Linux chroot: A Practical Guide to the chroot Command in Linux

Sometimes, you may need to isolate a process from other processes running on your system. We can do this with the chroot command in Linux.

In this tutorial, we will show you what the chroot command is and how you can use the command to create a chroot jail and trap a user or a group in an isolated environment.

Understanding the chroot Command in Linux

The chroot command is essential in Linux systems. It changes the root directory for a process and its child processes. When we create a fake root directory for a user or group, they lose access to the true root directory.

Hence, the user or group is now isolated from the rest of our system. This can have many uses, such as the following:

  • Create a test environment for software development and testing
  • Initialize reinstallation of the bootloader files on your system
  • Run software which may be deprecated
  • Enhance security using a ring-fencing mechanism

The chroot command essentially creates a virtual environment. Its function is loosely similar to a virtual machine, but it doesn't require you to devote dedicated resources to the chroot jail.

The chroot environment shares the kernel with the host system. Only the filesystem view changes, so a chroot is not a complete security boundary: a process running as root inside the jail can break out of it.

Syntax of the chroot Command

The chroot command in Linux has the following syntax.

chroot [OPTION] NEWROOT [COMMAND [ARG]...]

The only parameter necessary to run a chroot command is the path for the new root directory. If no command is given, chroot runs the user's shell inside the new root. You can also use the options available in the chroot command to achieve your desired results.

Here are the options at your disposal when you use the chroot command in Linux.

  • --userspec=USER[:GROUP] – Sets the user and, optionally, the group that the command runs as inside the new root. We can specify the user or group by name or ID
  • --groups=G_LIST – Specifies the supplementary groups to use, as G1,G2,...,Gn
  • --help – Shows you a help screen and exits
  • --version – Displays the version data and exits

Creating a chroot command jail

Now that we understand the chroot command and its syntax, it is time to use it. To show you how it’s done, we will create a chroot jail.

A chroot jail is a virtual environment created by changing the root directory of a user or group to a new directory. This new directory serves as the fake root directory for our chroot jail.

Let’s go over the steps that you need to do to use the chroot command in Linux to create a chroot jail.

1. Create a Directory

First, we will create a fake root directory at $HOME/chroot_jail using the mkdir command.

mkdir "$HOME"/chroot_jail

This will create a directory at the given path, which we will use for our chroot jail. However, before we let the chroot command do its job, we need to add the required files to our new directory.

2. Add Required Root Directories

We will start by creating the /bin, /lib and /lib64 directories in our jail directory. The command to create these directories is given below.

mkdir -p "$HOME"/chroot_jail/{bin,lib,lib64}

Note that the directories we are creating within our virtual environment are listed in braces ('{}'), which bash expands into one path per name.

Now, we will use the cd command to change into the chroot_jail directory, which will become our new root directory.

cd "$HOME"/chroot_jail

3. Move the Allowed Command Binary Files

We are making a minimalistic Linux environment for this example. Let's make the bash, ls, rm and touch commands part of our virtual environment's functionality.

Copy the binaries from our root /bin directory to our chroot_jail's /bin directory. We do so using the cp command with the -v (verbose) flag so we can see what is being copied at the given moment.

cp -v /bin/{bash,touch,ls,rm} "$HOME"/chroot_jail/bin

[Screenshot: Chroot Jail]

As you can see, the binaries which we wish to copy are listed in braces. The given binaries have now been copied to our new chroot jail directory.

4. Resolving Command Dependencies

But these binaries have dependencies on shared libraries. The dependencies for bash can be found using the ldd command.

ldd /bin/bash

[Screenshot: Chroot Jail Directory]

Now we will use the cp command to carefully copy these libraries to our chroot jail one by one. We should make sure to copy all the dependency libraries, else our chroot jail will not work properly. Replace the <List dependencies here> part with the library paths separated by commas.

cp -v {<List dependencies here>} "$HOME"/chroot_jail/lib64

We will repeat these steps for all the commands that we want to allow within the chroot jail. Find the dependency libraries and copy them to the chroot_jail directory.

5. Switching to the New Root Directory

Now, all that we have left to do is to change the root directory to the new fake root directory we just created.

To change the root directory and run bash as the shell for our virtualized environment, we use the following command. The first argument is the new root, and the second is the path of the program to run, as seen from inside the new root.

sudo chroot "$HOME"/chroot_jail /bin/bash

You may be prompted to enter your user password to continue. In that case, enter your user password and the command will be executed.

If you have followed all the steps correctly, you should expect to see an output similar to the following on your screen.

[Screenshot: Chroot Jail Execute]

As the screenshot shows, bash version 4.4 is now running as the shell for our chroot jail.

Now, our minimalistic virtual Linux environment has been created and it is ready to use. We can interact with the virtual environment using bash like a regular Linux system.

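The five steps above as one script, added here as an example (not code from the original tutorial): it copies each binary and every library ldd reports into the jail at the same absolute path, so libraries that live outside /lib64 still resolve. The function names and the --build switch are assumptions; only run ldd on binaries you trust, since its man page warns that it may execute the program.

```bash
# Added example: fill a chroot jail with binaries and the libraries ldd reports.
set -e
# Constructed sample of `ldd /bin/bash` output (addresses are made up).
sample_ldd() {
    printf '\t%s\n' \
        'linux-vdso.so.1 (0x00007ffd0a1f2000)' \
        'libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f10a0000000)' \
        'libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f109fe00000)' \
        'libgone.so.1 => not found' \
        '/lib64/ld-linux-x86-64.so.2 (0x00007f10a0200000)'
}

# Read ldd output on stdin, print the absolute library paths it names.
# Skips linux-vdso (no file on disk) and "not found" entries.
ldd_paths() {
    awk '/=> \// { print $3; next }    # "name => /path (addr)"
         $1 ~ /^\// { print $1 }       # "/path (addr)": the dynamic loader
    ' | LC_ALL=C sort -u
}

# Copy one host file into the jail at the same absolute path (-L follows symlinks).
jail_copy() {
    mkdir -p "$1$(dirname "$2")"
    cp -L "$2" "$1$2"
}

# Install each binary given after the jail path, plus its libraries.
jail_install() {
    local jail="$1" bin lib; shift
    for bin in "$@"; do
        jail_copy "$jail" "$bin"
        ldd "$bin" | ldd_paths | while read -r lib; do
            jail_copy "$jail" "$lib"
        done
    done
}

# Read ldd output on stdin, print libraries that are absent from jail $1.
jail_missing() {
    ldd_paths | while read -r lib; do
        [ -e "$1$lib" ] || printf '%s\n' "$lib"
    done
}

# Build the page's jail only when asked: bash build_jail.sh --build
if [ "${1:-}" = "--build" ]; then
    jail_install "$HOME/chroot_jail" /bin/bash /bin/ls /bin/rm /bin/touch
    ldd /bin/bash | jail_missing "$HOME/chroot_jail"
fi
```

To avoid running the jailed shell as root, add the --userspec option described above to the chroot call.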

Conclusion

The chroot command in Linux is a simple yet effective command in a Linux user's toolset. Its ability to create a virtualized environment, without the need for any monitoring software (a hypervisor) as we see with virtual machines, makes it a lightweight alternative for this use.

This tutorial aimed to help you understand what chroot is and then show you how to build a simple chroot jail. If you have any queries, feedback or suggestions, feel free to reach out to us in the comments below.

Translated from: https://www.journaldev.com/38044/chroot-command-in-linux
