Chroots For Security

A lot of people will tell you that Chroot is not designed for security and therefor can’t be used for security. They’ll mention how simple it is to bypass Chroots.

The thing about it is, there’s actually no way to bypass a Chroot without root (not consistently.)

There is actually nothing wrong at all with using a Chroot environment in order to secure an application. You reduce visible attack surface and isolate potentially exploitable programs. I’m not saying to rely on it but as a layer it can prove valuable.

So why the nay-sayers?

Well, for some reason people think that because Chroot can’t contain root it can’t contain anything. The simple fact is that you can combine Chroot with Apparmor to avoid all known bypasses of Chroot (you can restrict admin, chroot capability, all sorts of stuff that could be used.)

So I definitely recommend using Apparmor if you make use of Chroot… but even if you don’t Chroot is pretty great. Visible attack surface within Chroot is greatly reduced – an unrestricted user program within Chroot will give a hacker a harder time than an unrestricted user program outside of a Chroot. They do still need a privilege escalation if they want to break out, and it’s more difficult to get one of those escalation exploits when you’re limited to a Chroot that provides only what’s necessary for the program to run.

So I’m going to just come out and say that Chroots are totally fine for security if they’re used right. For restricting non-root services/ programs it’s definitely fine. If you happen to use Grsec patches to harden your Chroots you can even restrict root services/ programs and remove all known capabilities that lead to a bypass. View chroot as just another tool or layer, not a full solution.

My 2 cents on the matter.

One thought on “Chroots For Security

  1. What does your apparmor profile look like for a chroot jail?

    Also, if I just wanted to use chroot to run firefox (xnest/xhost would be strictly be running inside of the chroot, but will run on the same display as my current tty) would I just have copy my current profile over in the chroot and run apparmor inside the chroot, or would I have to edit my current profile to match the location of the chroot’d firefox and not run apparmor inside of the jail?

    Thank you,

Leave a Reply

Your email address will not be published. Required fields are marked *