HOWTO chroot daemons

This page is just an informational page that describes how to chroot various daemons. It is not intended to be comprehensive. I will gladly accept any suggested additions.

Where to locate the chroot directories is an interesting question. Some people find it convenient to place them on the file system holding /etc (usually /) so that they can hard link the original files into the chroot. This is slightly less secure: a hard link is the same inode, so an attacker who modifies the file inside the chroot also modifies the one in /etc, which might then be read by another, non-chrooted program. Also, a hard link is silently undone if you replace the file (write a new file and rename it over the old one) rather than overwriting it in place.

Currently my practice for files specific to one program is to move them into the chroot and create a symlink from their normal place to the chrooted counterpart. For example, I might mv /etc/ntp /var/chroot/ntpd/etc/ntp and then ln -s /var/chroot/ntpd/etc/ntp /etc/ntp.

named

Basically you run named with the "-t /chroot" command line option. On Fedora, add "ROOTDIR=/chroot" to /etc/sysconfig/named.

My minimal chroot area is as follows:

dev/log # created by "syslogd -a /var/chroot/named/dev/log"
dev/random # for DNSSEC use?
etc/localtime # cp /etc/localtime .
etc/named.conf # symlinked from /
etc/rndc.key # symlinked from /
var/named # symlinked from /
var/named/root.cache
var/named/slaves/BLAH
var/run/named # symlinked from /
var/run/named/named.pid # created by named

ntpd

Run ntpd with the "-T /chroot" command line option. On Fedora, add OPTIONS="-T /var/chroot/ntpd" to /etc/sysconfig/ntpd.

My semi-minimal chroot area is as follows:

dev/log # created by "syslogd -a /var/chroot/ntpd/dev/log"
etc/localtime # cp /etc/localtime .
etc/ntp.conf # symlinked from /
etc/ntp # symlinked from /
etc/ntp/keys # ntp-genkeys -f
etc/ntp/ntp.keys.BLAH # ditto
etc/ntp/ntpservers # is this needed?
etc/ntp/step-tickers # is this needed?
var/lib/ntp/drift # symlinked from /
var/run/ntpd.pid # created by ntpd
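The following is an added example, not a script from the original page: it builds the ntpd layout listed above using the page's convention (move daemon-specific files into the chroot and symlink them back; copy shared files such as /etc/localtime rather than linking them) and then checks for the hard-link hazard described at the top. SYSROOT is an assumed variable (default "/") prefixed to every system path so the functions can be rehearsed on a scratch tree before touching the real root.

```shell
# Added example, not the page's own script. SYSROOT (assumed, default "/")
# prefixes each system path so this can be tried on a scratch tree first.

# move_into_chroot CHROOT ABS_PATH: mv the file or directory under CHROOT and
# leave a symlink at its original location (mv /etc/ntp ...; ln -s ... /etc/ntp)
move_into_chroot() {
    rel=${2#/}
    src="${SYSROOT:-}/$rel"
    dst="$1/$rel"
    if [ -L "$src" ]; then
        echo "skip: $src is already a symlink" >&2
        return 0
    fi
    mkdir -p "$(dirname "$dst")"
    mv "$src" "$dst"
    ln -s "$dst" "$src"
}

# copy_into_chroot CHROOT ABS_PATH: give the chroot its own copy (own inode)
# of a shared file such as /etc/localtime; never a hard link
copy_into_chroot() {
    rel=${2#/}
    mkdir -p "$(dirname "$1/$rel")"
    cp -p "${SYSROOT:-}/$rel" "$1/$rel"
}

# check_no_hard_links CHROOT: fail if any regular file inside the chroot has
# a link count above 1, i.e. shares an inode with a path outside the chroot
check_no_hard_links() {
    [ -z "$(find "$1" -type f -links +1)" ]
}

# build_ntpd_chroot CHROOT: the semi-minimal ntpd layout from this section.
# dev/log is left for "syslogd -a" and var/run/ntpd.pid for ntpd to create.
build_ntpd_chroot() {
    mkdir -p "$1/dev" "$1/var/run"
    copy_into_chroot "$1" /etc/localtime
    move_into_chroot "$1" /etc/ntp.conf
    move_into_chroot "$1" /etc/ntp
    move_into_chroot "$1" /var/lib/ntp/drift
    check_no_hard_links "$1"
}
```

On the real system, run build_ntpd_chroot /var/chroot/ntpd as root with SYSROOT unset; re-running is harmless because paths that are already symlinks are skipped.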

privoxy

Run privoxy with the --chroot command line option. I suggest adding it to /etc/init.d/privoxy.

My semi-minimal chroot area is as follows:

etc/privoxy # symlinked from /
etc/localtime # copied from /etc
lib/libresolv.so.2 # copied from /lib, needed for host name resolution
lib/libnss_dns.so.2 # copied from /lib, needed for host name resolution
var/log/privoxy # symlinked from /

Travis's Homepage auto92089@hushmail.com