3.15. Restricting Services to Specific Filesystem Directories
Problem
You want to create a chroot cage to restrict a service to a particular directory (and its subdirectories) in your filesystem.
Solution
Create a chroot cage by running the GNU chroot program instead of the service. Pass the service executable as an argument. In other words, change this:
/etc/xinetd.conf or /etc/xinetd.d/myservice:
service myservice
{
...
server = /usr/sbin/myservice -a -b
...
}
into this:
service myservice
{
...
user = root
server = /usr/sbin/chroot
server_args = /var/cage /usr/sbin/myservice -a -b
...
}
Discussion
chroot takes two arguments: a directory and a program. It forces the program to behave as if the given directory were the root of the filesystem, “/”. This effectively prevents the program from accessing any files not under the chroot cage directory, since those files have no names in the chroot’ed view of the filesystem. Even if the program runs with root privileges, it cannot get around this restriction. The system call invoked by chroot (which also is named chroot) is one-way: once it is invoked, there is no system call to undo it in the context of the calling process or its children.
A chroot cage is most effective if the program relinquishes its root privileges after it starts—many daemons can be configured to do this. A root program confined to a chroot cage can still wreak havoc by creating and using new device special files, or maliciously using system calls that are not related to ...
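Building the cage that the solution's server_args line points at, as an added shell example that is not from the book: it copies the service binary and the shared libraries ldd reports into the cage at their original paths, and then checks for the setuid/setgid files and device nodes that the discussion warns a still-root process inside the cage could abuse. The /var/cage and /usr/sbin/myservice paths are the ones used above; ldd being available on PATH is an assumption.

```shell
#!/bin/sh
# Build a minimal chroot cage for one service binary: the binary itself plus
# the shared libraries ldd reports, copied to the same paths under the cage.
# Added example; assumes a glibc- or musl-style ldd on PATH.

# Print the absolute paths of the shared objects a dynamic binary needs.
# A static binary (ldd: "not a dynamic executable") yields an empty list.
shared_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }   # libc.so.6 => /lib/.../libc.so.6 (addr)
        $1 ~ /^\//               { print $1 }   # /lib64/ld-linux-x86-64.so.2 (addr)
    '
}

# Copy one file into the cage at the same path, following symlinks and
# clearing setuid/setgid bits so nothing in the cage can raise privilege.
copy_into_cage() {
    cage=$1; f=$2
    mkdir -p "$cage$(dirname "$f")" || return 1
    cp -pL "$f" "$cage$f" || return 1
    chmod u-s,g-s "$cage$f"
}

# populate_cage CAGE BINARY: copy BINARY and its libraries into CAGE.
populate_cage() {
    cage=$1; bin=$2
    [ -d "$cage" ] || mkdir -p "$cage" || return 1
    copy_into_cage "$cage" "$bin" || return 1
    for lib in $(shared_libs "$bin"); do
        copy_into_cage "$cage" "$lib" || return 1
    done
}

# audit_cage CAGE: fail if the cage holds setuid/setgid files or device
# nodes, which a root process confined to the cage could use to escape.
audit_cage() {
    bad=$(find "$1" \( -perm -4000 -o -perm -2000 -o -type b -o -type c \) 2>/dev/null)
    [ -z "$bad" ]
}

# Example use (as root): build and audit the cage, then run the service
# through chroot exactly as the xinetd entry above does.
# populate_cage /var/cage /usr/sbin/myservice && audit_cage /var/cage \
#   && /usr/sbin/chroot /var/cage /usr/sbin/myservice -a -b
```

The service binary still needs any configuration files, /etc/passwd entries and /dev nodes it opens at runtime copied or created under the cage; strace or the daemon's documentation tells you which.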