Chroot jail
A chroot jail is a sandbox environment on a UNIX system, created using the chroot command.
Creating sandboxes for software to run in is an old idea. There are many malicious crackers and worms on the modern-day Internet. If a malicious program or intruder is able to gain access to a system and attain root (superuser) privileges, they gain total control over the system.
To gain access to a system, an intruder will attempt to exploit weaknesses in one or several of the programs running on a computer system. An intruder will generally be able to gain the same privileges as the program they successfully exploited.
To prevent or slow attackers, or to defend against more typical bugs, administrators may elect to set up a minimal but separate version of their operating system in a separate directory or partition. Programs can then be started in the chroot environment, and the impact of any compromise, malfunction or crash of those programs will be restricted to that environment.
Sometimes a chroot jail is not set up perfectly, usually for reasons of convenience, or by mistake. A considerable body of cracker literature is devoted to breaking out of chroot jails through such weaknesses.
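An administrator can check a jail directory for setup mistakes before any program is started in it. The script below is an added example, not taken from the howtos listed under References; the three conditions it flags (setuid/setgid files, device nodes, and world-writable entries without the sticky bit) are an assumed checklist of common hardening items, and the function names and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_jail(jail_root):
    """Return sorted (issue, path-relative-to-jail) findings for a jail tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(jail_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode  # lstat: never follow links out of the jail
            rel = os.path.relpath(full, jail_root)
            if stat.S_ISLNK(mode):
                continue  # permission bits on a symlink carry no meaning
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid/setgid", rel))
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append(("device-node", rel))
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append(("world-writable", rel))
    return sorted(findings)

def build_sample_jail(root):
    """Create a constructed sample tree containing two deliberate mistakes."""
    for sub in ("bin", "tmp", os.path.join("var", "run")):
        os.makedirs(os.path.join(root, sub))
    helper = os.path.join(root, "bin", "helper")
    open(helper, "w").close()
    os.chmod(helper, 0o4755)                           # mistake: setuid file
    os.chmod(os.path.join(root, "bin"), 0o755)
    os.chmod(os.path.join(root, "var"), 0o755)
    os.chmod(os.path.join(root, "tmp"), 0o1777)        # sticky bit set: not flagged
    os.chmod(os.path.join(root, "var", "run"), 0o777)  # mistake: world-writable

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as jail:
        build_sample_jail(jail)
        for issue, path in audit_jail(jail):
            print(f"{issue:15} {path}")
```

Device nodes can only be created by root, so the sample tree does not contain one; the check still applies when the script is pointed at a real jail directory.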
References
- Howto (http://www.faqs.org/docs/securing/chap29sec254.html) run Apache (an http server for use on the World Wide Web) in a chroot jail
- Howto (http://www.stahl.bau.tu-bs.de/~hildeb/bind/) run BIND (a DNS name server) in a chroot jail
- Jailkit (http://olivier.sessink.nl/jailkit/) a large set of utilities to build, secure and run your jailed users/daemons/etc.