Factbites
 Where results make sense

Topic: Chroot



  
  Securing Debian Manual - Chroot environment for SSH
Chrooting the ssh users, by properly configuring the ssh daemon you can ask it to chroot a user after authentication just before it is provided a shell.
Chrooting the ssh server, since you chroot the ssh application itself all users are chrooted to the defined environment.
Notice that, unlike the case in which you setup a per-user chroot, the ssh daemon is running in the same chroot as the users so there is at least one potential process running as root which could break out of the chroot.
www.debian.org /doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html   (1639 words)

  
  Chroot - Wikipedia, the free encyclopedia
In practice, chrooting is complicated by programs expecting at startup to find scratch space, configuration files, device nodes and shared libraries at certain preset locations.
To allow programs to spawn inside the chroot directory, it must be populated with a minimum set of these files, preferably carefully chosen so as not to allow unintended access to the outside system.
A chroot can be used as a pre-emptive way of containing a security breach by preventing a would-be attacker from doing any damage or probing the host system with a compromised program.
en.wikipedia.org /wiki/Chroot   (584 words)

  
 Building a Secure User Environment with SSH ChRootGroups
Should the daemon be compromised, a properly chrooted environment will minimize the damage an attacker can do, or at least serve as another obstacle in their path.
Chroot is also a popular feature in many ftp daemons; granting users access to only a limited portion of the filesystem.
Thus far, chroot has not been widely used for creating secure user environments; the difficulties involved with creating a functional cage are an obstacle that still needs to be overcome.
www.securityfocus.com /infocus/1404   (2713 words)

  
 ONLamp.com: Securing Systems with chroot
This environment is known as a chroot jail.
This is why, when chrooting a process, the user ID should always be changed to a non-privileged user.
To patch a chroot'ed environment the only solution I see is to install the patch in the non-chrooted environment and to replace (manually again !!) the vulnerable libraries, executable and configuration files.
www.onlamp.com /pub/a/bsd/2003/01/23/chroot.html   (1380 words)

  
 Building the LNX-BBC in a known-good chroot environment.   (Site not responding. Last check: 2007-11-02)
A copy of this chroot is at http://zork.net/~sneakums/Debian-3.0r1.tar.bz2; it's about 34M compressed, 125M uncompressed, and contains all of the packages I have found necessary to complete a build (for reference: the Debian base system, plus build-essential, rsync, wget, bison, flex, texinfo, gettext, unzip, bzip2, ccache and bin86).
Using the chroot is fairly straightforward, although I should really wrap some of this up in a script for convenience.
This is especially important for the unpacking of the chroot, since otherwise device nodes will not be created and the permissions will be all wrong.
www.lnx-bbc.org /chroot.html   (561 words)

  
 lf225, SystemAdministration: Chrooting All Services in Linux   (Site not responding. Last check: 2007-11-02)
The reason why I consider chroot (with a non-root service) to be a line of defense is, if someone breaks in under a non-root account, and there are no files which they can use to break into root, then they can only limit damage to the area they break in.
Also, you can chroot the service you are installing and manually start it to see what errors you get or look at its log files.
I am in 100% complete support of the idea that all services should be chrooted with non-root accounts and that any distribution that doesn't do this is less than proper for me to use in a production environment.
www.linuxfocus.org /English/January2002/article225.shtml   (2158 words)

  
 TWikIWeThey . Main . DebianChrootInstall   (Site not responding. Last check: 2007-11-02)
A chroot changes the system root for the chrooted process (your chroot shell) and its children.
So while you will be configuring, say, networking and module support for the new install while in the chroot, you won't actually be applying these configurations until after you boot into the chroot (or move the chroot drive to a target system and boot it).
Your chroot mountpoint itself is generally not mounted under the chroot, but under the host system.
twiki.iwethey.org /twiki/bin/view/Main/DebianChrootInstall   (3071 words)

  
 CHROOT   (Site not responding. Last check: 2007-11-02)
For a trivial chroot, nothing in the new environment will work, since programs no longer have access to any hardware or operating system libraries or services.
It is used to halt crackers, or to test new and as yet unreliable programmes which might otherwise trash the system.
It is licensed under the GNU free documentation license.
www.yotor.org /wiki/en/ch/Chroot.htm   (251 words)

  
 Security Pipeline | Secure Enterprise | How-To | Deployment Guide: Jail Time
Chroot creates a holding cell, known as chroot jail, for a user's session, such as an FTP session.
Chroot, meanwhile, assumes users (except the root user, who's exempt from chroot) connect for specific, limited functions, such as FTP or HTTP, and can't be trusted.
Although any service can utilize chroot, the accompanying steps focus on installing and configuring chroot for FTP, which is commonly exploited because of security holes in the protocol and implementations.
nwc.securitypipeline.com /howto/showArticle.jhtml?articleId=15306130   (926 words)

