Security – the right way to chroot perl script


I created /opt/chroot, created bin, lib and other directories in it, and copied the libraries and the bash and perl binaries to the proper places. I also placed my script in /opt/chroot/bin/.

Now I can run the script this way:

# chroot /opt/chroot script.pl

There are two things that I am concerned about:

  1. The script gains root rights.
  2. There is a perl interpreter inside the chrooted environment.

How can I avoid these security holes?

Best Answer

Chroots on Linux are not for security; if you have root or mount abilities inside a chroot, it's easy to break out.

You should obviously drop root using su or similar; as long as the script doesn't have permissions to modify the interpreter files, there shouldn't be a problem.

To do this you need to add a larger hunk of code in a copy of su, and the core bits of PAM.

Something like jailkit might be an easier way to manage this:

http://olivier.sessink.nl/jailkit/index.html
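
One way to do the "drop root" step from the answer above, as an added example that is not part of the original answer: it first checks that the unprivileged user cannot modify anything in the jail, then starts the script through the `--userspec` option of GNU coreutils `chroot` instead of a copy of su inside the jail. The function names, the `nobody` account and the file name `run-jailed.sh` are assumptions.

```shell
#!/bin/sh
# Added example. jail_findings, run_jailed and the "nobody" account are
# assumptions for illustration; /opt/chroot is the jail from the question.

# Print every path in the jail that the unprivileged user could change or
# abuse: paths it owns, world-writable paths, set-uid/set-gid files.
# Symlinks are skipped because their own mode bits are not enforced.
jail_findings() {
    jail=$1 user=$2
    find "$jail" ! -type l \
        \( -user "$user" -o -perm -0002 -o -perm -4000 -o -perm -2000 \) -print
}

# Refuse to start if the audit finds anything, otherwise chroot as root and
# switch to the unprivileged uid/gid before the script is executed.
run_jailed() {
    jail=$1 user=$2
    shift 2
    findings=$(jail_findings "$jail" "$user")
    if [ -n "$findings" ]; then
        printf '%s could modify or abuse:\n%s\n' "$user" "$findings" >&2
        return 1
    fi
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    # Numeric ids, so no passwd file, su or PAM is needed inside the jail.
    # --groups replaces root's supplementary groups with the single gid.
    exec chroot --userspec="$uid:$gid" --groups="$gid" "$jail" "$@"
}

# Usage (as root): sh run-jailed.sh /opt/chroot nobody /bin/script.pl
if [ "$#" -ge 3 ]; then
    run_jailed "$@"
fi
```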
