Previously, we looked at using the sudo command to grant and limit the administrative commands a user can run. But you may also want to limit which regular commands a user is allowed to access and use. While Linux has no simple way of doing this directly, it is possible to achieve this goal with the chroot command.
The chroot command changes the root directory used by the current session. It is commonly used to repair a system that won't boot, after starting from a recovery disk. Once run, it makes the directory passed to the command the filesystem root for the user's session. With chroot you can give a user a filesystem root that mimics the normal root directory but contains only a limited set of applications and files. The downside is that this replacement root directory takes up additional space on the filesystem, and if you want different setups for different users you'll need to create multiple versions of it. Keep in mind that chroot only confines unprivileged users: a process running as root inside the chroot can break out of it, so nothing copied into the fake root should give the user root privileges.
Creating Filesystems For Each User
If you want to set this up for your users then there's a bit of work that needs to be done to create the fake root filesystems. First, we need to create a list of the commands that we want our users to be able to use. Once we have this list, we can create a replica of the root filesystem that contains what is needed to support them. Next, we'll create the directory to store this filesystem in:
sudo mkdir /fakeroot
Within this fakeroot directory we’ll need to recreate a lot of the directory structure that we normally see on the Linux system.
cd /fakeroot
sudo mkdir bin dev etc etc/pam.d home lib lib/security lib64 var var/log usr usr/bin
For this example, I'm going to include the command bash. This will be done on an Ubuntu system, though the method, if not the paths, will be the same for any Linux system. To include more commands you'll need to repeat the following steps for each application. The first thing you need to do is find the full path to the command you want to use; this can be done with the which command:
which bash
This will give you the path to the program that will be called if you type bash. In my case, it was /bin/bash so we need to copy that to the same place in the fakeroot:
sudo cp /bin/bash /fakeroot/bin/bash
Next we need to ensure that all the libraries the bash command uses are accessible. This can be done with the ldd command:
ldd /bin/bash
The output should look something like:
linux-vdso.so.1 => (0x00007ffda3534000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f47c02e5000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f47c00e1000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f47bfd17000)
This shows the library files' full paths, so all you need to do is copy those files over to your fakeroot directory, along with the dynamic loader /lib64/ld-linux-x86-64.so.2, which ldd also lists:
sudo mkdir /fakeroot/lib/x86_64-linux-gnu
sudo cp /lib/x86_64-linux-gnu/libtinfo.so.5 /fakeroot/lib/x86_64-linux-gnu/libtinfo.so.5
sudo cp /lib/x86_64-linux-gnu/libdl.so.2 /fakeroot/lib/x86_64-linux-gnu/libdl.so.2
sudo cp /lib/x86_64-linux-gnu/libc.so.6 /fakeroot/lib/x86_64-linux-gnu/libc.so.6
sudo cp /lib64/ld-linux-x86-64.so.2 /fakeroot/lib64/ld-linux-x86-64.so.2
Bash will now run in the chroot environment, though we aren't done setting things up yet. In part two, we'll finish up the configuration needed to get the chroot environment working.
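Since the which, cp, ldd, cp steps above have to be repeated for every command you allow, the following script does them for any command name, not just bash. It is an added example, not part of the original article; the function names ldd_paths, copy_into_root and add_command and the SAMPLE_LDD variable are hypothetical, and the loader line in the sample is constructed.

```shell
#!/bin/sh
# Added example: copy a command and the libraries ldd reports into a fake root.

# Read ldd output on stdin and print one absolute library path per line.
# Handles "name => /path (addr)" and the bare "/path (addr)" form used for
# the dynamic loader; skips entries with no file on disk (linux-vdso).
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | LC_ALL=C sort -u
}

# copy_into_root ROOT FILE: copy FILE to ROOT/FILE, creating parent dirs.
# -L follows symlinks so the real library lands under the expected name.
copy_into_root() {
    root=$1 src=$2
    mkdir -p "$root$(dirname "$src")" && cp -L "$src" "$root$src"
}

# add_command ROOT CMD: the which / cp / ldd / cp steps for one command.
add_command() {
    root=$1
    bin=$(command -v "$2") || { echo "not found: $2" >&2; return 1; }
    case $bin in /*) ;; *) echo "not a file on disk: $2" >&2; return 1 ;; esac
    copy_into_root "$root" "$bin" || return 1
    ldd "$bin" | ldd_paths | while read -r lib; do
        copy_into_root "$root" "$lib" || exit 1
    done
}

# Constructed sample: the ldd output from the article plus a loader line.
SAMPLE_LDD='  linux-vdso.so.1 => (0x00007ffda3534000)
  libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f47c02e5000)
  libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f47c00e1000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f47bfd17000)
  /lib64/ld-linux-x86-64.so.2 (0x00007f47c050e000)'

# Usage: run as root with the fake root and command names as arguments.
if [ "$#" -ge 2 ]; then
    root=$1; shift
    for cmd in "$@"; do add_command "$root" "$cmd" || exit 1; done
fi
```

Run it as root with the fake root first and the command names after it, for example /fakeroot bash ls. Shell builtins such as cd have no file on disk and are rejected instead of being silently skipped.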