9. Chroot

As of version 1.7.0, yule is able to chroot itself after startup and initialization, either by using the command line option

        bash$ yule --chroot=/chrootdir
      

or by requesting it in the configuration file:

	[Misc] 
	SetChrootDir=path 
      

In order to prepare for the chroot jail, the following is required:

Tip

In the scripts subdirectory of the source directory there is a script chroot.sh to perform steps (4) and (5) (only for Linux).

  1. Compile normally. Make sure you use either dev/random (the default if it exists) or EGD (Entropy Gathering Daemon) as the entropy device. If dev/random does not exist, the default is the 'standard unix entropy gatherer', which uses the output of many system commands and is therefore not suitable within a chroot jail.

  2. Install with the command(s):

                  bash$ make DESTDIR=/chrootdir install
                  bash$ make DESTDIR=/chrootdir install-user
                  bash$ make install-boot
                
  3. Fix the path to the yule binary in the runlevel start/stop script installed by the last command.

  4. Prepare the chroot environment. Basically, you need the following under /chrootdir:

    (a) an entropy device, either dev/random, dev/urandom, or an EGD (Entropy Gathering Daemon) socket,

    (b) minimal etc/passwd and etc/group files, with entries at least for root and the unprivileged yule user. Replace passwords with an asterisk, and make sure the home directory of the unprivileged yule user is correct within the chroot jail.

    (c) files required for DNS: etc/nsswitch.conf, etc/hosts, etc/host.conf, etc/resolv.conf, etc/services, etc/protocols.

  5. Create a symlink /etc/yulerc to /chrootdir/etc/yulerc (no, it will not work the other way round).

Because yule chroots after startup, there is no need to copy shared libraries into the chroot jail. They will be loaded upon startup, before the chroot() occurs.
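
The requirements in steps (4) and (5) above can be verified before yule is started. The following script is an added example, not part of the yule distribution and not the chroot.sh script mentioned in the tip; the function names, the user-name argument and the optional EGD socket path are assumptions, and the group check is interpreted as "the primary gid of each user has an entry in etc/group".

```shell
#!/bin/sh
# Added example: audit a jail prepared per steps 4 and 5 before starting yule.
# Function names, the user-name argument and the EGD socket argument are
# assumptions of this example, not part of the yule distribution.

check_entropy() {   # 4(a)  usage: check_entropy JAIL [EGD_SOCKET_RELATIVE_TO_JAIL]
    for d in random urandom; do
        # must be a real character device, not a symlink pointing outside the jail
        [ -c "$1/dev/$d" ] && [ ! -L "$1/dev/$d" ] && return 0
    done
    [ -n "${2:-}" ] && [ -S "$1/$2" ]
}

check_accounts() {  # 4(b)  usage: check_accounts JAIL YULE_USER
    for u in root "$2"; do
        # the user must exist with "*" as password field; remember its gid
        gid=$(awk -F: -v u="$u" '$1==u && $2=="*" {print $4}' "$1/etc/passwd" 2>/dev/null)
        [ -n "$gid" ] || return 1
        # etc/group must carry an entry for that gid
        awk -F: -v g="$gid" '$3==g {ok=1} END {exit !ok}' "$1/etc/group" 2>/dev/null || return 1
    done
    # the yule user's home directory must exist under the jail
    home=$(awk -F: -v u="$2" '$1==u {print $6}' "$1/etc/passwd")
    [ -n "$home" ] && [ -d "$1$home" ]
}

check_dns_files() { # 4(c)  usage: check_dns_files JAIL
    missing=0
    for f in nsswitch.conf hosts host.conf resolv.conf services protocols; do
        [ -f "$1/etc/$f" ] || { echo "missing: etc/$f" >&2; missing=1; }
    done
    [ "$missing" -eq 0 ]
}

check_symlink() {   # 5  usage: check_symlink JAIL [LINK]  (LINK defaults to /etc/yulerc)
    link=${2:-/etc/yulerc}
    [ -L "$link" ] && [ "$(readlink "$link")" = "$1/etc/yulerc" ]
}

audit_jail() {      # usage: audit_jail JAIL YULE_USER [EGD_SOCKET] [LINK]
    rc=0
    check_entropy "$1" "${3:-}" || { echo "FAIL 4(a): no entropy device" >&2; rc=1; }
    check_accounts "$1" "$2"    || { echo "FAIL 4(b): etc/passwd or etc/group" >&2; rc=1; }
    check_dns_files "$1"        || { echo "FAIL 4(c): DNS files" >&2; rc=1; }
    check_symlink "$1" "${4:-}" || { echo "FAIL 5: /etc/yulerc symlink" >&2; rc=1; }
    return "$rc"
}

if [ "$#" -ge 2 ]; then audit_jail "$@"; fi
```

Run it as root with the jail directory and the name of the unprivileged yule user as arguments; a non-zero exit status means at least one requirement is not met.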

Tip

If you are using syslog logging, you need a dev/log socket in the chroot jail. Modern syslog incarnations will allow you to have an additional socket using the command:

          bash$ syslogd -a /chrootdir/dev/log
        
Tip

If you are using a GnuPG- or signify-signed configuration, you will need a working copy of gpg or signify, respectively, in the chroot jail.