I've Debian Squeeze running and setup a chroot environment (/jail) with debootstrap.
As seen in a tutorial, I mounted the following:
proc on /jail/proc type proc (rw)
devpts on /jail/dev/pts type devpts (rw)
Within the jail, i've running an additional sshd on a different port as the "parent" system.
So far, all is working fine and as expected.
But I just noticed, that i am able to change the host IP address from within the jail. Is this a normal behaviour? I tought, that the chrooted environment cannot change things on the "real" system? But after changing ip address and running
/etc/init.d/networking restart
the system was only reachable via the new ip address.
Please can someone explain, why this behaves like it does? Is there a way to prevent this? So that everything within the jail, "stays in the jail"
Thank you very much in advance.
Casper
chroots ONLY change the visible root of the filesystem for child-processes of the chroot-ing command. Everything else - sending signals, manipulating the kernel, etc- is unaffected. It quite simple to leave the chroot again, if it is the only security you have in place.
Take a look at LXC, Linux-VServer or OpenVZ for proper containers in Linux, that do protect from more than accidental directory traversals.