chrootexec

Robbert Haarman

2010-12-11


Introduction

chrootexec allows normal users to run commands in chroot jails.


Download

The following downloads are available:


Installation

Compiling and installing chrootexec is as simple as:

$ make && sudo make install

If desired, an alternate installation prefix (default is /usr/local) can be specified by setting the PREFIX environment variable:

# env PREFIX=/usr make install

See the Makefile for additional details.


Examples

Simple sanity test (assuming statically linked /bin/pwd):

$ chrootexec /bin ./pwd
/

A more useful example: setting up the muhttpd webserver to run inside a chroot jail. First, create the directory hierarchy:

$ mkdir -p fakeroot/{etc,usr/{lib,libexec,sbin},var}

Then, copy the necessary files (the exact files and locations depend on your system, of course):

$ cp /usr/lib/libc.so.* fakeroot/usr/lib/
$ cp /usr/libexec/ld.so fakeroot/usr/libexec/
$ cp /usr/local/sbin/muhttpd fakeroot/usr/sbin
$ cp -r /etc/muhttpd fakeroot/etc/
$ cp -r ~/www fakeroot/var/

Edit the configuration files to suit your needs and, finally, start the server:

$ chrootexec fakeroot /usr/sbin/muhttpd &

Security

For correct operation, chrootexec must be installed suid root. This gives it root privileges on startup, which allow it to change the root directory. As soon as this is done, it drops root privileges. The command passed to chrootexec is run as the user who invoked chrootexec.
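
The sequence described above, written out in C as an added example; this is not chrootexec's own source, and the function names enter_jail and drop_privileges are hypothetical. It assumes the binary is installed suid root, so the real uid and gid are those of the invoking user, and it checks every return value and confirms that root cannot be regained before running the command.

```c
/* Added example, not chrootexec's source: the chroot-then-drop sequence
   for a binary installed suid root. Function names are hypothetical. */
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot() in <unistd.h> */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter the jail. Needs euid 0; returns 0 on success, -1 on failure. */
int enter_jail(const char *dir)
{
    if (chroot(dir) != 0) { perror("chroot"); return -1; }
    /* chroot() does not change the working directory; without this
       chdir the process keeps a cwd outside the new root. */
    if (chdir("/") != 0) { perror("chdir"); return -1; }
    return 0;
}

/* Permanently become the invoking (real) user. Returns 0 on success. */
int drop_privileges(void)
{
    uid_t uid = getuid();   /* real IDs = the user who ran the binary */
    gid_t gid = getgid();
    /* Group before user: setgid() only resets all group IDs while
       the process is still privileged. */
    if (setgid(gid) != 0) { perror("setgid"); return -1; }
    /* With euid 0, setuid() sets real, effective and saved uid at once. */
    if (setuid(uid) != 0) { perror("setuid"); return -1; }

    /* Verify the drop is irreversible (skipped when root itself invoked us). */
    if (uid != 0 && setuid(0) == 0) {
        fputs("privileges can be regained\n", stderr);
        return -1;
    }
    if (geteuid() != uid || getegid() != gid) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s newroot command [args...]\n", argv[0]);
        return 2;
    }
    if (enter_jail(argv[1]) != 0 || drop_privileges() != 0)
        return 1;           /* never exec the command if either step failed */
    execv(argv[2], &argv[2]);   /* path is resolved inside the jail */
    perror("execv");
    return 1;
}
```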