chroot a few apps
Werner Schram
wrschram at gmail.com
Sat Jan 9 11:03:51 UTC 2010
On 01/09/2010 10:26 AM, Vadkan Jozsef wrote:
> Hi.
>
> What kind of chroot should I use, if I want to make a more secured
> desktop, running e.g.:
>
> pdf reader
> webbrowser
> audio player
> video player
> openoffice
> picture viewer
> mua
> ooo
> virtualbox
>
> e.g.: if there's a javascript vulnerability in google chrome [I haven't
> heard of a NoScript extension for it :( ] a chroot would be good for
> stopping it from doing something bad with the whole system.
>
> or e.g.: I have to open a .doc file, that I don't trust, or a PDF can
> contain malicious code :(
>
> Any tips/docs/howtos?
>

You can create chroots using the debootstrap package. For example, these
commands create a basic jaunty system in /srv/chroot/my-jaunty:

    # debootstrap has to run as root
    sudo mkdir -p /srv/chroot/my-jaunty
    sudo debootstrap jaunty /srv/chroot/my-jaunty

You can chroot into it by running:

    sudo mount --bind /dev /srv/chroot/my-jaunty/dev
    sudo chroot /srv/chroot/my-jaunty /bin/bash
    # the next two commands run inside the chroot shell
    mount -t proc proc /proc
    source /etc/profile

And then you can use apt-get to install the software you want. And you
can create a user account/password with the useradd and passwd commands.
If you type exit, you will get out of it again. For running software you
should use schroot, which allows you to enter the chroot as a normal
user (not root).

You should note that the chroot uses the same kernel and memory as your
base system itself, so the applications still have ways of directly
influencing your base system. If you want more security, you could use
uml (user mode linux) or full virtualization with qemu, virtualbox or xen.

Werner
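
Added example, not part of Werner's message: a shell check that lists which host filesystems are mounted inside the chroot (such as the /dev bind mount and proc above), since those are the parts of the base system the chrooted applications can still reach. The function name, the risk labels and the sample mount table are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example: audit what the host exposes inside a chroot by reading a
# mount table in /proc/mounts format (device, mount point, fstype, options).

# Constructed sample table (not captured from a real system). It mirrors the
# mounts created by the commands in the message above, plus a look-alike path.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
udev /dev devtmpfs rw,nosuid 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
udev /srv/chroot/my-jaunty/dev devtmpfs rw,nosuid 0 0
proc /srv/chroot/my-jaunty/proc proc rw,relatime 0 0
/dev/sda1 /srv/chroot/my-jaunty-old/home ext4 rw,relatime 0 0
EOF
}

# chroot_exposure CHROOT_DIR [MOUNT_TABLE]
# Prints "<path inside chroot> <fstype> <risk label>" for each mount below
# CHROOT_DIR. MOUNT_TABLE defaults to /proc/mounts; "-" reads standard input.
chroot_exposure() {
    root=${1%/}                     # drop a trailing slash
    table=${2:-/proc/mounts}
    awk -v root="$root" '
        # Compare against root plus "/" so that a sibling directory such as
        # my-jaunty-old is not mistaken for a path inside my-jaunty.
        index($2, root "/") == 1 {
            inside = substr($2, length(root) + 1)
            risk = "review"
            if ($3 == "devtmpfs" || inside == "/dev") risk = "host-devices"
            else if ($3 == "proc")                    risk = "host-process-info"
            else if ($3 == "sysfs")                   risk = "host-kernel-objects"
            else if ($4 ~ /(^|,)rw(,|$)/)             risk = "writable-host-fs"
            print inside, $3, risk
        }' "$table"
}

# Demo on the constructed table. On a live system run:
#   chroot_exposure /srv/chroot/my-jaunty
sample_mounts | chroot_exposure /srv/chroot/my-jaunty -
```

Anything reported under the chroot is shared with the base system; an empty result means nothing from the host is currently mounted into it.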