قالب وردپرس درنا توس
Home / Tips and Tricks / How to use the chroot command on Linux

How to use the chroot command on Linux



  A terminal prompt on the screen of a Linux laptop.
Fatmawati Achmad Zaenuri / Shutterstock.com

The command chroot can send you to jail, keep your development or test environments isolated, or simply improve the security of your system. We show you the easiest way to use it.

What is a chroot?

When attempting to measure the usefulness of a command, you must consider the functionality and ease of use offered. If it is too complicated for people to use or too long-winded to let them try to use it, the functionality might as well be zero. If nobody uses it, it doesn't offer any functionality.

In discussions with Linux users ̵

1; personal and on forums – the command chroot seems to be one that is difficult to use, or too persnickety and annoying to set up. It seems that this great tool is not used as often as it could be.

With chroot you can set programs and interactive shells such as Bash and run them in an encapsulated file system that does not interact with your normal file system. Everything within the chroot environment is written down and contains. Nothing in the area chroot can look beyond its own special root directory without escalating to root privileges. That has given this type of environment the nickname of a chroot prison. The term "prison" should not be confused with the command prison from FreeBSD, which creates an environment chroot that is safer than the usual environment chroot . [19659006] But actually there is a very simple way to use chroot that we go through. We use regular Linux commands that work on all distributions. Some Linux distributions have special tools to set up chroot environments, such as the Ubuntu debut trap, but we are distro-agnostic here.

When should you use a chroot?

A chroot environment offers functionality similar to that of a virtual machine, but it is a lighter solution. The captive system does not require a hypervisor to be installed and configured, such as VirtualBox or Virtual Machine Manager. Neither does a kernel need to be installed in the captive system. The captive system shares your existing kernel.

In some respects, chroot environments are closer to containers such as LXC than to virtual machines. They are lightweight, quick to implement and one to make and start can be automated. Just like containers, a convenient way to configure them is to install just enough of the operating system so that you can achieve what is needed. The question "what is required" is answered by looking at how to use your chroot environment.

Some common applications are:

Software development and product verification . Developers write software and the product verification team (PV) tests it. Sometimes problems are found by PV that cannot be replicated on the developer's computer. The developer has installed all sorts of tools and libraries on their development computers that the average user – and PV – do not have. Often new software that works for the developer, but not for others, appears to use a source on the developer's PC that is not included in the software test release. chroot allows developers to have a simple vanilla-captive environment on their computer in which they can immerse the software before being given to PV. The captive environment can be configured with the absolute minimum dependencies that the software requires.

Restriction of development risk . The developer can create a special development environment so that nothing that happens in it can mess up his actual PC.

Run outdated software . Sometimes you just have to have an old version of something that is running. If the old software has requirements that conflict or are incompatible with your version of Linux, you can chroot an environment for the problem software.

Recovery and file system upgrades : If a Linux installation becomes unusable, you can use chroot to mount the damaged file system to a mount point on a Live CD. This allows you to work in the damaged system and try to repair it as if it were normally mounted on root /. This means that the expected file paths within the damaged system are correctly referenced from the root directory and not from the Live CD mount point. A similar technique was used in the article that describes how the Linux file system can be migrated from ext2 or ext3 to ext4.

Ring fencing applications . Running an FTP server or other device with an internet connection in a chroot environment limits the damage that an external attacker could cause. This can be a valuable step in improving the security of your system.

RELATED: How to migrate Ext2 or Ext3 file systems to Ext4 on Linux

Creating a chroot environment

We need a folder to act as the root of the environment chroot . So that we have a short way to refer to that folder, we make a variable and save the name of the folder. Here we set a variable to store a path to the "testroot" folder. It does not matter if this folder does not yet exist, we will create it soon. If the folder exists, it must be empty.

  chr = / home / dave / testroot 

  chr = / home / dave / testroot in a terminal window

If the folder does not exist, we have to create it. We can do that with this command. The option -p (parents) causes missing parent folders to be created simultaneously:

  mkdir -p $ chr 

  mkdir -p $ chr in a terminal window [19659006] We must create folders to contain the parts of the operating system that our chroot environment needs. We are going to set up a minimalistic Linux environment that Bash uses as an interactive shell. We also include the assignments touch rm and ls . With this we can use all built-in commands from Bash and use touch rm and ls . We can create, view and delete files and use Bash. And – in this simple example – that's all.

Make a list of the folders you must create within the {} brace extension.

  mkdir -p $ chr / {bin, lib, lib64} [19659030] mkdir -p $ chr / {bin, lib, lib64} in a terminal window " width="646" height="57" src="/pagespeed_static/1.JiBnMqyl6S.gif" onload="pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);" onerror="this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);"/> 

Now we change the folder to our new root folder .

  cd $ chr 

  cd $ chr in a terminal window

Let's copy the binary files we need in our minimalistic Linux environment from your regular "/ bin" folder to our folder chroot "/ bin". The option -v (extended) lets cp tell us what it does while it performs every copy action.

  cp -v / bin / {bash, touch, ls, rm} $ chr 

  cp -v / bin / {bash, touch, ls, rm} $ chr in a terminal window

The files are copied for us:

 output of cp because files are copied in a terminal window

These binary files have dependencies. We must discover what they are and those that also copy files to our environment, otherwise bash touch rm and ls will not be able to function . We must do this in turn for each of our chosen assignments. We'll do Bash first. The assignment ldd shows the dependencies for us.

  ldd / bin / bash 

  ldd / bin / bash in a terminal window

The dependencies are identified and listed in the terminal window:

 Bash dependencies displayed in a terminal window

We need to copy those files to our new environment. Choosing the details from that list and copying them one by one will be time-consuming and error-prone.

