Ade Malsasa Akbar
Senior author, Open Source enthusiast.
Monday, September 28, 2015 at 12:10

chroot (change root) is a facility provided by the Linux kernel for isolating a process. It changes the root (/) of the filesystem, as seen by one process, to another directory. People call a chroot a jail: an environment in which a process works only inside and can't see outside. In practice, creating a chroot environment means copying a program and its dependencies into a directory and then running the chroot command. In other words, it is like creating a small clone of the original system inside a directory. In Linux, chroot needs the root user, as you will see below. I will show how to chroot bash by example. This tutorial also applies to other Linux distributions such as Linux Mint or Debian.

Overview

 

  • We will create chroot for bash (GNU Bourne Again Shell).
  • My $HOME is /home/master.
  • Here, I always use absolute paths to help distinguish between the original system and chroot system.
  • What we will do is copy a program and its dependencies. Before that, we need to set up the directory structure.
  • This article is based on Ubuntu 14.04 32-bit.

1. Setting The Directory

 

mkdir box
mkdir -p /home/master/box/{bin,lib}
pwd
ls -R
Explanation: we must create the jail directories first. To clone the original system, we need at least the bin and lib directories inside the jail. pwd and ls -R show where you are and which directories exist.


2. Copying Program

 

cp -v /bin/bash /home/master/box/bin
Explanation: we want to create a jail for bash, so we copy bash from /bin/bash (original system) into /home/master/box/bin/ (chroot system).

3. Copying Program's Dependencies

 

ldd /bin/bash
cp /lib/i386-linux-gnu/{library1,library2,library3} /lib/ld-linux.so.2 /home/master/box/lib
Explanation: ldd lists the shared libraries a program needs. Running ldd /bin/bash shows 4 library files. Copy those 4 library files into /home/master/box/lib (library1, library2 and library3 in the command stand for the names ldd prints). In this experiment, I don't create the i386-linux-gnu directory in the chroot system, but it works anyway. Note that on another Linux distribution, or another Ubuntu version, you will probably have a different library directory.
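
Steps 1 to 3 automated, as an added example that is not part of the original tutorial. Unlike the flat lib directory used above, it keeps every library at the same absolute path it has on the host, so it does not depend on the i386-linux-gnu directory name; the function names list_deps, build_jail and missing_deps are made up for this example.

```shell
#!/bin/sh
# Added example: fill a chroot directory with a program and its libraries.
# ldd may run code from the file it inspects, so use it only on trusted binaries.

# list_deps PROG: print the absolute path of each library ldd resolves.
# Typical ldd lines (addresses shortened):
#   libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7...)
#   /lib/ld-linux.so.2 (0xb7...)
#   linux-gate.so.1 =>  (0xb7...)    # virtual object, no file to copy
list_deps() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }' | sort -u
}

# build_jail DEST PROG: copy PROG and its libraries into DEST, each at the
# same absolute path it has on the host (DEST/bin/bash, DEST/lib/..., etc.).
build_jail() {
    dest=$1 prog=$2
    [ -x "$prog" ] || { echo "not executable: $prog" >&2; return 1; }
    mkdir -p "$dest$(dirname "$prog")" || return 1
    cp "$prog" "$dest$prog" || return 1
    for lib in $(list_deps "$prog"); do
        mkdir -p "$dest$(dirname "$lib")" || return 1
        cp "$lib" "$dest$lib" || return 1
    done
}

# missing_deps DEST PROG: print libraries PROG needs that DEST does not have.
# Empty output means every library ldd resolved is present in the jail.
missing_deps() {
    for lib in $(list_deps "$2"); do
        [ -e "$1$lib" ] || echo "$lib"
    done
    return 0
}

# Usage with the tutorial's paths:
#   build_jail /home/master/box /bin/bash
#   missing_deps /home/master/box /bin/bash
```

If missing_deps prints a path, chroot will report that the program cannot be started, because a library it needs is absent from the jail.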


4. chroot

 

cd /home/master/box
pwd
ls -R
sudo chroot /home/master/box /bin/bash
Explanation: notice the /bin/bash path. This is already a chroot system path, not our original system path. This command will invoke bash from /home/master/box/bin/bash, not from our Ubuntu /bin/bash. Don't remove the first slash (/) of /bin/bash or your chroot will fail. Run this command from the root of our chroot directory structure (/home/master/box). And use sudo, or it will fail too. Notice that your bash prompt will change into bash-x.y# (where x.y is its version number).



5. Do Something Inside chroot

 

bash --version
ls
rm
mkdir
pwd
bash --help
Explanation: to understand more about the chroot jail, now execute some commands. You will notice that any command outside the chroot bash fails (error: command not found). Only bash and its built-in commands can be invoked. This means our chroot jail works. The chroot bash can't see any directory outside our /home/master/box. We have succeeded in isolating bash inside a chroot jail.



6. Exit chroot

 

exit
Explanation: to exit the chroot jail, type exit in the chroot bash.