Thursday, June 16, 2016

chroot jail : First step for jail

The jail mechanism is an implementation of operating system-level virtualization that allows administrators to partition a computer system into several independent mini-systems called jails.

A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The modified environment is called a chroot jail.

A chroot environment can be used to create and host a separate virtualized copy of the software system. This can be useful for testing and development, dependency control, compatibility, recovery, and privilege separation.


The actual jail development consisted of five parts:

1. Making sure you don’t escape the chroot/jail
2. Restricting process visibility
3. Deciding what “root” can and cannot do in a jail
4. Teaching certain device drivers about jails
5. Giving each jail its own IP number.


Steps to create a chroot jail for another flavor of Linux
Step 1. Have a Linux host machine.

Step 2. Copy the root filesystem of any other flavor of Linux (e.g. Ubuntu) into a directory:
[root@localhost ~]# cd /home/ajay/ws/chroot/ubuntu/rootfs/
a.txt      boot/      etc/       lib/       media/     opt/       root/      selinux/   sys/       tmp/       var/
bin/       dev/       home/      lib64/     mnt/       proc/      sbin/      srv/       test.test  usr/

Step 3. Use the chroot command. It will change the prompt as shown below, with "/" as the working directory.
[root@localhost chroot]# chroot /home/ajay/ws/chroot/ubuntu/rootfs/
groups: cannot find name for group ID 490
root@localhost:/# 

Step 4. Mount the devices.
If I run a command without mounting /proc first:
root@localhost:/# ps -ef | grep vim
Cannot find /proc/version - is /proc mounted?

So mount them:
root@localhost:/# mount -t proc proc /proc/
root@localhost:/# mount -t sysfs sys /sys/
root@localhost:/# mount -o bind /dev /dev/

Now the chroot environment uses the Ubuntu libraries. Enjoy.

Exit from the chroot jail:
root@localhost:/# umount /proc
root@localhost:/# umount /sys
root@localhost:/# umount /dev
root@localhost:/# exit
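The same enter-and-mount sequence as Steps 3 and 4, as an added example that is not part of the original post: proc, sys and dev are mounted from the host side before the chroot and unmounted again on exit, so an aborted session does not leave them mounted inside the tree. The rootfs path is assumed to be given on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): enter an extracted rootfs as in
# Steps 3-4 above, but with proc, sys and dev mounted from the host side before
# the chroot and unmounted again on exit, so an aborted session does not leave
# them mounted inside the tree. The rootfs path is given on the command line.

# Preflight check: the tree needs a shell to exec and directories to mount on.
rootfs_ok() {
    root=$1
    for d in proc sys dev; do
        [ -d "$root/$d" ] || { echo "missing $root/$d" >&2; return 1; }
    done
    [ -x "$root/bin/bash" ] || { echo "missing $root/bin/bash" >&2; return 1; }
}

mount_jail_fs() {
    root=$1
    mount -t proc proc "$root/proc"
    mount -t sysfs sys "$root/sys"
    mount -o bind /dev "$root/dev"
}

# Unmount in reverse order; ignore entries that were never mounted.
umount_jail_fs() {
    root=$1
    for m in dev sys proc; do umount "$root/$m" 2>/dev/null || true; done
}

# Usage (as root): sh jail.sh enter /home/ajay/ws/chroot/ubuntu/rootfs
enter_jail() {
    root=$1
    rootfs_ok "$root" || return 1
    mount_jail_fs "$root"
    trap 'umount_jail_fs "$root"' EXIT INT TERM
    chroot "$root" /bin/bash
}

if [ "${1-}" = "enter" ]; then enter_jail "$2"; fi
```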

Caution: chroot should only be used for processes that don't run as root, as a root user can break out of the jail very easily. The jail's files are fully accessible from the host's real root filesystem, so all of them are visible and modifiable from outside.

Important terms to know in order to improve the solution
Operating-system-level virtualization is a server virtualization method in which the kernel of an operating system allows the existence of multiple isolated user-space instances, instead of just one. Such instances, which are sometimes called containers, software containers, virtualization engines (VEs) or jails (FreeBSD jail or chroot jail), may look and feel like a real server from the point of view of their owners and users.

On Unix-like operating systems, this technology can be seen as an advanced implementation of the standard chroot mechanism. In addition to isolation mechanisms, the kernel often provides resource-management features to limit the impact of one container's activities on other containers.

Operating-system-level virtualization is not as flexible as other virtualization approaches since it cannot host a guest operating system different from the host one, or a different guest kernel. For example, with Linux, different distributions are fine, but other operating systems such as Windows cannot be hosted.

The storage hypervisor, a centrally-managed supervisory software program, provides a comprehensive set of storage control and monitoring functions that operate as a transparent virtual layer across consolidated disk pools to improve their availability, speed and utilization.

One more example:
[root@localhost chroot]# mkdir linx

[root@localhost chroot]# cd linx

[root@localhost linx]# mkdir bin lib dev tmp

[root@localhost linx]# chmod a=rwx tmp   [making it accessible to every user and process]
[root@localhost linx]# ls -lrt
total 16
drwxrwxrwx 2 root root 4096 Jun 16 16:49 tmp
drwxr-xr-x 2 root root 4096 Jun 16 16:49 lib
drwxr-xr-x 2 root root 4096 Jun 16 16:49 dev
drwxr-xr-x 2 root root 4096 Jun 16 16:52 bin

This jail will be restricted to limited rights (only the programs copied in below).

[root@localhost linx]#  cp /bin/bash /bin/ls bin

[root@localhost linx]# ldd bin/*
bin/bash:
        linux-vdso.so.1 =>  (0x00007fff0f9c8000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003b28a00000)
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003b1b200000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003b1ae00000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003b1a600000)
bin/ls:
        linux-vdso.so.1 =>  (0x00007fffe7ee3000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003b1c600000)
        librt.so.1 => /lib64/librt.so.1 (0x0000003b1be00000)
        libcap.so.2 => /lib64/libcap.so.2 (0x0000003b1de00000)
        libacl.so.1 => /lib64/libacl.so.1 (0x0000003b2a200000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003b1ae00000)
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003b1b200000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003b1a600000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003b1b600000)
        libattr.so.1 => /lib64/libattr.so.1 (0x0000003b29600000)

[root@localhost linx]#  cp /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 /lib64/libselinux.so.1 /lib64/librt.so.1 /lib64/libcap.so.2 /lib64/libacl.so.1 /lib64/libpthread.so.0 /lib64/libattr.so.1 lib/

Populating the jail with two basic devices:
[root@localhost linx]#  ls -l /dev/null /dev/zero
crw-rw-rw- 1 root root 1, 3 Jun 10 15:01 /dev/null
crw-rw-rw- 1 root root 1, 5 Jun 10 15:01 /dev/zero

[root@localhost linx]# mknod dev/null c 1 3
[root@localhost linx]# mknod dev/zero c 1 5

[root@localhost linx]# ls -lrt dev/*
crw-r--r-- 1 root root 1, 3 Jun 16 17:01 dev/null
crw-r--r-- 1 root root 1, 5 Jun 16 17:01 dev/zero

[root@localhost linx]# chmod a=rw dev/null dev/zero

[root@localhost linx]# ls -lrt dev/*
crw-rw-rw- 1 root root 1, 3 Jun 16 17:01 dev/null
crw-rw-rw- 1 root root 1, 5 Jun 16 17:01 dev/zero

[root@localhost linx]# chroot /home/ajay/ws/chroot/linx
chroot: failed to run command `/bin/bash': No such file or directory

An error occurred. Check the ldd output above: all the libraries live in the lib64 folder on the host, so rename the lib folder to lib64.

[root@localhost linx]# mv lib lib64

[root@localhost linx]# chroot /home/ajay/ws/chroot/linx
bash-4.1# pwd
/

bash-4.1#

Welcome to the chroot jail. Now build customized applications on top of it.
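The hand-built linx jail above, automated as an added example that is not part of the original post: each binary's ldd dependencies are copied to the same path inside the jail as on the host, so the libraries land in lib64/ (or lib/) wherever the loader expects them and the "failed to run command" error does not occur. Jail path and binaries are assumed to be given on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): build a minimal jail like the
# linx one above from a list of binaries, copying each ldd dependency to the
# same path inside the jail as it has on the host. That puts the libraries in
# lib64/ (or lib/) wherever the loader expects them, avoiding the
# "chroot: failed to run command `/bin/bash'" error the post hit.

# Parse `ldd` output on stdin and print one absolute library path per line.
# Handles "libc.so.6 => /lib64/libc.so.6 (0x...)" and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; the virtual linux-vdso entry is skipped.
ldd_paths() {
    awk '/=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy one host file into the jail at the same relative path.
install_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp "$src" "$jail$src"
}

# Copy a binary plus every shared library ldd reports for it.
install_with_deps() {
    jail=$1; bin=$2
    install_into_jail "$jail" "$bin"
    for lib in $(ldd "$bin" | ldd_paths); do
        install_into_jail "$jail" "$lib"
    done
}

# Same two device nodes as the post (char 1,3 and 1,5), world read/write.
make_dev_nodes() {
    jail=$1
    mkdir -p "$jail/dev"
    [ -e "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
    [ -e "$jail/dev/zero" ] || mknod -m 666 "$jail/dev/zero" c 1 5
}

# Usage (as root): sh mkjail.sh build /home/ajay/ws/chroot/linx /bin/bash /bin/ls
build_jail() {
    jail=$1; shift
    mkdir -p "$jail/tmp" && chmod 1777 "$jail/tmp"   # world-writable tmp, with the sticky bit
    for b in "$@"; do install_with_deps "$jail" "$b"; done
    make_dev_nodes "$jail"
}

if [ "${1-}" = "build" ]; then shift; build_jail "$@"; fi
```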
