Jailed Internet Services
Liam Widdowson
Many security analysts recommend that a physical server run a
single service only. This segmentation of services provides an extra
layer of protection in the event of an attack. If, for example,
a cracker compromises a server through a buffer overflow in Sendmail,
the cracker would not be able to alter Web server content because
it would be stored on a separate server that would not be vulnerable
to the Sendmail hole.
However, it may be impractical from a systems management or financial
point of view to place each distinct service on a separate physical
machine. In this situation, systems administrators could still enjoy
the benefits of separate hosts by running each service in a virtual
machine. Virtual machine software (such as VMWare [1] and Bochs
[2]) allows administrators to run separate instances of operating
systems simultaneously on a single host. However, this still leaves
a systems management problem -- extra operating systems to maintain,
increased system complexity, as well as performance degradation
due to virtual machine overhead.
Fortunately, UNIX variants possess the chroot(2) system
call. This system call causes a particular directory to become the
root directory of the calling process. This allows the process to
be locked into a virtual root directory, commonly referred to as
a "jail" somewhere along the directory tree. For example, an application
that executes the following C code (error checking omitted) will
have its root directory set to /var/chroot and will open
the file /tmp/test.t
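As an added illustration (my own code, not the article's listing), the following program enters the /var/chroot jail and opens /tmp/test.t as the text describes, but with the error checking the article omits and the chdir(2) that must follow chroot(2) so the working directory does not remain outside the jail. The helper jail_path is my own name; it maps a path as seen inside the jail to where the file really lives on the host.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Map a path as seen inside the jail to the host path where it really lives.
 * Returns the length of the host path, or -1 if the buffer is too small. */
int jail_path(const char *jail, const char *inside, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s", jail, inside);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Enter the jail: chroot(2) then chdir(2) to the new root.  Without the
 * chdir the process's working directory still refers to a directory outside
 * the jail.  Returns 0 on success, -1 (with errno set) on failure; chroot
 * requires root privileges, so an unprivileged caller gets EPERM. */
int enter_jail(const char *jail)
{
    if (chroot(jail) == -1)
        return -1;
    if (chdir("/") == -1)
        return -1;
    return 0;
}

int main(void)
{
    char host[256];
    /* Inside the jail, /tmp/test.t resolves to /var/chroot/tmp/test.t. */
    jail_path("/var/chroot", "/tmp/test.t", host, sizeof host);
    printf("/tmp/test.t inside the jail is %s on the host\n", host);

    if (enter_jail("/var/chroot") == -1) {
        fprintf(stderr, "enter_jail: %s\n", strerror(errno));
        return 1;
    }
    int fd = open("/tmp/test.t", O_RDONLY);   /* opens /var/chroot/tmp/test.t */
    if (fd == -1) {
        fprintf(stderr, "open: %s\n", strerror(errno));
        return 1;
    }
    close(fd);
    return 0;
}
```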