Available on all Linux and Unix systems, chroot jails can secure untrusted applications and make trusted ones almost impenetrable. Here’s how to build them.
“Security” is one of those “buzzwords du jour,” and there seems to be as many approaches to security as there are opinions on Microsoft. However, unlike other hot topics (or “CEO hot buttons”) that come and go, effort spent on security almost always pays off. Moreover, having a multitude of security techniques is a very good thing. There are umpteen ways to hack a system, and the savvy system administrator maintains a substantial and varied arsenal of countermeasures. Firewalls, honey pots, intrusion detection, and SSH are just a few tricks of the Linux security trade.
Application jails, also known as “change root jails” or “chroot jails,” are another effective countermeasure. Supported by all Linux and Unix systems, application jails put up a nearly impenetrable barrier between the “jailed” software and the rest of the system. And because a jail is enforced by the operating system and not by an application, it can provide an enormous level of safety. A chroot jail “incarcerates” untrusted applications, and acts like a guard, almost literally, for applications that already have substantial security measures built-in.
This month, let’s learn about jails. Let’s throw an application into “solitary,” and make it a model citizen.
Uprooting Root
The chroot() system call has been with UNIX since at least Version 7 (released in 1979). As its name implies, chroot() changes the root directory of the calling process.
What does that mean? Think of chroot() as a kind of reality distorter. Once…
Please log in to view this content.
Not Yet a Member?
Register with LinuxMagazine.com and get free access to the entire archive, including:
