Difference between setting up chroot jail and chroot command?
-
Hi,
I just finished watching Don's chroot jail lesson and as I understand it, these jails are something we create and configure to create a chrooted environment.
What is the chroot command and how does it differ?
Thanks.
-
you will probably use this example at LEAST once in your linux life....
if you blow away your bootloader or grub install on your linux box and your install exists on /dev/sdaX, you would need to run the grub-install on the installed linux OS that you cannot access... so you would...boot into a live disk... and then
mount /dev/sdaX /mnt
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
mount --bind /proc /mnt/proc
then you need to be able to run the grub install on the not-running but mounted system...
so you would use the chroot command = chroot /mnt
making /mnt the new root directory (where your install lives)
now you can run grub-install /dev/sda; and then when you run update-grub, the command will run on your (mounted) install instead of the live system you booted up with. {again, your boot directory is under the chrooted /mnt so it is available to be written to (by the update-grub command) as the proper destination for the grub.cfg}
myself, I have always thought this was actually the same as chroot jailing, because you can't really leave the /mnt environment.. but I will let someone else that uses it more often chime in...
but that is what the chroot command does for you...
-
I knew the Wu-Tang Clan were some of the greatest musicians the world had ever seen, but I had no idea they were Linux proficient as well :)
That being said, Wu-Tang is absolutely right. The chroot command pre-dates jails by over a decade and was originally designed to manage remote shells and FTP sessions. Users would connect and be presented with their home directory as the root of the file system. The original implementations weren't terribly secure and there were a number of ways to escape out into the rest of the file system through commands that weren't bounded by the false root. The newer chroot jails are designed to be actual security tools with protections to prevent escaping the jail, even through the use of commands unaware of the jail.
So, think of it this way: Use the chroot command when you just want to alias a directory to "/" but use chroot jails when you want to securely restrict an application environment.
Let me know if there is anything else I can help with.
Don "Bring da Ruckus" Pezet
-
@WU-TANG and @Don-Pezet Sorry for the late response. That answered it perfectly--thank you!
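The recovery steps from the first reply, written as an added shell example that is not part of the thread: it mounts the installed system, bind-mounts /dev, /sys and /proc, runs grub-install and update-grub through chroot, and unmounts in reverse order. The function names and the sanity check are assumptions of this example, the device names are placeholders, and DRY_RUN=1 (the default) only prints the commands.

```bash
#!/bin/sh
# Added example, not from the thread. Device names and mount point are placeholders.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them and needs root.
DRY_RUN="${DRY_RUN:-1}"

run() {  # print the command in dry-run mode, execute it otherwise
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

target_looks_like_root() {  # $1 = mount point; sanity check before binding/chroot
    [ -x "$1/bin/sh" ] && [ -d "$1/boot" ] &&
        [ -d "$1/dev" ] && [ -d "$1/sys" ] && [ -d "$1/proc" ]
}

bind_kernel_fs() {  # $1 = mount point
    for fs in dev sys proc; do
        # grub-install inside the chroot needs the live kernel's /dev, /sys and /proc
        run mount --bind "/$fs" "$1/$fs" || return 1
    done
}

umount_target() {  # $1 = mount point; release in reverse order of mounting
    for fs in proc sys dev; do run umount "$1/$fs"; done
    run umount "$1"
}

repair_grub() {  # $1 = root partition, $2 = disk, $3 = mount point
    run mount "$1" "$3" || return 1
    if [ "$DRY_RUN" != "1" ] && ! target_looks_like_root "$3"; then
        echo "refusing: $3 does not look like an installed system" >&2
        run umount "$3"
        return 1
    fi
    # "chroot NEWROOT COMMAND" runs one command with NEWROOT as "/" and returns,
    # instead of opening an interactive shell as plain "chroot /mnt" does.
    bind_kernel_fs "$3" &&
        run chroot "$3" grub-install "$2" &&
        run chroot "$3" update-grub
    status=$?
    umount_target "$3"  # always clean up, even if a step above failed
    return "$status"
}

# Live use: DRY_RUN=0 sh repair-grub.sh /dev/sdaX /dev/sda /mnt
if [ "$#" -eq 3 ]; then repair_grub "$@"; fi
```

Run it once with the default DRY_RUN=1 to review the exact command sequence before executing it as root from the live disk.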