chroot jail

Discussion in 'all things UNIX' started by tsec, Aug 4, 2009.

Thread Status:
Not open for further replies.
  1. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181
    (From the chroot entry @ wikipedia).

    Is chroot then the Linux equivalent of a sandbox?
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    In a nutshell, yes. It's a great thing. To such an extent that some services won't run if not chrooted. For example, bind9 on CentOS requires a chrooted environment to run.

    Critical to properly deploying a minimal-escalation-risk environment for critical services.

    Mrk
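
An added example for the jail setup the reply above refers to (not code from the thread, from CentOS or from bind9): the minimal sequence a privileged launcher goes through to put a service into a chroot. Three steps turn a chroot into a jail rather than just a different root directory: chroot(2) itself, which needs CAP_SYS_CHROOT and so is done as root; chdir("/") afterwards, because otherwise the working directory still points outside the new root; and dropping to an unprivileged uid/gid, because a process that stays root inside a chroot can mkdir(), chroot() into the subdirectory and walk back out with "cd ..". The refusal to accept uid or gid 0 and the command-line shape are this example's own choices, and the uid 65534 used in the usage line is just an illustrative unprivileged account.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter the chroot jail rooted at `root` and become `uid`/`gid`.
 * Returns 0 on success, otherwise an errno value. Must be called as
 * root, since chroot(2) requires CAP_SYS_CHROOT. Example code for this
 * thread, not from any project; the uid/gid 0 refusal is this
 * example's own policy. */
static int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    /* A jail that keeps uid 0 is not a jail: root inside a chroot can
     * mkdir() + chroot() its way back to the real root. */
    if (root == NULL || uid == 0 || gid == 0)
        return EINVAL;

    /* Path lookup happens before the capability check in Linux, so a
     * missing directory reports ENOENT even for an unprivileged caller;
     * an existing one without CAP_SYS_CHROOT reports EPERM. */
    if (chroot(root) != 0)
        return errno;

    /* chroot() does not move the cwd. Without this, the process still
     * sits outside the new root and "cd .." escapes the jail. */
    if (chdir("/") != 0)
        return errno;

    /* Drop supplementary groups, then the gid, then the uid. The order
     * matters: once the uid is unprivileged, setgroups()/setgid() fail. */
    if (setgroups(0, NULL) != 0)
        return errno;
    if (setgid(gid) != 0)
        return errno;
    if (setuid(uid) != 0)
        return errno;

    /* Confirm the drop is permanent: regaining uid 0 must now fail. */
    if (setuid(0) == 0)
        return EPERM;

    return 0;
}

/* Usage (as root): ./jail <root> <uid> <gid> <program> [args...]
 * e.g.  ./jail /var/jail/named 65534 65534 /usr/sbin/named -f
 * <program> is resolved inside the jail, so the jail must contain the
 * binary and the shared libraries it needs. */
int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s <root> <uid> <gid> <program> [args...]\n",
                argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);

    int err = enter_jail(argv[1], uid, gid);
    if (err != 0) {
        fprintf(stderr, "enter_jail(%s): %s\n", argv[1], strerror(err));
        return 1;
    }

    /* Any file descriptor to a directory outside the jail that survives
     * to this point is an escape route via fchdir(); the caller should
     * open nothing outside the jail before exec, or mark it close-on-exec. */
    execv(argv[4], &argv[4]);
    perror("execv");
    return 1;
}
```

Two things the code does not do, and which a real deployment still needs: populating the jail (the binary, its libraries, /dev/null, /dev/random and any config it reads), and remembering that a chroot only changes path resolution. It is not a namespace or a mandatory access control policy, so the jailed process still sees the same network, the same process table and the same kernel attack surface.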
     
  3. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181
    Thanks Mrk.

    So is it possible to use chroot in the same way that SandboxIE is used in Windows? That is, to run, for instance, a browser in it and then, at the close of the browsing session, have the option of saving any files, etc.?

    Cheers.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    First, your user session is already a sort of sandbox. You can't save files just anywhere when you run Firefox on Linux, only in your home dir and maybe a few select locations, so there you go.
    Mrk
     
  5. Yeah, but that doesn't protect your personal data, which is probably also stored in the home dir, from e.g. a file infector. ;)

    Fortunately, most major distros use Mandatory Access Control systems such as SELinux and AppArmor. These are more like SBIE in functionality - programs launched by a user won't necessarily have that user's full rights.

    For the full list of MAC systems...

    - SMACK (Simplified MAC Kernel): I don't think anything uses this. Its main advantage over the others is its simplicity, which means that, although it may be less secure in theory, it's also less likely to be misconfigured or to contain really stupid bugs.

    - SELinux: in the mainline kernel, used by default on Fedora, Red Hat, and distros derived from those, and optional (if a bit buggy) on Debian. Capable of ridiculous security levels but complicated to configure.

    - AppArmor: used in openSUSE (you have to turn it on) and Ubuntu (on by default, IIRC). Oh yeah, and PCLinuxOS (but I wouldn't bother with PCLOS because it's buggy and sucks).

    - Tomoyo: used by Mandriva. Not sure what its advantages are.

    - RSBAC: used to be used by Mandriva, not sure if anyone uses it now.

    - grsecurity: used by CAOS, NetSecL, and maybe a few others. Largely useless on desktops, as many applications will simply not run under it. Very secure though. :p

    There's also PaX, a set of kernel patches designed to block buffer overflows and similar vulnerabilities. I think Gentoo's hardened kernel uses that, and most "secure" distros (e.g. Annvix). Again, some applications will refuse to run with a PaX kernel.
     
  6. demonon

    demonon Guest
