Linux – When is it appropriate / prudent to use chroot

chrootlinuxSecurity

I hear about needing to chroot BIND all the time. Fair enough. But what about other programs? What are the "rules" (either personal or widely accepted/established) for deciding which programs should be jailed?

-M

Best Answer

In general, you might want to use chroot for several reasons:

need for another distribution/architecture/distribution version without wanting to use OpenVZ or a virtual machine. For example, I use chroots to have both i386 and amd64 compilation environments on an amd64 machine.
restricting access to the system to users. For example, you can use chroot together with scponly to restrict the commands users have access to. This is a very limited jailing system since they still have access to the network for example.
restricting access to the system to programs. In general, you might want to do that for daemons mostly, such as bind or apache. This way, these programs will not have direct access to the system, so if an attacker could use a security breach of the program, it would not directly access the system, but instead would find himself inside the chroot. It helps enhancing the security, but it is not a guarantee that your system is secure.

Related Solutions

Ubuntu – Running BIND9 In chroot

EDIT: oops, AppArmor, not SELinux...

Look at /etc/apparmor.d/usr.sbin.named

There's a section that looks like this:

/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** rw,
/var/cache/bind/ rw,

I suggest adding this afterwards (or possibly replacing it with this):

/var/lib/named/etc/bind/** r,
/var/lib/named/var/lib/bind/** rw,
/var/lib/named/var/lib/bind/ rw,
/var/lib/named/var/cache/bind/** rw,
/var/lib/named/var/cache/bind/ rw,

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Best Answer

Related Solutions

Ubuntu – Running BIND9 In chroot

Linux – How to run a server on port 80 as a normal user on Linux

Related Topic