I created /opt/chroot, create bin lib and other directories in it, copied libraries, bash and perl binaries in proper places. Also I placed my script into /opt/chroot/bin/.
Now I can run the script such a way:
# chroot /opt/chroot script.pl
There are two things that I am concerned about:
- Script gains root rights.
- There is a perl interpreter inside the chrooted environment.
How can I avoid these security holes?
Chroot's on linux are not for security, if you have root, or mount abilites inside a chroot it's easy to break out.
You should obviously drop root using su or similar, as long as the script doesn't have permissions to modify the interpreter files there shouldn't be a problem.
To do this you need to add a larger hunk of code in a copy of su, and the core bits of PAM.
Something like jailkit might be an easier way to manage this:
http://olivier.sessink.nl/jailkit/index.html
Why don't you chroot inside of your perl script? In that way you don't need all the extra stuff inside of your chroot jail.
Just add chroot() http://perldoc.perl.org/functions/chroot.html at someplace in your script, followed by chdir("/").
After that, drop your privileges and you are set.