How to Use Chroot in Linux and Fix Your Broken System | #linux | #linuxsecurity


Chroot is a Linux/Unix utility that can change or modify the root filesystem. With the help of the chroot command, you can easily create an isolated filesystem inside your primary filesystem. Chroot is especially helpful to make your work and home environment separated or if you want a test environment to test software in isolation.

Difference Between Chroot and Virtual Machine

At the first glance, you can think of chroot as similar to a virtual machine or a containerized system like docker. It is kind of similar but chroot is a much lighter solution than a virtual machine. The virtual machine needs a hypervisor to install and work on a separate kernel, which is different from the host machine. Unlike a virtual machine, chroot shares the same kernel and processes, but creates a jail in the filesystem. Inside the jail, it is not possible to look outside without root permission. Therefore the isolated filesystem is also called chroot jail.

Different Use Cases of Chroot

  1. Isolated build environment in CI/CD pipeline: Chroot is used to create an isolated build environment for applications in CI/CD pipeline. This helps to build your application with unique dependencies and is completely isolated from all other build environments to remove potential conflicts.
  2. Separate development and testing environment: Often, software that works on the developer machine doesn’t work on the end-user device. This is because the developer has a lot of tools and dependencies installed in his system. Normal people don’t have all those dependencies installed on their machines. So to test the software, if it will run on all devices, the developer or tester can easily make a plain vanilla environment using chroot to test their software.
  3. Reduce risk for the developer: As a developer, we often make some programs that interact with our system files without any proper sandboxing. Therefore, if we make some mistake, our software can easily wipe our important data from our device. To reduce such type of risk, the developer often uses chroot to create a new working environment and reduce their risk of losing data.
  4. A different version of the same software: Sometimes you need to install some very old or very recent version of some software or dependency for development purposes. But using such a conflicting dependency can mess up your system. This situation can be easily overcome by using chroot jail.
  5. Fix a broken system: If you have a broken system, you can easily repair it with the help of chroot. Just boot a live Linux environment in the device and mount the filesystem. Using this mount point, you can run different commands to fix your issue. We will discuss about it later in the article.
  6. Safely running an FTP server: FTP stands for file transfer protocol. Running an FTP server gives you the control to share only those files that you wanted. Therefore no remote peer can see your host file system and access them.

Creating a Chroot Environment

This is a quick guide on creating a chroot environment in your system. You can get in-depth information on the arch wiki.

  1. To make a chroot environment, create a new directory inside your home folder. Inside this folder, our isolated filesystem will be present in the future. In this tutorial, I named the folder as “mte”.
  1. Next, we will create a very minimal Linux environment. We install bash as a shell inside the chroot environment and install ls, rm, and touch to list, remove and create files respectively. Now let’s create required directories inside our “mte” directory.
cd ~/mte
mkdir bin
mkdir lib
mkdir lib64
  1. Copy the required binaries from our regular “/bin” directory to our “~/mte” chroot environment.
cp /bin/bash ~/mte/bin
cp /bin/touch ~/mte/bin
cp /bin/ls ~/mte/bin
cp /bin/rm ~/mte/bin
  1. Copying the binaries is not enough. We also have to copy their dependencies to the “mte” folder. To know the required dependencies, we use the ldd command. If you want to know the dependency of bash, then run

We get this output from the above command.

Chroot Ldd, self captured
  1. Now listing those dependencies and copying them one by one will be painstakingly slow and boring. Therefore, to automate this process, we will use a bash script. Create a file named “copydependancy.sh” and write these shell commands inside it.
#Setting the chroot directory
mte="~/mte"
 
# enter your binary name
echo -e "Please enter your binary name \n"
 
#Reading from terminal input
read binaryname
 
# Listing all the dependencies
list="$(ldd /bin/$binaryname | egrep -o '/lib.*\.[0-9]')"
 
# Looping through the dependency list
for i in $list; do cp -v --parents "$i" "${mte}"; done

Let’s understand what this script does. At first, This shell script asks for the binary name. Then it takes this binary name and finds all the dependency of that binary and saves it inside a list variable. Then it runs a for-loop which runs on every item of the list and copies the dependency from our normal “/bin” file to our “mte” chroot directory.

