As of version 1.7.0, yule is able to chroot itself after startup and initialization, either by using the command line option or by requesting it in the configuration file.
In order to prepare for the chroot jail, the following is required:

1. Compile normally. Make sure you use either /dev/random (if existing) or EGD (Entropy Gathering Daemon) for the entropy device. If /dev/random does not exist, the default is the 'standard unix entropy gatherer', which uses the output of many system commands, and therefore is not suitable within a chroot jail.
2. Install with the command(s):

3. Fix the path to the yule binary in the runlevel start/stop script installed by the last command.
4. Prepare the chroot environment. Basically, you need:
   (a) an entropy device, either /dev/random, /dev/urandom, or an EGD (Entropy Gathering Daemon) socket,
   (b) /etc/passwd and /etc/group files, at least with entries for root and the unprivileged yule user. Replace passwords with an asterisk, and make sure the home directory of the unprivileged yule user is correct within the chroot jail.
   (c) files required for DNS:
   (d) Create a symlink to /chrootdir/etc/yulerc (no, it will not work the other way round).
Because yule chroots after startup, there is no need to copy shared libraries into the chroot jail. They will be loaded upon startup, before the chroot() occurs.
If you are using syslog logging, you need a
If you are using a GnuPG- or signify-signed configuration, you will need a working copy of gpg or signify, respectively, in the chroot jail.