[Linux 文章收集] Linux / Unix: chroot Command Examples

Source From Here 
Preface 
I am a new Linux and Unix user. How do I change the root directory of a command? How do I change the root directory of a process such as web-server using a chroot command to isolate file system? How do I use a chroot to recover password or fix the damaged Linux/Unix based environment? 

Each process/command on Linux and Unix-like system has current working directory called root directory of a process/command. You can change the root directory of a command using chroot command, which ends up changing the root directory for both current running process and its children. 

A process/command that is run in such a modified environment cannot access files outside the root directory. This modified environment is commonly known as "jailed directory" or "chroot jail". Only a privileged process and root user can use chroot command. This is useful to: 

1. Privilege separation for unprivileged process such as Web-server or DNS server.
2. Setting up a test environment.
3. Run old programs or ABI in-compatibility programs without crashing application or system.
4. System recovery.
5. Reinstall the bootloader such as Grub or Lilo.
6. Password recovery - Reset a forgotten password and more.

Purpose 
The chroot command changes its current and root directories to the provided directory and then run command, if supplied, or an interactive copy of the user's login shell. Please note that not every application can be chrooted. 

Syntax 
The basic syntax is as follows: 

# chroot /path/to/new/root command
OR
# chroot /path/to/new/root /path/to/server
OR
# chroot [options] /path/to/new/root /path/to/server

Chroot command examples 
In this example, build a mini-jail for testing purpose with bash and ls command only. First, set jail location using mkdir command: 

$ J=$HOME/jail

Create directories inside $J: 

$ mkdir -p $J
$ mkdir -p $J/{bin,lib64,lib}
$ cd $J

Copy /bin/bash and /bin/ls into $J/bin/ location using cp command: 

$ cp -v /bin/{bash,ls} $J/bin

Copy required libs in $J. Use ldd command to print shared library dependencies for bash: 

$ ldd /bin/bash
linux-vdso.so.1 => (0x00007fff8d987000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000032f7a00000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000032f6e00000)
libc.so.6 => /lib64/libc.so.6 (0x00000032f7200000)
/lib64/ld-linux-x86-64.so.2 (0x00000032f6a00000)

Copy libs in $J correctly from the above output: 

$ cp -v /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 $J/lib64/

Copy required libs in $J for ls command. Use ldd command to print shared library dependencies for ls command: 

$ ldd /bin/ls
linux-vdso.so.1 => (0x00007fff68dff000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00000032f8a00000)
librt.so.1 => /lib64/librt.so.1 (0x00000032f7a00000)
libcap.so.2 => /lib64/libcap.so.2 (0x00000032fda00000)
libacl.so.1 => /lib64/libacl.so.1 (0x00000032fbe00000)
libc.so.6 => /lib64/libc.so.6 (0x00000032f7200000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000032f6e00000)
/lib64/ld-linux-x86-64.so.2 (0x00000032f6a00000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00000032f7600000)
libattr.so.1 => /lib64/libattr.so.1 (0x00000032f9600000)

You can copy libs one-by-one or try bash shell for loop as follows: 

view plaincopy to clipboardprint?

1. list="$(ldd /bin/ls | egrep -o '/lib.*\.[0-9]')"  
2. for i in $list; do cp  -v "$i" "${J}${i}"; done  

Finally, chroot into your new jail: 

$ sudo chroot $J /bin/bash

Try browsing /etc or /var: 

# ls /
# ls /etc/
# ls /var/

A chrooted bash and ls application is locked into a particular directory called $HOME/$J and unable to wander around the rest of the directory tree, and sees that directory as its "/" (root) directory. This is a tremendous boost to security if configured properly. I usually lock down the following applications using the same techniques: 

1. Apache - Red Hat / CentOS: Chroot Apache 2 Web Server
2. Nginx - Linux nginx: Chroot (Jail) Setup
3. Chroot Lighttpd web server on a Linux based system
4. Chroot mail server.
5. Chroot Bind DNS server and more.

How do I exit from chrooted jail? Using command exit. 

Finally, chroot into your new jail: 

$ sudo chroot $J /bin/bash

See all other chroot command related examples on nixCraft: 

1. Ubuntu: Mount Encrypted Home Directory (~/.private) From an Ubuntu Live CD
2. Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only
3. Fix a dual boot MS-Windows XP/Vista/7/Server and Linux problem
4. Restore Debian Linux Grub boot loader

A note about chrooting apps on a Linux or Unix-like systems 
Should you use the chroot feature all the time? In the above example, the program is fairly simple but you may end up with several different kinds of problems such as: 

1. Missing libs in jail can result into broken jail.
2. Complex program are difficult to chroot. I suggest you either try real jail such as provided by FreeBSD or use virtualization soultuon such as KVM on Linux.
3. App running in jail can not run any other programs, can not alter any files, and can not assume another user's identity. Loosen these restrictions, you have lessened your security, chroot or no chroot.

Supplement 
* 鳥哥 - Linux 帳號管理與 ACL 權限設定 
* chroot(8) Linux/Unix command man page 
* Man pages - chroot(2) 
* OpenBSD documentation - See Apache chrooting faq for more information.