DragonFly On-Line Manual Pages
chroot_safe(1) DragonFly General Commands Manual chroot_safe(1)
NAME
chroot_safe - Chroot dynamically linked applications in a sane and safe
manner
SYNOPSIS
chroot_safe user chroot_directory application [arguments...]
DESCRIPTION
chroot_safe is a tool to chroot any application in a safe and sane
manner without requiring binaries, shared libraries, etc. within the
chroot or any support from the application. It works with any
dynamically linked application.
Normally, when you chroot applications that have no native support for
chroot, there are a number of obstacles to overcome:
1. The binary must be within the chroot jail
2. All libraries used by the binary must be within the chroot jail
3. chroot does not drop root privileges
4. su nobody -c does not chroot
Shortcomings 3 & 4 can be addressed by writing a small tool replacing
chroot, but you still have limitations 1 & 2.
chroot_safe addresses all four of these shortcomings by instrumenting
the application at runtime link time so that it performs a full chroot
and drops all root privileges just after dynamic linking has completed
but before the application as such is started. This is done via a small
LD_PRELOAD stub and a shell wrapper giving instructions on how to
chroot.
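A sketch of the kind of preload stub described above, added here as an illustration and not taken from the chroot_safe source. The file name jailstub.c, the environment variables JAIL_DIR, JAIL_UID and JAIL_GID, and the use of a library constructor as the hook are assumptions of this example; it assumes a Linux/glibc build.

```c
/* jailstub.c - illustrative preload stub (hypothetical; not chroot_safe's code).
 * Assumed build: cc -shared -fPIC -o jailstub.so jailstub.c
 * Assumed use, as root, with these variables set in the environment:
 *   JAIL_DIR=/tmp JAIL_UID=65534 JAIL_GID=65534 LD_PRELOAD=./jailstub.so */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Strictly parse a decimal, non-root id. Returns 0 on success, -1 otherwise. */
int parse_id(const char *s, unsigned long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return -1;   /* no sign, no blanks */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v == 0 || v > 0xfffffffeUL) return -1;
    *out = v;
    return 0;
}

/* chroot first (needs root), then drop groups, gid and uid in that order,
 * and confirm root cannot be regained. Returns 0 on success, -1 otherwise. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0 || getuid() != uid || getgid() != gid) return -1;
    return 0;
}

/* Runs when the dynamic linker initialises this library, before main(). */
__attribute__((constructor)) static void jail_init(void)
{
    const char *dir = getenv("JAIL_DIR");
    unsigned long uid = 0, gid = 0;
    if (dir == NULL) return;               /* not configured: do nothing */
    if (parse_id(getenv("JAIL_UID"), &uid) != 0 ||
        parse_id(getenv("JAIL_GID"), &gid) != 0 ||
        enter_jail(dir, (uid_t)uid, (gid_t)gid) != 0) {
        fputs("jailstub: chroot or privilege drop failed, aborting\n", stderr);
        _exit(1);                          /* fail closed, never run unjailed */
    }
    unsetenv("LD_PRELOAD");                /* child processes are not re-jailed */
    unsetenv("JAIL_DIR");
}
```

Anything the program loads lazily after this point, such as a dlopen()ed plugin, is resolved inside the jail.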
EXAMPLES
Here is a silly example demonstrating the power of this application:
chroot "ls -l" to /tmp in a safe manner without needing to prepare
anything in /tmp:

    chroot_safe nobody /tmp ls -l

Note: This example does not work on FreeBSD or other platforms where ls
is statically linked.
You can also find a howto on chrooting an anonymous CVS server online
at the chroot_safe website <http://chrootsafe.sourceforge.net/>.
NOTES
This application utilizes some shared library loading tricks to
instrument the application with the required chroot hooks. Because of
this it won't work on statically linked applications.
If there is any problem chrooting the application, an error message is
printed on stderr and execution of the application is terminated.
Root privileges are required to chroot applications.
For details on the inner workings see the comments in the source.
AUTHOR
Henrik Nordstrom <hno@marasystems.com>
REPORTING BUGS
Send bug fixes or improvements to the author.
SEE ALSO
chroot(8), su(1), http://chrootsafe.sourceforge.net/
1.4 9 Apr 2005 chroot_safe(1)