As of version 1.7.0, yule is able to chroot itself after startup and initialization, either by using the command line option
bash$
yule --chroot=
/chrootdir
or by requesting it in the configuration file:
[Misc]
SetChrootDir=path
In order to prepare for the chroot jail, the following is required:
Tip | |
---|---|
In the
|
Compile normally. Make sure you use either
dev/random
(default if existing) or EGD (Entropy Gathering Daemon) for the entropy device. Ifdev/random
does not exist, the default is the 'standard unix entropy gatherer', which uses the output of many system commands, and therefore is not suitable within a chroot jail.Install with the command(s):
bash$
make DESTDIR=
/chrootdir
installbash$
make DESTDIR=
/chrootdir
install-userbash$
make install-boot
Fix the path to the yule binary in the runlevel start/stop script installed by the last command.
Prepare the chroot environment. Basically, you need under
/chrootdir
(a) an entropy device, either
dev/random
,dev/urandom
, or an EGD (Entropy Gathering Daemon) socket,(b) minimum
etc/passwd
,etc/group
files, at least with entries for root and the unprivileged yule user. Replace passwords with an asterix, and make sure the homedirectory of the unprivileged yule user is correct within the chroot jail.(c) files required for DNS:
etc/nsswitch.conf
,etc/hosts
,etc/host.conf
,etc/resolv.conf
,etc/services
,etc/protocols
.Create a symlink
/etc/yulerc
to/chrootdir/etc/yulerc
(no, it will not work the other way round).
Because yule chroots after startup, there is no need to copy shared libraries into the chroot jail. They will be loaded upon startup, before the chroot() occurs.
Tip | |
---|---|
If you are using syslog logging, you need a
|
Tip | |
---|---|
If you are using a GnuPG- or signify-signed configuration, you will need a working copy of gpg or signify, respectively, in the chroot jail. |