chroot users

Discussion in 'General' started by Poliman, Jul 17, 2017.

  1. Poliman

    Poliman Member

    I would like to know whether processes etc. created by chrooted users are limited to the chrooted account, or whether they impact the whole server.
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    chroot simply changes the root directory which processes see. Processes created by chrooted users run within the chroot environment - i.e. their root directory will be inherited. Whether they "impact" the server depends on what you mean by "impact" - they do take up memory, CPU time, I/O, they can use disk space, etc. They simply don't see/can't access files outside their root directory (short of bugs/vulnerabilities or intentionally making it so that they could, e.g. a hardlink to a file normally outside the chroot).
     
  3. Poliman

    Poliman Member

    I mean more like this: User1 has some application which runs. Will User2 see the processes of this application? I am thinking about a situation where some user has an application which i.e. gets malicious code, a virus etc. and it eats more and more resources. If root kills that application, does it impact other users? Can applications of a particular user be "chrooted"?
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    Not if the chroot environment is created with a typical jailkit setup, as access to process info is done via the /proc filesystem, and normally that is not available inside your chroot.

    Chroot doesn't limit 'resources', eg. memory use, cpu time, disk space, etc., so yes, the processes running under one chroot can/will definitely impact processes running under a different chroot. If you need resource isolation you need to look at a virtualization technology - containers sound like just what you're wanting.

    Yes. And continuing from the paragraph above, you might also look at docker containers if you have an "isolate each application" preference/mindset.
     
    Poliman likes this.
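
The two conditions mentioned in the replies above (no /proc inside the jail, no hardlink to a file outside it) can be checked on an existing jail. This is an added example, not part of the original thread or of jailkit; the function names, the sample mount table and the jail paths are constructed for illustration.

```python
import os
import stat
import tempfile

PSEUDO_FS = {"proc", "sysfs", "devpts", "devtmpfs"}

# Constructed sample in /proc/mounts format; the jail paths are hypothetical.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda1 / ext4 rw,relatime 0 0
proc /srv/jail/user1/proc proc rw,relatime 0 0
proc /srv/jail/user10/proc proc rw,relatime 0 0
"""

def exposed_mounts(jail, mounts_text):
    """Return (mountpoint, fstype) for pseudo filesystems mounted at or below jail."""
    jail = os.path.normpath(jail)
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2] not in PSEUDO_FS:
            continue
        mountpoint = fields[1].replace("\\040", " ")  # spaces are escaped as \040
        # Compare whole path components so /srv/jail/user10 does not match user1.
        if mountpoint == jail or mountpoint.startswith(jail + os.sep):
            hits.append((mountpoint, fields[2]))
    return hits

def outside_hardlinks(jail):
    """Return regular files in jail whose inode has more names than exist inside jail."""
    seen = {}  # (device, inode) -> (link count, [paths found inside the jail])
    for root, _dirs, files in os.walk(jail):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                seen.setdefault((st.st_dev, st.st_ino), (st.st_nlink, []))[1].append(path)
    return sorted(p for nlink, paths in seen.values() if nlink > len(paths) for p in paths)

def demo():
    """Build a constructed jail with one hardlink leaving it and one staying inside."""
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.join(tmp, "jail")
        os.makedirs(os.path.join(jail, "bin"))
        open(os.path.join(tmp, "outside.conf"), "w").close()
        os.link(os.path.join(tmp, "outside.conf"), os.path.join(jail, "bin", "leak"))
        open(os.path.join(jail, "bin", "a"), "w").close()
        os.link(os.path.join(jail, "bin", "a"), os.path.join(jail, "bin", "b"))
        return [os.path.relpath(p, jail) for p in outside_hardlinks(jail)]
```

A flagged file is only a candidate for review: the link count shows that another name for the inode exists outside the jail tree, not where it is or whether it was placed there deliberately.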
  5. Poliman

    Poliman Member

    Perfect answer. I will find out what I can do.
     