  
 Nuclear Elephant: Chrooting daemons and system processes HOW-TO   (Site not responding. Last check: 2007-11-02)
The command/function chroot is short for 'change root', and is designed to change the filesystem root for the environment it is applied to.
Chrooting can also be used to jail system daemons to help prevent them from being viable targets for hackers.
Technically you can chroot anything you like including your mother's casserole, but in some cases chrooting is not always possible without "breaking" something, or in other circumstances, without an elaborate nonconventional configuration not worth the trouble.
www.nuclearelephant.com /papers/chroot.html   (4628 words)

  
 Chroot at opensource encyclopedia   (Site not responding. Last check: 2007-11-02)
The command chroot, like many unix commands, is extremely simple in its operation, but extremely versatile in its application.
All chroot does is -for all child processes- replace the root directory on a unix system with one of the operators' choosing.
For a trivial chroot, nothing in the new environment will work, since programmes no longer have access to any hardware or operating system libraries or services.
wiki.tatet.com /Chroot.html   (290 words)

  
 Using Chroot Securely - The Community's Center for Security
Chroot shell command changes the root directory for a process, goes into this directory and then starts a shell or a user-specified command.
Chrooting shell users is possible if there is a business need to keep them in some particular directory.
First, the more software is deployed within chroot environment, the more dangerous it becomes, since it is hard to keep track of programs that can be used by the attacker to elevate permission and escape.
www.linuxsecurity.com /content/view/117632/49   (1392 words)

  
 32-Bit Chroot How-To - Ubuntu Forums
When you run synaptic32 from your main environment it will chroot execute it and all installations will be made to your 32 bit environment.
If you want to be able to easily launch 32 bit chroot apps from your 64 bit environment symlink the app name to /usr/local/bin/do_dchroot.
In my case, I also had to add my username to the right group to have permission to write to /dev/dsp; but that was because I was using my old Mandrake system as the chroot, and it used a different number for the audio group.
www.ubuntuforums.org /showthread.php?s=527919a42c5acdf1b1f5eea4d17bac64&t=24575   (1093 words)

  
 To chroot or not to chroot
Chroot is a Unix system call that re-maps the application's / (root) directory and further restricts the program to access only files in that directory and its children -- file access outside the chrooted environment is restricted.
If a chrooted program has a file handle open before the chroot call is invoked, that file handle remains open across the chroot and could potentially become a gateway out of the sandbox.
In conclusion, to chroot is typically better than not to chroot.
searchsecurity.techtarget.com /tip/1,289483,sid14_gci845923,00.html   (632 words)

  
 Commands Reference, Volume 1 - chroot Command
The chroot command can be used only by a user operating with root user authority.
Even if the chroot command is in effect, the Directory path name is relative to the current root of the running process.
It is your responsibility to ensure that all vital data files are present in the new root file system and that the path names accessing such files are changed as necessary.
publibn.boulder.ibm.com /doc_link/en_US/a_doc_lib/cmds/aixcmds1/chroot.htm   (464 words)

  
 Haught.org :: Howtos :: Chroot Apache
Chrooting makes a program believe that the root of the file system is higher up in the hierarchy.
Chroots are not perfect and can be broken out of, so special care should be taken with what files are held within the chroot.
I have also chrooted bind8/9, thttpd, dhcpd, and msession using the same technique.
www.haught.org /freebsdapache.php   (730 words)

  
 [No title]   (Site not responding. Last check: 2007-11-02)
Since we will be using a "chroot jail", all files that Unison needs to work with (including the executable itself, and the .unison directory) will be under this home directory.
The first part, "/usr/sbin/chroot /home/unison" (double-check that chroot is in the same place on your system), creates the "chroot jail", making it appear that "/home/unison" is the root directory.
If you want to set up without chroot, just remove the "/usr/sbin/chroot /home/unison" from the xinetd configuration file, and change all other paths to be absolute instead of with the implied relative /home/unison.
www.cis.upenn.edu /~bcpierce/unison/download/resources/xinetd-chroot-howto.txt   (1538 words)

  
 Linux.com | Chrooting Apache
The advantage in chrooting a process is not in preventing a breakin, but rather in containing a potential threat.
Before deciding whether you need to chroot your Web server you should consider the advantages and disadvantages of such a setup.
A chroot environment is more difficult to set up than a traditional install, especially if you run external software such as Perl, PHP, MySQL, or Python.
docs.linux.com /4/04/05/24/1450203.shtml?tid=2   (1194 words)

  
 Slashdot | Chroot Jails Made Easy
The chroot jail approach is pretty cool, and gives a great layer of security for the system too.
Chroot is ordinary chroot, the same as in linux.
Chroot is a valid tool in the direction of more secure.
developers.slashdot.org /developers/02/10/11/2054201.shtml?tid=172   (3400 words)

