How to Use the chroot Command on Linux

A terminal prompt on the screen of a Linux laptop.Fatmawati Achmad Zaenuri /

The chroot command can send you to jail, keep your development or test environments isolated, or simply improve the security of your system. We show you the easiest way to use it.

What's a chroot?

If you are trying to measure the utility of an order, you need to consider its features and its ease of use. If it's too complicated for users or too slow to make them want to try to use it, the functionality may also be nil. If nobody uses it, it does not provide any functionality.

In discussions with Linux users, in person and on the forums, it seems that the chroot command is considered difficult to use, or too insightful and tedious to install. It seems that this great utility is not used as much as it could be.

With chroot, you can configure and run programs or interactive shells such as Bash in an encapsulated file system that can not interact with your usual file system. Everything in the environment chroot is written and content. Nothing in the environment chroot can see beyond its own special root directory without going to root privileges. This has earned this type of environment the nickname of prison chroot. The term "prison" should not be confused with From FreeBSD command jail, which creates a chroot environment it's more secure than the usual chroot environment.

But in reality, there is a very simple way to use chroot, which we will follow. We use regular Linux commands that will work on all distributions. Some Linux distributions have dedicated tools for configuring chroot environments, such as debootstrap for Ubuntu, but we are distro-agnostic here.

When should I use a chroot?

A chroot environment provides functionality similar to that of a virtual machine, but it is a lighter solution. The captive system does not need a hypervisor to be installed and configured, such as VirtualBox or Virtual Machine Manager. There is no need for a kernel to be installed in the captive system either. The captive system shares your existing kernel.

In some ways, chroot environments are closer to containers such as LXC only for virtual machines. They are lightweight, quick to deploy, and the creation and triggering of a system can be automated. As with containers, a convenient way to configure them is to install the operating system in sufficient numbers to perform your tasks. The "What's Needed" question is solved by looking at how you are going to use your chroot environment.

Some common uses are:

Software Development and Product Verification. Developers write software and the Product Verification (PV) team tests them. Sometimes problems detected by PV can not be replicated to the developer's computer. The developer has installed on his development computer all kinds of tools and libraries that the average user – and the PV software – do not have. Often, new software that works for the developer but not for others uses a resource on the developer's PC that was not included in the test version of the software. chroot allows developers to have on their computer a clear and captive environment in which they can install the software before transferring it to PV. The captive environment can be configured with minimal minimal dependencies required by the software.

Reduce development risks. The developer can create a dedicated development environment so that nothing that happens in the latter will disrupt the operation of his PC.

Execution of obsolete software. Sometimes, you just have an old version of something running. If the old software has requirements that might conflict or be incompatible with your version of Linux, you can chroot an environment for the problematic software.

Recovering and Upgrading the File System: If a Linux installation becomes unusable, you can use chroot to mount the damaged file system on a mount point of a Live CD. This allows you to work on the damaged system and try to repair it as if it were mounted normally to the root. This means that the expected file paths in the damaged system will be correctly referenced from the root directory and not from the Live CD mount point. A similar technique was used in the article describing the migration of the Linux file system from ext2 or ext3 to ext4.

Ringfencing Applications. Running an FTP server or other device connected to the Internet in a chroot environment limits the damage that an external attacker can cause. This can be a valuable step in enhancing the security of your system.

RELATED, RELATED, RELATED: How to migrate Ext2 or Ext3 file systems to Ext4 on Linux

Create a chroot environment

We need a directory that acts as the root directory of the chroot environment. To have a shortcut to refer to this directory, we will create a variable and store the name of the directory. We are configuring a variable to store a path to the "testroot" directory. It does not matter if this directory does not exist yet, we will create it soon. If the directory exists, it must be empty.

chr = / home / dave / testroot

chr = / home / dave / testroot in a terminal window

If the directory does not exist, we must create it. We can do it with this command. The -p (parents) option ensures that all missing parent directories are created at the same time:

mkdir -p $ chr

mkdir -p $ chr in a terminal window

We need to create directories containing the parts of the operating system needed for our chroot environment. We will configure a minimalist Linux environment that uses Bash as an interactive shell. We will also include the touch, rm, and ls commands. This will allow us to use all built-in Bash commands, as well as touch, rm and ls. We will be able to create, list and delete files and use Bash. And in this simple example, that's all.

