chroot

Lecture

Example: Filesystem Isolation

chroot() changes the root directory for a process and its child processes. In other words, it changes the meaning of /.

For example, chroot("/tmp/jail") sets the root directory to /tmp/jail. To access any other directory, we must escape from this sandbox.

For this chapter, we will use busybox for sandboxing purposes. Busybox packs many shell utilities into a single tiny executable. Sometimes it is the entire user space on embedded devices.

Effects of chroot

chroot("/tmp/jail") has two effects on the current process:

  1. Change the meaning of / to /tmp/jail.

  2. Change the meaning of /tmp/jail/.. to /tmp/jail.

In other words, it really makes /tmp/jail a jail that prevents the process from going out.

However, chroot("/tmp/jail") does NOT:

  • Close resources that reside outside of the jail.

  • chdir("/") into the jail.

  • Do anything else!

Pitfall 1: Previously Open Resources

Neither effect of chroot() does anything to previously-open resources. How is this useful?

Similar to open() and execve(), Linux has openat() and execveat():

int open(const char *pathname, int flags, ...);
int openat(int dirfd, const char *pathname, int flags, ...);
int execve(const char *pathname, char *const argv[], char *const envp[]);
int execveat(int dirfd, const char *pathname, char *const argv[], char *const envp[], int flags);

dirfd can be a file descriptor for any directory that was open()ed earlier, or the special value AT_FDCWD, which means the current working directory (note: chroot() does not change the current working directory)!

Pitfall 2: Forgetfulness

The Linux kernel does not keep track of previous chroots for a process. That is, we are able to use chroot again inside a jail. We are going to see how to use this idea to escape from the sandbox in babyjail.

Is chroot Safe?

No. chroot is a historical way of sandboxing. It is not a good choice for modern production environments. However, it is still used in some scenarios, so it is worth learning.

Generally, a user with an effective ID of 0 (i.e., a process run as root or SUIDed to root) can always break out of a chroot, unless the chroot syscall is blocked!
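Putting the two pitfalls and the root caveat together, here is an added example (not from the lecture notes) of the sequence a program should run to enter a chroot jail properly: close descriptors opened outside the jail, chdir("/") after chroot, and drop root so the jailed process can no longer call chroot() again. The jail path, target uid and gid are assumed to be supplied by the caller; the helpers scan descriptors up to sysconf(_SC_OPEN_MAX) rather than using any Linux-only close_range call.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Upper bound for descriptor scans; falls back to 1024 if sysconf fails. */
static long fd_limit(void) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    return maxfd < 0 ? 1024 : maxfd;
}

/* Close every descriptor at or above 'lowest'; returns how many were closed.
   chroot() leaves earlier descriptors usable, so a directory opened before
   the call would remain a handle on the filesystem outside the jail. */
int close_fds_from(int lowest) {
    int closed = 0;
    for (long fd = lowest; fd < fd_limit(); fd++)
        if (close((int)fd) == 0) closed++;
    return closed;
}

/* Count descriptors still open at or above 'lowest' (pre-chroot audit). */
int count_open_fds_from(int lowest) {
    int n = 0;
    for (long fd = lowest; fd < fd_limit(); fd++)
        if (fcntl((int)fd, F_GETFD) != -1) n++;
    return n;
}

/* Enter the jail. Returns 0 on success, -1 with errno set otherwise.
   Assumed inputs: an existing jail directory and an unprivileged uid/gid. */
int enter_jail(const char *jail, uid_t uid, gid_t gid) {
    if (geteuid() != 0) { errno = EPERM; return -1; } /* chroot() needs root */
    close_fds_from(3);                         /* pitfall 1: drop outside handles */
    if (chroot(jail) != 0) return -1;
    if (chdir("/") != 0) return -1;            /* chroot() does not chdir for us */
    if (setgroups(0, NULL) != 0) return -1;    /* shed supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* pitfall 2 / root caveat: if we can still become root, the process could
       chroot() again and walk out, so treat that as a failure. */
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}
```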

A replacement for chroot is seccomp and we will be covering it in the next section.