Save this script somewhere else and refer to it when you create a new chroot environment.

Next, change the permission of the script and run it inside our terminal.

chmod +x copydependancy.sh
  1. As all the dependencies are installed in our system, let’s activate our chroot environment. The standard chroot command looks like this.
chroot [-OPTION] [PATH FOR NEW ROOT] [PATH FOR SERVER]

But to fulfill our purpose, we run the following command to activate our chroot environment.

sudo chroot ~/mte /bin/bash

The above command activates a chroot environment in the “~/mte” directory and specifies to run a bash shell. Now you can see a change in your terminal prompt and you can now use the touch, rm, and ls commands to create, remove and list files respectively.

To exit the chroot environment, you can run the exit command to exit chroot environment.

If you want to remove the chroot environment completely, then you can simply delete the “mte” directory from your filesystem.

Fix a Broken Bootloader Using Chroot

The most fascinating thing about chroot is you can enter a broken system and run a command inside it. Therefore using chroot, you can easily install some critical update to fix a system or can reinstall the entire bootloader to fix the issue.

But for that, you should have a live Linux environment. Make a bootable USB by downloading a Linux ISO and booting from the USB. It gives you a live environment to work with. Now mount your system partition to work with chroot.

sudo mount -t ext4 /dev/sda /mnt

Here change the “/dev/sda” with your intended system partition name that you want to work with. Now let the grub bootloader find the information that it needs to fix the bootloader issue.

sudo mount --bind /dev /mnt/dev &&
sudo mount --bind /dev/pts /mnt/dev/pts &&
sudo mount --bind /proc /mnt/proc &&
sudo mount --bind /sys /mnt/sys

Now, let’s chroot into “/mnt” directory and enter the broken system.

Now install, check, and update the grub bootloader in your system. Make sure to use the proper drive name. Don’t copy-paste these command blindly.

grub-install /dev/sda
grub-install --recheck /dev/sda
update-grub

Then exit the shell using the exit command. We mentioned it earlier. Now unbind the previously bind directories and unmounted the filesystem. Run those commands one after another consecutively.

sudo umount /mnt/sys &&
sudo umount /mnt/proc &&
sudo umount /mnt/dev/pts &&
sudo umount /mnt/dev &&
sudo umount /mnt

Now reboot your PC and unplug the live USB. When the computer will boot up, your grub bootloader will shine as new and everything should work perfectly fine.

Frequently Asked Questions

Is Chroot Secure?

Chroot doesn’t imply security. It never intended to become one. For security, you can use SELinux. If you put someone inside a chroot directory, they don’t have access to the root filesystem. But it doesn’t mean that it makes your system unbreakable. Chroot doesn’t also mean less security. It just represents an equal amount of security as your main system. Nothing more, nothing less.

What are the limitations of Chroot systems?

Chroot system is not meant to protect against intentional tempering by the root user. In some systems, chrooted programs can get sufficient privilege to create their own chroot environment and break out from the chroot jail. Cheroot doesn’t mean complete isolation. You can usually do whatever you want to do in userspace. You can access hardware devices, you can mount and read anything. This is provided you don’t have to install any other program, then you need the root privilege that you don’t have.

Why Chroot is called jail?

Chroot is called a jail as it locks you inside an isolated environment. You can do whatever you want inside this jail but you can’t leave out of it without the permission of the root user. Also, you have a limited supply of utility provisioned by the root user and you can’t install anything for yourself. For all those restrictions it is called chroot jail.

Is this article useful?

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox



Original Source link

Leave a Reply

Your email address will not be published.

− 2 = one