Linux chroot Command Tutorial

Linux processes can access the whole root directory tree by default. In some cases, however, a process needs to be restricted to a specified directory or path. The chroot command changes the root directory of the specified process to a different, fake one. For example, to restrict the bash process so that it can access only the /home/ismail/bash root directory and no other directories, the chroot command can be used.

chroot Command Syntax

The chroot command has the following syntax where the chrooted command or binary is provided as the last parameter.

chroot OPTIONS JAIL_PATH COMMAND
  • OPTIONS are the chroot command options that provide user and group information.
  • JAIL_PATH is the path that becomes the jail for the specified COMMAND.
  • COMMAND is the command that is jailed to the specified JAIL_PATH.

Create Jail Path

The first step is creating a jail path, or jail root directory. In the following example, we create the jail path /home/ismail/jail; the process can only access files inside this directory.

$ mkdir /home/ismail/jail

Create Jail Directories

Generally, the jail path contains multiple directories in order to store files, libraries, binaries etc. We should create these directories.

$ mkdir /home/ismail/jail/{bin,lib}

Copy Files and Binaries to Jail Directories

In this step, we copy the binaries or files which run in the jailed environments into the jail directories. In the following example we copy the bash and ls binaries.

$ cp /bin/{bash,ls} /home/ismail/jail/bin

List Shared Libraries for Process/Binary

Binaries or processes generally require some shared libraries, which should also be provided inside the jail directories. The ldd command can be used to list the required libraries for a specific binary or library.

$ ldd /bin/bash

Copy Required Libraries

In this step, we copy all required libraries into the jailed lib directory.

$ cp /lib/x86_64-linux-gnu/libtinfo.so.6 /home/ismail/jail/lib/
...

Chroot Process/Binary Into Jail

The last step is jailing a specific command or binary with the chroot command. We provide the jail path and the command or binary we want to chroot or jail. In the following example, we jail the bash binary by providing its complete path.

$ sudo chroot /home/ismail/jail /bin/bash
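
The steps above as one script, added here as an example and not part of the original tutorial: it copies each binary together with every library ldd reports (including the dynamic loader) to the same path inside the jail. The script name mkjail.sh, the function names and the 1000:1000 UID:GID are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Only run ldd on binaries you trust: it may execute code from the file.

# Print the absolute path of every shared object BIN needs, including the
# dynamic loader (for example /lib64/ld-linux-x86-64.so.2).
jail_libs() {
    # ldd prints "name => /path (0x...)" or "/path (0x...)"; keep the paths.
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }
        $1 ~ /^\//               { print $1 }' | sort -u
}

# build_jail JAIL BIN...: copy each binary and its libraries into JAIL,
# mirroring the host paths so the loader finds them after chroot.
build_jail() {
    jail=$1; shift
    mkdir -p "$jail" || return 1
    for bin in "$@"; do
        if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
            echo "not an executable file: $bin" >&2
            return 1
        fi
        { printf '%s\n' "$bin"; jail_libs "$bin"; } |
        while IFS= read -r f; do
            # -L copies the real file when the host path is a symlink.
            mkdir -p "$jail$(dirname "$f")" && cp -L "$f" "$jail$f" || exit 1
        done || return 1
    done
}

# Script entry point (hypothetical name mkjail.sh): ./mkjail.sh JAIL BIN...
[ "$#" -lt 2 ] || build_jail "$@"

# Then enter the jail as an unprivileged user, because root inside a chroot
# can escape it. 1000:1000 is an assumed UID:GID; substitute your own.
#   ./mkjail.sh /home/ismail/jail /bin/bash /bin/ls
#   sudo chroot --userspec=1000:1000 /home/ismail/jail /bin/bash
```
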
