Running a Linux system inside a chroot environment lets a system administrator limit the impact on a production server if the server is compromised. chroot (change root) changes the root directory of the calling process and all of its children, so they run confined to a chroot jail. Testing package installations and server configurations in a chrooted environment is another handy way to use a chroot jail.
This tutorial gives the reader a step-by-step guide to installing Debian with an ssh daemon inside a chroot environment using debootstrap.
Install chroot environment
In the first step we create the directory in which the new chroot environment will reside. For convenience during the installation we also declare a temporary bash shell variable CHROOT holding the path to the chroot environment.
# mkdir -p /mnt/chroot/squeeze
# CHROOT=/mnt/chroot/squeeze
Once the chroot directory is ready we use debootstrap to install a new Debian system inside it. Change the architecture and Debian release according to your needs. The installation may take some time, as debootstrap downloads and installs the core packages from the mirror you specify. Choose the closest mirror, as this greatly reduces the installation time.
# debootstrap --arch i386 squeeze \
    $CHROOT <URL OF DEBIAN MIRROR>
At the end of the installation you should see output similar to the one below:
I: Configuring debian-archive-keyring...
I: Configuring apt...
I: Configuring libept0...
I: Configuring apt-utils...
I: Configuring aptitude...
I: Configuring tasksel-data...
I: Configuring tasksel...
I: Base system installed successfully.
Connect the host's proc and devpts filesystems to the chroot environment by mounting them inside the chroot directory. This gives processes inside the chroot access to the host kernel's process information and pseudo-terminal devices (the latter are needed for interactive ssh sessions).
# mount -t proc proc $CHROOT/proc
# mount -t devpts devpts $CHROOT/dev/pts
Now we are ready to log in to the chroot and do some basic configuration. So as not to confuse the host and the chroot environment, we first change root's PS1 variable so that the shell prompt reads "CHROOT-squeeze:~#". This step is optional but recommended. First log in to the chroot:
# chroot $CHROOT /bin/bash --login
then execute the following command to permanently change root's shell prompt, and exit:
CHROOT-squeeze:~# echo 'PS1="CHROOT-squeeze:\w# "' >> ~/.bashrc
CHROOT-squeeze:~# exit
Next time you enter chroot environment you will have a new shell prompt:
# chroot $CHROOT /bin/bash --login
From this point on, all commands that should be executed within the chroot environment are shown with the prefix CHROOT-squeeze:~#.
Next we will install and reconfigure locales.
CHROOT-squeeze:~# apt-get install locales
Now reconfigure your locales. For example, if you are from Australia, select
- en_AU ISO-8859-1
- en_AU.UTF-8 UTF-8
and choose en_AU as the default locale:
CHROOT-squeeze:~# dpkg-reconfigure locales
Install chroot ssh daemon
Now we are ready to install any service within the chroot environment. Let's start with ssh, as this will allow us to log in to the chroot over an ssh connection from the LAN or WAN:
NOTE: installation of vim is optional
CHROOT-squeeze:~# apt-get install vim ssh
Configure the chrooted ssh service to listen on a port other than 22, which is most likely already occupied by your host system.
Edit the sshd_config file:
CHROOT-squeeze:~# vi /etc/ssh/sshd_config
and change the line Port 22 to:
Port 2222
Restart a chroot sshd:
CHROOT-squeeze:~# /etc/init.d/ssh restart
Change the password of the chrooted root user:
CHROOT-squeeze:~# passwd
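Before relying on the chrooted daemon, it is worth verifying from the host that the two sshd configurations really differ in their Port and to see what root-login policy each one applies. The script below is an added example, not part of the original tutorial: it reads the effective value of a keyword from a sshd_config file the way sshd does (first uncommented occurrence wins, global options end at the first Match block) and reports a port collision. It assumes the host config at /etc/ssh/sshd_config and the chroot config at $CHROOT/etc/ssh/sshd_config with CHROOT=/mnt/chroot/squeeze as above, and that options are written as "Keyword value" (whitespace-separated, not "Keyword=value").

```shell
#!/bin/sh
# Added example (not the tutorial's code): compare the host and chrooted
# sshd_config files before restarting the chrooted daemon.

# Print the effective value of a sshd_config keyword: the first uncommented
# occurrence before any Match block wins, as in sshd's own parsing.
# If the keyword is absent, print the third argument (the caller's default).
sshd_option() {
    cfg="$1"; key="$2"; default="$3"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    val=$(awk -v k="$key" '
        tolower($1) == tolower(k) { print $2; exit }
        tolower($1) == "match"    { exit }   # global section ends here
    ' "$cfg")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Succeed (exit 0) when the two configs listen on different ports.
ports_differ() {
    host_port=$(sshd_option "$1" Port 22)
    chroot_port=$(sshd_option "$2" Port 22)
    [ "$host_port" != "$chroot_port" ]
}

# Print both daemons' Port and PermitRootLogin settings and flag a collision.
# "unset" means the keyword is absent and the sshd built-in default applies.
report() {
    host_cfg="$1"; chroot_cfg="$2"
    printf 'host   sshd: Port %s, PermitRootLogin %s\n' \
        "$(sshd_option "$host_cfg" Port 22)" \
        "$(sshd_option "$host_cfg" PermitRootLogin unset)"
    printf 'chroot sshd: Port %s, PermitRootLogin %s\n' \
        "$(sshd_option "$chroot_cfg" Port 22)" \
        "$(sshd_option "$chroot_cfg" PermitRootLogin unset)"
    if ports_differ "$host_cfg" "$chroot_cfg"; then
        echo "OK: the chrooted sshd listens on its own port"
    else
        echo "CONFLICT: both daemons use the same port; edit Port in $chroot_cfg" >&2
        return 1
    fi
}

# Run the comparison when both config paths are given on the command line:
#   sh sshd-chroot-check.sh /etc/ssh/sshd_config /mnt/chroot/squeeze/etc/ssh/sshd_config
if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

Run it on the host before restarting the chrooted sshd; a non-zero exit means the restart would fail to bind (or, worse, the two daemons would race for the same port on every boot). The PermitRootLogin column is informational: the tutorial logs in as root with a password, so the value shown for the chroot tells you exactly which login method that daemon will accept.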
Login remotely to chroot
If all went well we now should be able to login to new chroot environment using ssh:
ssh root@localhost -p 2222
Fine tune chroot
The chrooted ssh daemon will not start automatically when you boot your host operating system. Therefore, create a simple shell script to do that task, save it as /etc/init.d/chroot-squeeze and make it executable (chmod +x):
#!/bin/bash
CHROOT=/mnt/chroot/squeeze   # change to the path of your chroot
mount -t devpts devpts $CHROOT/dev/pts
mount -t proc proc $CHROOT/proc
chroot $CHROOT /etc/init.d/ssh start
and as a last step make a symbolic link to /etc/rc2.d/:
# ln -s /etc/init.d/chroot-squeeze /etc/rc2.d/S98chroot-squeeze
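The one-shot script above does its job at boot, but running it a second time stacks another proc and devpts mount on top of the first, and there is no way to stop the chrooted daemon cleanly. The following init-style script is an added example, not the tutorial's own: it consults /proc/mounts so that "start" only mounts what is missing, "stop" unmounts in reverse order, and "status" shows the state of the mounts and the daemon. It assumes CHROOT=/mnt/chroot/squeeze as in the tutorial; MOUNTS_TABLE and DRY_RUN are hypothetical knobs added for testing (DRY_RUN=1 prints the privileged commands instead of running them).

```shell
#!/bin/sh
# Added example (not the tutorial's script): idempotent start/stop/status
# for the chrooted sshd. Save as /etc/init.d/chroot-squeeze if you use it.

CHROOT=${CHROOT:-/mnt/chroot/squeeze}
MOUNTS_TABLE=${MOUNTS_TABLE:-/proc/mounts}   # assumption: overridable for tests
DRY_RUN=${DRY_RUN:-0}                        # assumption: 1 = print, do not execute

# Execute a privileged command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Succeed when the given directory appears as a mount point in the mounts table.
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "$MOUNTS_TABLE"
}

# Mount a pseudo-filesystem inside the chroot only if it is not already there.
mount_once() {
    fstype="$1"; target="$CHROOT/$2"
    if is_mounted "$target"; then
        echo "already mounted: $target"
    else
        run mount -t "$fstype" "$fstype" "$target"
    fi
}

# Unmount a path inside the chroot only if it is currently mounted.
umount_if_mounted() {
    target="$CHROOT/$1"
    if is_mounted "$target"; then run umount "$target"; fi
}

do_start() {
    [ -d "$CHROOT" ] || { echo "no such chroot directory: $CHROOT" >&2; return 1; }
    mount_once proc proc
    mount_once devpts dev/pts
    run chroot "$CHROOT" /etc/init.d/ssh start
}

# Stop the daemon first, then release the mounts in reverse order.
do_stop() {
    run chroot "$CHROOT" /etc/init.d/ssh stop
    umount_if_mounted dev/pts
    umount_if_mounted proc
}

do_status() {
    for m in proc dev/pts; do
        if is_mounted "$CHROOT/$m"; then
            echo "mounted:     $CHROOT/$m"
        else
            echo "not mounted: $CHROOT/$m"
        fi
    done
    run chroot "$CHROOT" /etc/init.d/ssh status
}

main() {
    case "$1" in
        start)   do_start ;;
        stop)    do_stop ;;
        restart) do_stop; do_start ;;
        status)  do_status ;;
        *) echo "Usage: $0 {start|stop|restart|status}" >&2; return 2 ;;
    esac
}

# Dispatch only when an action was given; sourcing the file for its
# functions takes no action.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Link it into the runlevel directory exactly as in the step above (S98chroot-squeeze for start; a matching K-link calls "stop" on shutdown). Running DRY_RUN=1 /etc/init.d/chroot-squeeze start on the host first shows which mounts and commands the script would actually perform.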
Now you should have a fully functional chroot environment. Feel free to explore and install additional services.