chroot jail with FUSE/funionfs
Most scripts that set up chroot jails copy a lot of files into the jail itself. This used to be necessary, but with FUSE, we can actually do better. Here is a simple shell script that uses FUSE (in the form of funionfs) to set up a chroot jail:
#!/bin/sh -x
mkdir jail || exit 1

# Overlay each system directory read-only, with a writable layer in jail/.<dir>
for dir in usr etc bin lib lib64; do
    test -d "/$dir" || continue
    mkdir "jail/$dir"
    mkdir "jail/.$dir"
    funionfs -o "dirs=/$dir=RO:jail/.$dir" -o allow_other NONE "jail/$dir"
done

# jail/etc normally exists already as a mount point, hence -p
mkdir -p jail/etc
cp /etc/passwd jail/etc
mkdir jail/tmp
chmod 777 jail/tmp
mkdir jail/home
chmod 777 jail/home

echo === entering jail ===
chroot jail su www-data
echo === leaving jail ===

# Unmount the union mounts, then remove the jail
for dir in jail/*; do
    fusermount -u "$dir"
done
rm -rf jail
Of course, this is just a demonstrator. To flesh out this idea, it would probably be best to write a new FUSE file system that could take care of importing all the necessary directories in one step, as well as providing features like disk quotas for the jailed application.
Keep in mind that a chroot jail does not prevent network connections, so you probably don’t want to use this for sandboxing untrusted applications.
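The cleanup at the end of the script runs rm -rf jail even when a fusermount -u call failed, so rm would descend into any union that is still mounted. The following teardown is an added example, not part of the original post: it unmounts only real mount points below the jail and deletes the directory only once the mount table shows none left. The function names and the optional mounts-file argument are assumptions of this example, and paths containing whitespace (which /proc/mounts escapes) are not handled.

```shell
#!/bin/sh
# Added example: safe teardown for the funionfs jail built by the script above.

# jail_mounts JAILDIR [MOUNTS_FILE]
# Print every mount point strictly below JAILDIR, deepest first.
# MOUNTS_FILE is in /proc/mounts format and defaults to /proc/mounts.
jail_mounts() {
    jail=$(cd "$1" && pwd -P) || return 1
    # Compare against "JAILDIR/" so a sibling such as "jail-other" never matches.
    awk -v root="$jail/" 'index($2, root) == 1 { print $2 }' \
        "${2:-/proc/mounts}" | LC_ALL=C sort -r
}

# teardown_jail JAILDIR [MOUNTS_FILE]
# Unmount what is mounted, then remove JAILDIR only if nothing is left attached.
teardown_jail() {
    mounts_file=${2:-/proc/mounts}

    jail_mounts "$1" "$mounts_file" | while IFS= read -r mp; do
        fusermount -u "$mp" || echo "cannot unmount $mp" >&2
    done

    # Re-read the mount table instead of trusting the exit codes above.
    if [ -n "$(jail_mounts "$1" "$mounts_file")" ]; then
        echo "mounts remain under $1; not deleting it" >&2
        return 1
    fi
    rm -rf -- "$1"
}

# Usage, in place of the final loop and rm -rf of the script:
#   teardown_jail jail
```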