Sometimes, you may need to isolate a process from other processes running on your system. We can do this with the use of the chroot command in Linux.
In this tutorial, we will show you what the chroot command is and how you can use the command to create a chroot jail and trap a user or a group in an isolated environment.
Understanding the chroot Command in Linux
The chroot command is essential in Linux systems. It helps you change the root directory for a process along with its child processes. When we create a fake root directory for a user or group, it loses access to the true root directory.
Hence, the user or group is now isolated from the rest of our system. This can have many uses, such as the following:
- Create a test environment for software development and testing.
- Initialize reinstallation of the bootloader files on your system
- Run software which may be decrepitated
- Enhance security using a ringfencing mechanism
The chroot command essentially creates a virtual environment. Its function is similar to a virtual machine, but it doesn’t require you to devote dedicated resources for the chroot jail.
The virtual environment shares all the kernel with the host system.
Syntax of the chroot Command
The chroot command in Linux has the following syntax.
The only parameter necessary to run a chroot command is the path for the new root directory. However, you can use the options available in the chroot command to achieve your desired results.
Here are the options at your disposal when you use the chroot command in Linux.
- –userspec=USER[:GROUP] – Used to define the user or the group which we wish to use the chroot command on. We can specify the group or user we wish to use by name or ID
- –groups=G_List – Used to specify supplementary groups we wish to use as G1, G2… Gn
- — help – Shows you a help screen and exits
- –version – Displays the version data and exits
Creating a chroot command jail
Now that we understand the chroot command and its syntax, it is time to use it. To show you how it’s done, we will create a chroot jail.
A chroot jail is a virtual environment created by changing the root directory of a user or group to a new directory. This new directory serves as the fake root directory for our chroot jail.
Let’s go over the steps that you need to do to use the chroot command in Linux to create a chroot jail.
1. Create a Directory
First, we will begin by creating a fake root directory at /home/chroot_jail using the mkdir command.
This will create a directory at the given address which we will use for our chroot jail. However, before we let chroot command do its job, we need to add the required files to our new directory.
2. Add Required Root Directories
We will start by creating the /bin, /lib and /lib64 in our jail directory. The command to create these directories is given below.
As you can notice, the directories we are creating within our virtual environment are specified in braces (‘<>’).
Now, we will use the cd command to make chroot_jail our new root directory.
3. Move the Allowed Command Binary Files
We are making a minimalistic Linux environment for this example. Let’s use the bash, ls, rm and touch commands to be a part of our virtual environment’s functionality.
Copy the binaries from our root /bin directory to our chroot_jail’s /bin directory. We do so using the cp command with the -v (verbose) tag so we can see what is being copied at the given moment.
As you can see, the binaries which we wish to copy are mentioned in braces. The files from the given binaries have now been copied to our new chroot jail directory.
4. Resolving Command Dependencies
But these binaries will have dependencies. The dependencies for bash can be found using the ldd command.
Now we will use the cp command to carefully copy the directories to our chroot jail one by one. We should make sure to copy all the dependency libraries, else our chroot jail will not work properly. Replace the
part with the directories separated by commas.
We will repeat these steps for all the commands that we want to allow within the chroot jail. Find the dependency libraries and copy them to the chroot_jail directory.
5. Switching to the New Root Directory
Now, all that we have left to do is to change the root directory of our chroot jail to the new fake directory we just created.
To change the directory and specify bash to run as the application which we run as the shell for our virtualized environment, we use the following command.
You may be prompted to enter your user password to continue. In that case, enter your user password and the command will be executed.
If you have followed all the steps correctly, you should expect to see an output similar to the following on your screen.
As you can see in the screenshot, the bash version 4.4 is now running as the shell for our chroot jail.
Now, our minimalistic virtual Linux environment has been created and it is ready to use. We can interact with the virtual environment using bash like a regular Linux system.
The chroot command in Linux is a simple yet effective command in a Linux user’s toolset. Its ability to create a virtualized environment, without the need for any monitoring software as we see with virtual machines, makes it a light alternative for this use.
This tutorial aimed to help you understand what chroot is and then show you how to build a simple chroot jail. If you have any queries, feedback or suggestions, feel free to reach out to us in the comments below.