
Chroot Is Your Friend

Unix provides the chroot() system call, which confines a program to a particular subdirectory of the filesystem: that directory becomes the program's root. Once the call is made, the program can no longer reach any directory above that point. This is a lovely way to limit a program's access to the system. Even if a cracker breaks in, they cannot run willy-nilly about the system; all they can affect are the files inside the chroot jail.

Note that you usually can't just perform the chroot() and be done. If the program depends on shared libraries or particular device files, those must be present inside the jail or the daemon will fail. Some servers are designed to be easily chrooted; others will need more work.

Note, further, that this isn't a perfectly secure jail: a root user who is willing to dig into the filesystem directly can 'escape' to the rest of the directories. There is a way around this, but it's not for the faint of heart; it involves controlled damage to the filesystem...
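The three points above (chroot() confines the process, the jail must already contain what the program needs, and a process that stays root inside the jail can escape) are illustrated by the following C program. It is an added example, not code from the original article: it checks that the required files are present in the jail, calls chroot() followed immediately by chdir("/"), and then drops root and verifies that the drop cannot be undone. The jail directory, the uid/gid to drop to, and the list of required files are assumptions supplied by the caller.

```c
/* Added example (not from the original article): entering a chroot jail
 * safely. (1) Confirm the files the program will need are already inside
 * the jail, (2) chroot() and immediately chdir("/"), (3) drop root and
 * verify the drop stuck, since a root process inside the jail can dig out. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>

enum {
    JAIL_OK = 0,
    JAIL_ERR_ROOT_IN_JAIL = -1, /* refused: caller asked to stay uid/gid 0 */
    JAIL_ERR_STAT = -2,         /* jail path missing or not a directory */
    JAIL_ERR_NOT_ROOT = -3,     /* chroot() itself requires root */
    JAIL_ERR_CHROOT = -4,
    JAIL_ERR_CHDIR = -5,
    JAIL_ERR_DROP = -6,         /* setgroups/setgid/setuid failed */
    JAIL_ERR_STILL_ROOT = -7    /* privilege drop did not stick */
};

/* Count how many of the required paths (relative to the jail root, e.g.
 * "/lib/libc.so.6" or "/dev/null") are missing inside `jail`.
 * Returns the number missing; 0 means the jail is complete. */
int jail_missing_files(const char *jail, const char *const *required, int n)
{
    char path[4096];
    struct stat st;
    int missing = 0;
    for (int i = 0; i < n; i++) {
        snprintf(path, sizeof path, "%s%s", jail, required[i]);
        if (stat(path, &st) != 0)
            missing++;
    }
    return missing;
}

/* Confine the calling process to `jail` and become uid/gid.
 * Returns JAIL_OK or one of the negative JAIL_ERR_* codes above. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    struct stat st;

    /* Never remain root inside the jail: root can escape it. */
    if (uid == 0 || gid == 0)
        return JAIL_ERR_ROOT_IN_JAIL;
    if (stat(jail, &st) != 0 || !S_ISDIR(st.st_mode))
        return JAIL_ERR_STAT;
    if (geteuid() != 0)
        return JAIL_ERR_NOT_ROOT;

    /* chroot() does not change the cwd; without chdir("/") the process
     * keeps an open handle to a directory outside the new root. */
    if (chroot(jail) != 0)
        return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;

    /* Drop supplementary groups, then gid, then uid. Order matters: once
     * the uid is non-zero the other two calls would be refused. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_ERR_DROP;

    /* Verify the drop is irreversible: regaining root must now fail. */
    if (setuid(0) == 0 || geteuid() == 0)
        return JAIL_ERR_STILL_ROOT;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    /* Usage: ./jail <jaildir> <uid> <gid>   (must be started as root) */
    if (argc != 4) {
        fprintf(stderr, "usage: %s jaildir uid gid\n", argv[0]);
        return 2;
    }
    const char *jail = argv[1];
    /* Constructed list of files a typical daemon needs; adjust per program. */
    const char *const required[] = { "/dev/null", "/etc/passwd" };
    int missing = jail_missing_files(jail, required, 2);
    if (missing) {
        fprintf(stderr, "%d required file(s) missing from %s\n", missing, jail);
        return 1;
    }
    int rc = enter_jail(jail, (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3]));
    if (rc != JAIL_OK) {
        fprintf(stderr, "enter_jail failed: %d\n", rc);
        return 1;
    }
    printf("now confined to %s as uid %u\n", jail, (unsigned)getuid());
    return 0;
}
```

The checks run in the order a daemon should perform them: refuse to keep uid 0 before touching anything, confirm the jail exists, and only then make the irreversible chroot() and privilege-drop calls. The final setuid(0) probe is the cheap way to confirm the process really is no longer root before it starts serving requests.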
