Chroot Command: A brief analysis

‘chroot’, which stands for “change root”, is a command used on Linux/Unix systems. It changes the apparent root directory of a process and its child processes. By changing the root directory, we change which part of the filesystem is visible to the running process.

The ‘chroot’ command is mostly used when a system has boot issues, because it lets us change into that system's root filesystem and perform repairs without booting into the actual system. It was introduced during the development of Version 7 Unix in 1979.

In this article, we will go through a sample demo of how to use chroot and the scope of filesystem visibility inside it.

1. First, I’m going to create a home directory for a user named test-user, with bin and lib64 directories in it.


[root@my-test-lab-1 ~]# mkdir -p /home/test-user/{bin,lib64}
[root@my-test-lab-1 ~]# 
[root@my-test-lab-1 ~]#

2. Next, I’m creating a new group named test-group and a user named test-user.

[root@my-test-lab-1 ~]# groupadd test-group
[root@my-test-lab-1 ~]# 
[root@my-test-lab-1 ~]# useradd -g test-group test-user
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@my-test-lab-1 ~]# ls -ad /home/test-user/
/home/test-user/
[root@my-test-lab-1 ~]# ls -al /home/test-user/
total 0
drwxr-xr-x. 4 root root 30 May 31 16:26 .
drwxr-xr-x. 5 root root 55 May 31 16:26 ..
drwxr-xr-x. 2 root root  6 May 31 16:26 bin
drwxr-xr-x. 2 root root  6 May 31 16:26 lib64
[root@my-test-lab-1 ~]# 
[root@my-test-lab-1 ~]# id test-user
uid=1002(test-user) gid=1002(test-group) groups=1002(test-group)
[root@my-test-lab-1 ~]# 

3. Then I’m going to copy the ls and bash binaries to /home/test-user/bin and their libraries to the lib64 directory. The library dependencies of a binary can be found using the ldd command. I’m also creating a sample text file named magic.txt inside the home directory of the user test-user.

[root@my-test-lab-1 ~]# ldd /bin/bash
        linux-vdso.so.1 (0x00007ffcadffa000)
        libtinfo.so.6 => /lib64/libtinfo.so.6 (0x00007f0ac0e39000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f0ac0c35000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f0ac0870000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f0ac1384000)
[root@my-test-lab-1 ~]# 
[root@my-test-lab-1 ~]# ldd /bin/ls
        linux-vdso.so.1 (0x00007ffd7ddac000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f09c3433000)
        libcap.so.2 => /lib64/libcap.so.2 (0x00007f09c322d000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f09c2e68000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f09c2be4000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f09c29e0000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f09c3880000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f09c27c0000)
[root@my-test-lab-1 ~]# 
[root@my-test-lab-1 ~]# 
[root@my-test-lab-1 ~]# cp -v /lib64/libtinfo.so.6   /lib64/libselinux.so.1 /lib64/libcap.so.2 /lib64/libc.so.6 /lib64/libpcre2-8.so.0 /lib64/libdl.so.2 /lib64/ld-linux-x86-64.so.2 /lib64/libpthread.so.0 /home/test-user/lib64/
'/lib64/libtinfo.so.6' -> '/home/test-user/lib64/libtinfo.so.6'
'/lib64/libdl.so.2' -> '/home/test-user/lib64/libdl.so.2'
'/lib64/libc.so.6' -> '/home/test-user/lib64/libc.so.6'
'/lib64/ld-linux-x86-64.so.2' -> '/home/test-user/lib64/ld-linux-x86-64.so.2'
'/lib64/libselinux.so.1' -> '/home/test-user/lib64/libselinux.so.1'
'/lib64/libcap.so.2' -> '/home/test-user/lib64/libcap.so.2'
cp: warning: source file '/lib64/libc.so.6' specified more than once
'/lib64/libpcre2-8.so.0' -> '/home/test-user/lib64/libpcre2-8.so.0'
'/lib64/libpthread.so.0' -> '/home/test-user/lib64/libpthread.so.0'
[root@my-test-lab-1 ~]# 
[root@my-test-lab-1 ~]# 
[root@my-test-lab-1 ~]# 
[root@my-test-lab-1 ~]# cp /usr/bin/ls /home/test-user/bin/
[root@my-test-lab-1 ~]# cp /usr/bin/bash /home/test-user/bin/
[root@my-test-lab-1 ~]# 
[root@my-test-lab-1 test-user]# echo "This is the magic of chroot command" > magic.txt
[root@my-test-lab-1 test-user]# 
[root@my-test-lab-1 test-user]# ls -al
total 4
drwxr-xr-x. 4 root root  47 May 31 16:47 .
drwxr-xr-x. 5 root root  55 May 31 16:26 ..
drwxr-xr-x. 2 root root  28 May 31 16:43 bin
drwxr-xr-x. 2 root root 178 May 31 16:42 lib64
-rw-r--r--. 1 root root  36 May 31 16:47 magic.txt
[root@my-test-lab-1 test-user]# 

4. Now we are all set to enter the chrooted environment. Pressing CTRL+D exits the shell.

[root@my-test-lab-1 test-user]# chroot /home/test-user/ /bin/bash
bash-4.4# ls 
bin  lib64  magic.txt
bash-4.4# pwd
/
bash-4.4# cd .. ; pwd
/
bash-4.4# 

5. We can add the match condition below to /etc/ssh/sshd_config for the group we created, so that users who are part of the group are logged in to the chrooted environment on the host.

Match group test-group
        ChrootDirectory /home/test-user
        X11Forwarding no
        AllowTcpForwarding no

Here is the result when I tried to log in to the same machine as test-user. We landed directly in the chrooted environment that was created earlier.

jobinpeter@initbias ~ % ssh test-user@**.**.**.***
(test-user@54.219.86.168) Password:
Last login: Wed May 31 16:58:49 2023 from ***.**.**.***
-bash-4.4$ pwd
/
-bash-4.4$
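
sshd only accepts a ChrootDirectory whose every path component is a root-owned directory that is not writable by group or others, which the root:root 755 listing of /home/test-user above satisfies. The check below is an added example, not part of the original article; it assumes GNU or BusyBox stat, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory path.
# Assumes GNU or BusyBox stat (-c format strings). Function names are illustrative.

# component_ok UID MODE: succeed only for a root-owned entry without
# group/other write. MODE is octal text as printed by `stat -c %a` (755, 1777, ...).
component_ok() {
    [ "$1" = 0 ] || return 1
    case $2 in
        *[2367]?) return 1 ;;   # second-to-last digit has the write bit: group-writable
        *[2367])  return 1 ;;   # last digit has the write bit: world-writable
    esac
    return 0
}

# check_chroot_path DIR: test DIR and every parent up to /, reporting each one.
check_chroot_path() {
    p=$1
    case $p in /*) ;; *) echo "need an absolute path: $p" >&2; return 2 ;; esac
    rc=0
    while :; do
        [ -d "$p" ] || { echo "FAIL $p: not a directory"; return 1; }
        set -- $(stat -L -c '%u %a' "$p")
        if component_ok "$1" "$2"; then
            echo "ok   $p (uid=$1 mode=$2)"
        else
            echo "FAIL $p (uid=$1 mode=$2)"; rc=1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Usage on the host from this article: check_chroot_path /home/test-user
```

Run it before restarting sshd; a FAIL line names the component whose owner or mode has to be corrected.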

Before winding up this article, I would like to point out a few important things about chroot.

  • The chroot command requires root privilege.
  • It doesn’t modify the actual root directory of the system. It only affects the current process and its children.
  • chroot can be used to create a minimal environment inside the new root directory, but we need to ensure that all necessary binaries, files, and libraries, along with their dependencies, are present in the new root structure in order to avoid errors while executing commands.
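
Step 3 and the last point above both depend on getting every library into the new root. The script below is an added example, not from the original article: it generalizes the manual copy to any list of binaries by parsing ldd output, and it deduplicates paths so the "specified more than once" warning seen in step 3 does not occur. The function names are illustrative.

```shell
#!/bin/sh
# Added example: copy binaries and the shared libraries ldd reports into a chroot tree.
# Function names are illustrative; run as root when NEWROOT is root-owned.

# ldd_paths: read `ldd` output on stdin, print each library path once.
# Two line shapes carry a path: "name => /path (0x...)" and "/path (0x...)"
# (the dynamic loader). linux-vdso has no file on disk and is skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | LC_ALL=C sort -u
}

# populate_chroot NEWROOT BINARY...: binaries go to NEWROOT/bin, libraries keep
# their absolute path under NEWROOT so the loader finds them after chroot.
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
        deps=$(ldd "$bin" 2>/dev/null) || deps=""   # static binary: no libraries
        if printf '%s\n' "$deps" | grep -q 'not found'; then
            echo "unresolved library for $bin" >&2; return 1
        fi
        mkdir -p "$root/bin" && cp -L "$bin" "$root/bin/" || return 1
        printf '%s\n' "$deps" | ldd_paths | while IFS= read -r lib; do
            mkdir -p "$root$(dirname "$lib")" && cp -L "$lib" "$root$lib"
        done
    done
}

# Usage matching the article: populate_chroot /home/test-user /usr/bin/bash /usr/bin/ls
```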

If you want to refer to the man page for the chroot command, this is the link.

We will see you with other topics soon.
Adios Amigo !!!