List the directories you need to create in the {} list. corset expansion.

mkdir -p $ chr / {bin, lib, lib64}

mkdir -p $ chr / {bin, lib, lib64} in a terminal window

We will now change directories in our new root directory.

cd $ chr

cd $ chr in a terminal window

Let's copy the binaries we need into our minimalist Linux environment from your usual "/ bin" directory in our chroot "/ bin" directory. The -v (verbose) option allows cp to tell us what it does with each copy action.

cp -v / bin / {bash, touch, ls, rm} $ chr

cp -v / bin / {bash, flick, ls, rm} $ chr terminal window in

The files are copied for us:

cp output when files are copied to a terminal window

These binaries will have dependencies. We must also discover what they are and copy these files into our environment, otherwise bash, touch, rm and ls will not work. We have to do this in turn for each of our chosen orders. We will do Bash first. The ldd command will be list dependencies for us.

ldd / bin / bash

ldd / bin / bash in a terminal window

The dependencies are identified and listed in the terminal window:

Bash dependencies listed in a terminal window

We need to copy these files into our new environment. Choosing the details of this list and copying them one at a time will require a lot of time and error.

Fortunately, we can semi-automate. We will list the dependencies again and this time we will form a list. Then we will go through the list by copying the files.

Here, we use ldd to list the dependencies and feed the results via a tube in egrep. Using egrep is equivalent to using grep with the -E (extended regular expressions) option. The -o option (only corresponding) limits the output to the corresponding line parts. We are looking for matching library files ending with a number [0-9].

list = "$ (ldd / bin / bash | egrep -o & # 39; / lib. * .[0-9]& # 39;) "

We can check the contents of the list using echo:

echo $ list

echo $ list in a terminal window

Now that we have the list, we can go through it with the next loop, copying the files one by one. We use the variable i to browse the list. For each member of the list, we copy the file to our chroot root directory, which is the value of $ chr.

The -v (verbose) option causes cp to announce each copy as it executes it. The –parents option ensures that all missing parent directories are created in the chroot environment.

for i in the list $; do cp -v –parents "$ i" "$ {chr}"; completed

Here's the result:

output of the cp loop in a terminal window

We will use this technique to capture the dependencies of each of the other commands. And we will use the loop technique to perform the actual copy. The good news is that we only need to make a small change to the command that groups the dependencies.

We can retrieve the order of our history by pressing the up arrow key several times and then making the change. The loop copy command does not need to change.

Here we used the up arrow key to find the command, and we changed it to say touch instead of bash.

list = "$ (ldd / bin / touch | egrep -o & # 39; / lib. * .[0-9]& # 39;) "

We can now repeat exactly the same loop command as before:

for i in the list $; do cp -v –parents "$ i" "$ {chr}"; completed

And our files are copied for us:

foutput the cp loop by copying the touch dependencies in a terminal window

We can now edit the command line of the list for ls:

list = "$ (ldd / bin / ls | egrep -o & # 39; / lib. * .[0-9]& # 39;) "

Again, we will use the same loop control. It does not matter which files are in the list. It works blindly in the list by copying the files for us.

for i in the list $; do cp -v –parents "$ i" "$ {chr}"; completed

And the dependencies for ls are copied for us:

Output the cp loop by copying the ls dependencies in a terminal window

We are modifying the list command line for the last time, which works for rm:

list = "$ (ldd / bin / ls | egrep -o & # 39; / lib. * .[0-9]& # 39;) "

We use the loop copy command one last time:

for i in the list $; do cp -v –parents "$ i" "$ {chr}"; completed

The last of our dependencies are copied to our chroot environment. We are finally ready to use the chroot command. This command sets the root of the chroot environment and specifies which application should be run as a shell.

sudo chroot $ chr / bin / bash

sudo chroot $ chr / bin / bash in a terminal window

Our chroot environment is now active. The prompt of the terminal window has changed and the interactive shell is managed by the bash shell of our environment.

Active chroot environment in a terminal window

We can try the commands we have introduced into the environment.

ls / home / dave / Documents

Active chroot environment in a terminal window

The ls command works as expected when we use it in the environment. When we try to access a directory outside of the environment, the command fails.

We can use touch to create a file, ls to list it, and rm to delete it.

touch sample_file.txt
rm sample_file.txt

touch sample_file.txt in a terminal window

Of course, we can also use the built-in commands provided by the Bash shell. If you type help on the command line, Bash will list them for you.

Help me

Exiting the help command in a terminal window

Use exit to exit the chroot environment:


use exit to exit the chroot environment in a terminal window

If you want to remove the chroot environment, you can simply delete it:

rm -r testroot /

rm -r testroot / in a terminal window

This will recursively delete files and directories from the chroot environment.

Automate for convenience

If you think that chrooted environments might be useful for you, but that they are a little tedious to configure, remember that you can always relieve repetitive tasks by taking aliases, functions and scripts.

RELATED, RELATED, RELATED: How to create aliases and shell functions in Linux

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.