Advanced.Linux.Networking..Roderick.Smith [Electronic resources] text version


Roderick W. Smith

Necessary chroot Environment Files


The first task in configuring a server to
operate in a chroot jail is to prepare the jail. This means you must create an
appropriate directory tree, copy system files, and copy the server's files. In some
sense, you set up a miniature Linux system in the chroot jail, but this
miniature system is missing most of the programs and configuration files that
make up a normal Linux system.

NOTE

This section describes the process of
setting up the chroot environment in a relatively abstract way. The next section,
"Configuring a Server to Operate in a chroot Jail," provides a more concrete look at
server configuration, including an example of running BIND in a chroot jail.


Preparing a Directory Tree


A chroot jail needs a
directory to call its own. In principle, you can place this directory anywhere
in the Linux filesystem tree, except for pseudo-filesystem directories like /proc. If your
server needs to be able to write files, the chroot directory tree
must exist on a read/write medium. The examples in this chapter use /opt/chroot as
the root of the chroot jail, but this is an arbitrary placement.

Within your chroot tree, you should
create directories modeled after those of the normal Linux root directory,
including subdirectories. Chances are you'll need only a small subset of the
directories needed in a regular Linux installation, though. Common directories
you might need to create include /bin, /sbin, /usr, /lib, /etc, and /var. You may
need to add to this directory list as you add server-specific files. You should
not populate these directories with all the
files that reside in their regular counterparts; much of the point of running
in a chroot jail is to deprive a would-be cracker of access to the regular mix
of tools available in these directories.

If you want to run multiple chroot servers, you should create a separate chroot tree for each one.
For instance, you might create /opt/chroot/ftp and /opt/chroot/sendmail.

Copying Server Files


Once you've created a basic chroot jail
directory tree, you need to copy files into that tree. There are actually two
different conditions that may apply. First, the server may directly support chroot
operations. In this case, it may not be necessary to copy the server's
executable to the chroot jail. Instead, you run the server from outside the jail, but tell
it where the jail is. The server then issues a chroot() call
internally, and thereafter it's locked into the jail. The server might read its
configuration files from outside of the jail, too, so this operation can be
nearly transparent: you only need to provide the jail itself and whatever files
the server needs during normal operation. FTP servers often lock themselves
into chroot jails in this way, particularly when they run as anonymous FTP
servers. Chapter 21, Running FTP Servers, covers anonymous FTP server operation,
including setting up the necessary chroot jail directory.

The other option is to run a server that
doesn't include built-in chroot support by using the chroot program. In this approach, you must
copy the server executable file, its configuration files, and any files it
requires during normal operation to the jail. You'll also have to copy some
more general system files, as described in the next section, "Copying System Files."
Tracking down the files that the server needs can be tricky,
because there's no simple rule that will always find the necessary files. You
may be able to find leads by checking the server's documentation and by
examining the list of files that come with the distribution package. For
instance, you can use tar, rpm, or dpkg to find the files in the original server package. You may not need
to copy all of these files. For instance, you
can leave documentation files outside of the chroot jail. Another
trick is to use the strace program to discover what files a server opens. You can run the
server with a command like strace serverprog and examine the output to discover what serverprog is doing, including what files it's opening.
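
The strace approach described above, as an added example that is not from the book: a filter that reduces strace output to the files a server actually opened and labels each with the action the jail needs. The function names and the sample trace are constructed for illustration.

```sh
#!/bin/sh
# Added example: turn strace output into a list of files a jail may need.

# Read strace output on stdin and print, once each, every absolute path that
# was opened successfully. Failed opens ("= -1 ENOENT ...") are dropped, and
# the "1234 " / "[pid 1234] " prefixes strace adds for child processes are
# accepted.
opened_paths() {
    sed -n -E 's#^(\[pid +[0-9]+\] |[0-9]+ +)?(open|openat)\((AT_FDCWD, )?"(/[^"]*)".*\) = [0-9]+$#\4#p' |
        LC_ALL=C sort -u
}

# Label each path with the action the jail needs: ordinary files are copied,
# /dev entries are recreated with mknod, /proc needs a mount inside the jail.
classify_paths() {
    while IFS= read -r p; do
        case $p in
            /dev/*)  echo "mknod $p" ;;
            /proc/*) echo "mount $p" ;;
            *)       echo "copy $p" ;;
        esac
    done
}

# Constructed sample of strace output (not captured from a real server).
sample_trace() {
    cat <<'EOF'
execve("/usr/sbin/named", ["named"], 0x7ffd0 /* 12 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libmissing.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/named.conf", O_RDONLY) = 4
[pid  2101] openat(AT_FDCWD, "/dev/null", O_RDWR) = 5
2101 openat(AT_FDCWD, "/etc/named.conf", O_RDONLY) = 4
EOF
}

sample_trace | opened_paths | classify_paths
```

On a real system the input would come from something like strace -f -o trace.log serverprog, with trace.log then piped through opened_paths; paths that were probed but not found never reach the copy list.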

NOTE


Although I refer to copying files, you may ultimately want to move them instead. This will guarantee that your
server is running from the jail, at least if your configuration files use
absolute references to other files, such that they won't work except in a chroot environment. Creating hard links, if the jail is on the same partition as the
main files, may also be an option. (Symbolic links won't work if they lead
outside of the jail.) On the other hand, creating a chroot jail
in its own partition offers some security advantages because it's then impossible
to create hard links outside of the chroot environment,
thus reducing the risk of a server compromise being used to modify outside
files.


Copying System Files


After you've copied the basic server files to
the chroot jail, you must copy any general-purpose Linux system files upon
which the server depends. Precisely what files are needed varies from one
server to another, but some common files you might need include the following:

Libraries: Many servers rely upon dynamically linked libraries. These are
usually stored in /lib, or occasionally /usr/lib. You can discover what libraries a given server requires by using
the ldd command, as in ldd /usr/sbin/named. You should copy
any files listed by this command to equivalent directories in the chroot jail.

Support programs: Some servers rely on support programs. For instance, a Web server
that supports scripting relies upon the scripting language executable (such as /usr/bin/perl),
and perhaps files that support this executable. You must copy these support
programs to appropriate directories in the chroot jail. You must
also locate and copy the libraries upon which the support programs rely. In
some cases, such as scripting languages used by Web servers, you'll actually
copy more support program files than server files into the chroot jail.

Device files: Some servers may rely upon access to hardware device files. For
instance, a backup server needs access to your tape device file. A few
libraries and programs require access to special-purpose device files like /dev/zero or /dev/null. Device
files are normally found in /dev. They can't be copied like ordinary files; instead, you should
recreate them in the chroot jail by using the mknod command, as in mknod /opt/chroot/dev/st0 c 9 0. Note that many device files provide great power, so you shouldn't
create device files in a chroot environment unless they're absolutely necessary.

Special filesystems: A few servers may rely upon special filesystems or filesystem
manipulation tools. In particular, some servers need access to the /proc filesystem.
You can't copy this directory like most others. Instead, you must create a
duplicate entry in /etc/fstab for this filesystem, but mounted within the chroot jail.
Do not remove the original /proc filesystem, though; duplicate it! Other
non-chroot programs still require /proc in its usual location. If you can avoid it, you shouldn't duplicate
/proc in this way, because it includes pseudo-files that could give an
attacker substantial power over your computer, even from within a chroot jail.

User database files: Some servers require access to the /etc/passwd, /etc/group, /etc/shadow,
and similar group database information files. Servers that use the Pluggable
Authentication Module (PAM) approach to authentication require the entire PAM
infrastructure, including the /etc/pam.conf file, the contents of /etc/pam.d and
/etc/security, and various libraries with pam in their names in /lib and /lib/security.
Check your PAM package's contents for clues about what you might need to
duplicate. (This package is often called libpam.)

Logging files: If the server creates log files, you should create an appropriate
directory for them. Some servers rely upon syslogd to do their
logging, so you may need to copy this daemon and all its support files into the
chroot jail. Some servers can be configured to do their own logging, even
if they ordinarily rely upon syslogd.

For servers that include explicit internal chroot() support, chances are good that you'll need to copy fewer system files than for
servers that don't include this support. The servers that include internal chroot() calls
can often load libraries, system files, and so on before running, and so don't
need files to be stored in their chroot environments, even if those files
are required for ordinary operation.
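
The directory-tree, server-file and library steps above, put together as an added example that is not from the book: a script that builds the skeleton tree, copies one server binary, and copies only the libraries ldd reports for it. The function names, the LDD override variable and the script name mkjail.sh are hypothetical.

```sh
#!/bin/sh
# Added example (not from the book): populate a chroot jail with one server
# binary and the shared libraries ldd reports for it.
# Note: some ldd versions run the target's loader, so use it on trusted binaries.
LDD=${LDD:-ldd}   # assumption: overridable so canned ldd output can be used

# Read ldd output on stdin; print the absolute path of each resolved library.
# Skips linux-vdso (no file on disk) and "not found" entries.
parse_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Copy one file to the same path under the jail, following symlinks so the
# jail never holds a link that points outside itself.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -pL "$src" "$jail$src"
}

# populate_jail JAIL BINARY: create the skeleton tree, then copy the binary
# and its libraries. Nothing else is copied.
populate_jail() {
    jail=$1; bin=$2
    for d in bin sbin usr lib etc var; do mkdir -p "$jail/$d"; done
    copy_into_jail "$jail" "$bin" || return 1
    $LDD "$bin" | parse_ldd | while IFS= read -r lib; do
        copy_into_jail "$jail" "$lib" || exit 1
    done
}

# List every file in the jail so it can be audited against the minimal set.
jail_manifest() { (cd "$1" && find . -type f | LC_ALL=C sort); }

# Usage (hypothetical script name): sh mkjail.sh /opt/chroot/named /usr/sbin/named
if [ $# -eq 2 ]; then populate_jail "$1" "$2" && jail_manifest "$1"; fi
```

Configuration files, device nodes and log directories still have to be added by hand; the manifest gives a short list to review each time something is added.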

TIP


For best security, take a minimal approach
to support files. Copy only those files you're reasonably certain the server
requires, then try running the server (perhaps with a debugging option to
produce extra debugging output on the console, if the server supports such an
option). This should give you some clues about what extra files might be
required; for instance, the server might complain that it can't find a
configuration file. Add more files as necessary, and you should end up with
the minimal configuration that works.