Fortunately we can semi-automate it. We will re-state the dependencies and this time we will form a list. We then go through the list of copying the files.

Here we use ldd to display dependencies and to feed the results through a pipe in egrep . The use of egrep is the same as the use of grep with the option -E (extended regular expressions). The option -o (matching only) limits the output to the corresponding parts of lines. We search for matching library files that end with a number [0-9].

  list = "$ (ldd / bin / bash | egrep -o & # 39; / lib. * . Cialis19459074es & # 39;)" cialis19659049] list = "$ (ldd / bin / bash | egrep -o ' /lib.*.elko19459069] ') "in a terminal window " width="646" height="77" src="/pagespeed_static/1.JiBnMqyl6S.gif" onload="pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);" onerror="this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);"/> 

We can check the contents of the list with echo :

  echo $ list 

  echo $ list in a terminal window

Now that when we have the list, we can walk through it with the following loop and copy the files one by one. We use the variable i to scroll through the list. For each member of the list, we copy the file to our chroot directory with the value in $ chr .

The -v (extended) option causes cp to announce each copy while it is being executed. The option --parents causes missing parent directories to be created in the environment chroot .

  for i in $ list; do cp -v --parents "$ i" "$ {chr}"; done 

  for i in $ list; do cp -v --parents

And this is the output:

 output of the cp loop in a terminal window

We will use that technique to fix the dependencies for each of the other assignments. And we will use the loop technique to perform the actual copying. The good news is that we only have to do a small operation for the command that collects the dependencies.

We can retrieve the command from our command history by pressing the Up Arrow several times and then the edit. The looping copy command does not have to change at all.

Here we used the Up Arrow key to find the command, and we edited it to say touch instead of bash .

  list = "$ (ldd / bin / touch | egrep -o & # 39; / lib. * . [0-9] & # 39;)" 

  list = [19659006] We can now do the exact same loop command repeat as before:

  for i in $ list; do cp -v --parents "$ i" "$ {chr}"; done 

  for i in $ list; do cp -v --parents

And our files are copied for us:

 error of the cp loop that copies the touch dependencies in a terminal window

We can now edit the list command line for ls :

  list = "$ (ldd / bin / ls | egrep -o & # 39; / lib. * . [0-9] & # 39;) "[19659071] list =" $ (ldd / bin / ls | egrep -o '/lib.*.elko19459069]') "in a terminal window " width="646" height="77" src="/pagespeed_static/1.JiBnMqyl6S.gif" onload="pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);" onerror="this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);"/> 

Again, we will use the same loop command use. It does not matter which files are in the list. It works blindly through the list that copies the files for us.

  for i in $ list; do cp -v --parents "$ i" "$ {chr}"; done 

  for i in $ list; do cp -v --parents

And the dependencies for ls are copied for us:

 Output of the cp loop that copies the ls dependencies in a terminal window

We are editing the list command line for the last time, making it work for rm :

  list = "$ (ldd / bin / ls | egrep - o & # 39; / lib. * . cialis19459074Buch & # 39;) "cialis19659079 do cp -v --parents" $ i "" $ {chr} "; done 

The last of our dependencies are copied to our chroot environment. We are finally ready to use the command chroot . This command sets the root of the environment chroot and specifies which application will run as a shell.

  sudo chroot $ chr / bin / bash 

 sudo chroot $ chr / bin / bash in a terminal window

Our chroot environment is now active. The terminal window prompt has been changed and the interactive shell is handled by the bash shell in our area.

 Active chroot environment in a terminal window

We can try the commands that we have released into the environment.

  ls 
  ls / home / dave / Documents 

 Active chroot environment in a terminal window

The ls command works as we would expect when we expect it use in the environment. When we try to access a folder outside the environment, the command fails.

We can touch to create a file, is to display it, and rm to delete it.

  hit sample_file.txt 
  is 
  rm sample_file.txt 
  is 

 hit sample_file.txt in a terminal window

Or of course we can also use the built-in commands that offers the Bash shell. If you type help on the command line, Bash displays them for you.

  help 

 Execution of the help command in a terminal window

Use exit to leave the chroot environment:

  exit 

 use exit to leave the chroot environment in a terminal window

If you change the chroot [19459010wiltverwijderen] environment, you can easily remove it:

  rm -r testroot / 

 rm -r testroot / in a terminal window

This recursively deletes the files and folders in the chroot environment.

Automate for convenience

If you think that chroot environments may be useful to you, but that they are a bit tricky to set up, remember that you can take the pressure off and risk always eliminate repetitive tasks by using aliases, functions and scripts.

RELATED: How to Create Aliases and Shell Functions on Linux




Source link