This page is just an informational page that describes how to chroot various daemons. It is not intended to be comprehensive. I will gladly accept any suggested additions.
Where to locate the chroot directories is an interesting question. Some people find it convenient to place them in directories on the file system holding /etc (usually /) so that they can create hard links to the original files. This may be slightly less secure: a hard link shares one inode with the original, so an attacker who can modify the copy inside the chroot has also modified the one in /etc, which might be read by another non-chrooted program. Also, hard linking is silently undone if you replace rather than overwrite a file, since the replacement gets a new inode and the chrooted copy stops tracking it.
Currently my practice for files specific to that program is to create a symlink from their normal place to the chrooted counterpart. For example, I might mv /etc/ntp /var/chroot/ntpd/etc/ntp and then ln -s /var/chroot/ntpd/etc/ntp /etc/ntp.
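As an added example (not from the original page), the following POSIX shell functions carry out the move-and-symlink practice above for a single config file and then audit the chroot tree for hard links, which the earlier paragraph warns against. All paths are parameters so it can be exercised in a scratch directory rather than against the real /etc; the chroot path must be absolute for the symlink to resolve.

```shell
#!/bin/sh
# Added example, not part of the original page. Builds a chroot skeleton in the
# style described above and checks it for hard-linked files.

# Usage: chroot_setup <real_etc_dir> <absolute_chroot_dir> <config_name> <tz_file>
# Moves <config_name> out of <real_etc_dir> into the chroot's etc/ and leaves a
# symlink behind, so the jailed copy is the single file both sides read.
chroot_setup() {
    real_etc=$1; jail=$2; cfg=$3; tzfile=$4
    mkdir -p "$jail/etc" "$jail/dev" "$jail/var/run"
    # Copy (never hard-link) read-only files the daemon needs, e.g. localtime.
    cp "$tzfile" "$jail/etc/localtime"
    # Daemon-specific config: move it in, then point the old name at the jail.
    mv "$real_etc/$cfg" "$jail/etc/$cfg"
    ln -s "$jail/etc/$cfg" "$real_etc/$cfg"
}

# Usage: chroot_audit_hardlinks <chroot_dir>
# Lists regular files inside the chroot whose link count is above one, i.e.
# files that may share an inode with something outside the jail.
# Returns 0 when the tree is clean, 1 when any such file was found.
chroot_audit_hardlinks() {
    jail=$1
    found=$(find "$jail" -type f -links +1 -print)
    [ -z "$found" ] && return 0
    printf 'hard-linked file inside chroot: %s\n' $found
    return 1
}
```

Run the audit after every package upgrade as well, since a replaced file in /etc is exactly the case where a hard link quietly stops pointing at the live copy.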
For named, run it with the "-t /chroot" command line option. On Fedora, add ROOTDIR=/chroot to /etc/sysconfig/named.
My minimal chroot area is as follows:
dev/log                  # created by "syslogd -a /var/chroot/named/dev/log"
dev/random               # for DNSSEC use?
etc/localtime            # cp /etc/localtime .
etc/named.conf           # symlinked from /
etc/rndc.key             # symlinked from /
var/named                # symlinked from /
var/named/root.cache
var/named/slaves/BLAH
var/run/named            # symlinked from /
var/run/named/named.pid  # created by named
For ntpd, run it with the "-T /chroot" command line option. On Fedora, add OPTIONS="-T /var/chroot/ntpd" to /etc/sysconfig/ntpd.
My semi-minimal chroot area is as follows:
dev/log                  # created by "syslogd -a /var/chroot/ntpd/dev/log"
etc/localtime            # cp /etc/localtime .
etc/ntp.conf             # symlinked from /
etc/ntp                  # symlinked from /
etc/ntp/keys             # ntp-genkeys -f
etc/ntp/ntp.keys.BLAH    # ditto
etc/ntp/ntpservers       # is this needed?
etc/ntp/step-tickers     # is this needed?
var/lib/ntp/drift        # symlinked from /
var/run/ntpd.pid         # created by ntpd
For privoxy, run it with --chroot on the command line. I suggest adding it to /etc/init.d/privoxy.
My semi-minimal chroot area is as follows:
etc/privoxy              # symlinked from /
etc/localtime            # copied from /etc
lib/libresolv.so.2       # copied from /lib, needed for host name resolution
lib/libnss_dns.so.2      # copied from /lib, needed for host name resolution
var/log/privoxy          # symlinked from /