  
 Chroot-BIND8 HOWTO
This document describes installing the BIND 8 nameserver to run in a chroot jail and as a non-root user, to provide added security and minimise the potential effects of a security compromise.
When you run BIND (or any other process) in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail.
The idea behind running BIND in a chroot jail is to limit the amount of access any malicious individual could gain by exploiting vulnerabilities in BIND.
www.cs.wisc.edu /niagara/data/lindoc/Chroot-BIND8-HOWTO.xml   (2634 words)

  
 chroot   (Site not responding. Last check: 2007-11-02)
'chroot' runs a command with a specified root directory.
SYNTAX chroot [-u -user] [-g -group] [-G -group,group,...] newroot [command] [ARGS] Options -u Set the USER to user after the chroot has taken place.
The chroot command changes its root directory to the supplied directory newroot and exec's command, if supplied, or an interactive copy of your shell.
www.ss64.com /osx/chroot.html   (147 words)

  
 mod_chroot   (Site not responding. Last check: 2007-11-02)
If you configure your chroot jail properly, Apache and its child processes (think CGI scripts) won't be able to access anything except the jail.
A non-root process is not able to leave a chroot jail.
The chroot() system call is performed at the end of startup procedure - when all libraries are loaded and log files open.
core.segfault.pl /~hobbit/mod_chroot   (457 words)

  
 Daemon News '200110' : '"Running BIND9 in a chroot cage using NetBSD's new startup system "'
When running the "named" daemon in a chroot cage, there are a few system files needed to run it, and they need to be present in the chroot directory.
We also need to tell the system to start our "named" in a chroot dir, and to give the "named" daemon a command to change to the "named" user privileges after initial startup.
While trying to set the chroot cage for "named", I ran into a small problem with how to determine under which user the daemon should run.
ezine.daemonnews.org /200110/named-chroot.html   (1514 words)

  
 Gentoo Forums :: View topic - Firewall & Chroot Jail
Though if something runs as root, chrooting it would stop someone for all of half a second (it's easy for root to break out of chroot).
chroot has many uses but it is not intended as a security tool.
"chroot jail" is one of those silly terms that people latch on to because they think it makes them sound smart.
forums.gentoo.org /viewtopic.php?t=384952   (504 words)

  
 [No title]   (Site not responding. Last check: 2007-11-02)
The basic trick is to chroot again, while holding open a file descriptor that points to a directory outside the new chroot; then, fchdir() to the open file descriptor, repeatedly chdir("..") until you hit the real "/", and chroot(".").
A chrooted process should be allowed to connect to any socket it can see within its chroot (i.e., a process chrooted to /chroot should be able to connect to a socket named /chroot/tmp/socket that is opened by a process running with / as its root directory).
Ideally if a process within a chroot adds a swap space to the system it should only be visible within that chroot, but that's asking way too much of the VM layer.
packetstormsecurity.nl /mag/napalm/napalm-12.txt   (9707 words)

  
 chroot login HOWTO
This document describes one way to set up a chroot jail on your target system suitable for running gcc and glibc remote regression tests (or many other purposes).
Specific users can be configured such that the moment they log in, a wrapper program (see chrootshell.c) jails the user in his home directory using the chroot system call, looks up his record in the jail's private /etc/passwd file, and uses it to set his current directory and transfer control to his preferred shell.
Once a jail has been set up for the user you plan to run the remote tests as, and it has passed all the above tests, you should be able to blow away the old jail's contents, and recreate the jail remotely filled with the system shared libraries you plan to test.
www.kegel.com /crosstool/current/doc/chroot-login-howto.html   (1905 words)

  
 Best Practices for UNIX chroot() Operations
This document touches on how chroot works and discusses some best practices that developers and administrators can use to make their installations more secure.
A chroot jail is not impervious to escape, but it is not easy and requires root permission in the jail itself, so we must take steps to limit this possibility.
A daemon that has its own internal chroot can often park the executable located outside the jail: this is a big win because an intruder is not able to ever infect the binary directly.
www.unixwiz.net /techtips/chroot-practices.html   (1898 words)

  
 Chroot-BIND HOWTO
When you run BIND (or any other process) in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail.
Because the chroot process is much simpler with BIND 9, I have started to expand this document slightly, to include more general tips about securing a BIND installation.
daemon, all the paths are of course relative to the chroot jail.
www.faqs.org /docs/Linux-HOWTO/Chroot-BIND-HOWTO.html   (2803 words)

  
 Securing Apache: Step-by-Step
Generally, the chrooting technique means creating a new root directory structure, moving all daemon files to it, and running the proper daemon in that new environment.
A chrooted environment has also one more important advantage - immunity to the large number of exploits, mainly because of lack of the shell (/bin/sh, /bin/csh etc.).
Even if an intruder succeeds in executing system commands, escaping the chrooted environment could turn out to be quite a problem.
www.securityfocus.com /infocus/1694   (2220 words)

  
 How to create a Slackware environment using chroot   (Site not responding. Last check: 2007-11-02)
A fairly minimal Slackware Linux environment in a chroot install such as this could have a few purposes.
The chroot environment is in many ways like an entire, distinct machine of its own.
This chroot command puts you in as the root user within the chroot environment.
hacktavista.com /howto/chroot_slackware.html   (1798 words)

Copyright © 2005-2007 www.factbites.com Usage implies agreement with terms.