commands in our chroot environment than bash and is a built-in functionality.

This is basically the same way you would create a chrooted service. The only difference is that services sometimes rely on devices and configuration files in. Simply copy them (devices can be copied with ) to the chrooted environment and edit the init script to use chroot before executing. It can be difficult to find which devices and configuration files a service needs. This is where the command comes in handy. Start the service with bash and look for open, read, stat and maybe connect. This will give you a clue on what files to copy. But in most cases just copy the passwd file (edit the copy and remove users that have nothing to do with the service),, and.
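The library-copying steps described above, as an added shell example (not the handbook's own commands): it copies one trusted binary and every shared object `ldd` reports into a chroot tree at the same absolute paths, then reports anything still missing. The function names and the target directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: populate a minimal chroot tree for one trusted binary.
# Function names and the target directory are hypothetical.

# Print the absolute paths of the shared objects a binary is linked against.
# Only run ldd on binaries you trust: it may execute code from the file.
list_libs() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        sort -u
}

# Copy a file into the tree at the same absolute path it has on the host.
# -L follows symlinks so the tree holds real files, not dangling links.
copy_into() {
    dest_root=$1 src=$2
    mkdir -p "$dest_root$(dirname "$src")" &&
        cp -L "$src" "$dest_root$src"
}

# Usage: build_chroot <target-dir> <absolute-path-to-binary>
build_chroot() {
    root=$1 bin=$2
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    mkdir -p "$root" || return 1
    copy_into "$root" "$bin" || return 1
    # A statically linked binary yields no library lines; the loop is skipped.
    for lib in $(list_libs "$bin"); do
        copy_into "$root" "$lib" || return 1
    done
}

# Print libraries the binary needs that are absent from the tree.
# Empty output means every dependency ldd reported has been copied.
missing_libs() {
    root=$1 bin=$2
    for lib in $(list_libs "$bin"); do
        [ -e "$root$lib" ] || echo "$lib"
    done
}
```

Entering the finished tree with `chroot <target-dir> <binary>` requires root; building and checking the tree does not.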

User Mode Linux
Another way of creating a more secure environment is by running a virtual machine. A virtual machine, as the name implies, is a process that runs on top of your real operating system providing a hardware and operating system environment that appears to be its own unique machine. The security benefit is that if the server running on the virtual machine is compromised, only the virtual server is affected and not the parent installation.

For more information about how to set up User Mode Linux, consult the User Mode Linux Guide.