http://yarchive.net/comp/linux/chroot.html
http://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells
In other words, don't rely on chroot for security -- it's not meant to be a security tool. I personally use it to browse at work without leaving too obvious a trail (nothing shady -- part of my job is to apply for permanent jobs, but it is not necessarily in the interest of my current employer to see me succeed. Academia is a weird place.)
Original post:
There are many reasons why you'd want to secure your browser -- ranging from paranoia to justifiable cautiousness (you're probably visiting the wrong kind of sites...).
A chroot environment doesn't make you anonymous -- it just helps sandbox your applications. To protect your anonymity you'll want to prevent your browser from setting cookies, and use a proxy via an ssh tunnel to encrypt your traffic and hide your true IP address. There's no silver bullet for these things.
I've chroot:d things in the past when compiling 32 bit applications on 64 bit machines, but for this guide I'm leaning heavily on this post: https://help.ubuntu.com/community/BasicChroot
sudo apt-get install coreutils debootstrap
Time to get rocking. Be aware that you should have a bit of free space on your target drive.
sudo debootstrap --arch amd64 wheezy /media/chroot/ http://ftp.au.debian.org/debian/
which gets stuff underway:
I: Retrieving InRelease
I: Checking Release signature
I: Valid Release signature (key id 9FED2BCBDCD29CDF762678CBAED4B06F473041FA)
I: Retrieving Packages
I: Validating Packages
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Checking component main on http://ftp.au.debian.org/debian...
I: Retrieving libacl1
I: Validating libacl1
I: Retrieving apt
[..]
I: Configuring dpkg-dev...
I: Configuring build-essential...
I: Base system installed successfully.
So far, so good.
Create a shell script, e.g. chroot.sh, with the following in it:
xhost +
sudo mount -o bind /proc /media/chroot/proc
sudo cp /etc/resolv.conf /media/chroot/etc/resolv.conf
sudo chroot /media/chroot
Run it every time you want to enter your chroot environment:
sh chroot.sh
In the chroot shell, do
apt-get install locales sudo vim
echo 'export LC_ALL="C"'>>/etc/bash.bashrc
echo 'export LANG="C"'>>/etc/bash.bashrc
echo 'DISPLAY=:0.0' >> /etc/bash.bashrc
source /etc/bash.bashrc
adduser sandbox
usermod -g sudo sandbox
echo 'Defaults !tty_tickets' >> /etc/sudoers
apt-get install iceweasel
su sandbox
cd ~
Launch iceweasel/firefox:
sandbox@beryllium:/$ firefox
And you're pretty much done.
Next time you want to launch a sandboxed version of firefox just do:
me@beryllium:~$ sh chroot.sh
access control disabled, clients can connect from any host
root@beryllium:/# su sandbox
sandbox@beryllium:/$ firefox
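The steps above leave three settings in place that weaken the sandbox: the sandbox user's primary group is sudo, sudoers has tty_tickets disabled, and the host's /proc is bind-mounted into the chroot. The following audit, run from the host, is an added example and not part of the original post; the function name audit_chroot, the FINDING labels and the optional mounts-file argument are assumptions of this sketch, and ROOT must be an absolute path.

```shell
#!/bin/sh
# Added example (not from the original post): audit a chroot built with the
# steps above. Function name, arguments and FINDING labels are assumptions.

# audit_chroot ROOT [MOUNTS_FILE]
# Prints one "FINDING: ..." line per weak setting and nothing if none is found.
audit_chroot() {
    root=${1%/}
    mounts=${2:-/proc/mounts}

    # 1. 'Defaults !tty_tickets' turns off per-terminal sudo authentication,
    #    so one successful sudo is honoured from every terminal of that user.
    if grep -Eqs '^[[:space:]]*Defaults[[:space:]]+!tty_tickets' "$root/etc/sudoers"; then
        echo "FINDING: sudoers disables tty_tickets"
    fi

    # 2. 'usermod -g sudo' makes sudo the account's primary group. Debian's
    #    default sudoers grants %sudo full root, and chroot does not confine root.
    sudo_gid=$(awk -F: '$1 == "sudo" { print $3 }' "$root/etc/group" 2>/dev/null) || sudo_gid=""
    if [ -n "$sudo_gid" ]; then
        awk -F: -v gid="$sudo_gid" \
            '$4 == gid { print "FINDING: account " $1 " has primary group sudo" }' \
            "$root/etc/passwd" 2>/dev/null || true
    fi

    # 3. A mount at ROOT/proc exposes the host's process table inside the chroot.
    if awk -v mp="$root/proc" '$2 == mp { found = 1 } END { exit !found }' \
        "$mounts" 2>/dev/null; then
        echo "FINDING: proc is mounted at $root/proc"
    fi
}
```

Run it as `audit_chroot /media/chroot` after `sh chroot.sh` has mounted /proc; each printed line names a setting to revisit before treating the chroot as a sandbox.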