As of version 1.7.0, yule is able to chroot itself after startup and initialization, either by using the command line option
bash$ yule --chroot=/chrootdir
or by requesting it in the configuration file:
[Misc]
SetChrootDir=path
In order to prepare for the chroot jail, the following is required:
![[Tip]](stylesheet-images/tip.png) | Tip |
|---|---|
In the
|
Compile normally. Make sure you use either
dev/random(default if existing) or EGD (Entropy Gathering Daemon) for the entropy device. Ifdev/randomdoes not exist, the default is the 'standard unix entropy gatherer', which uses the output of many system commands, and therefore is not suitable within a chroot jail.Install with the command(s):
bash$make DESTDIR=/chrootdirinstallbash$make DESTDIR=/chrootdirinstall-userbash$make install-bootFix the path to the yule binary in the runlevel start/stop script installed by the last command.
Prepare the chroot environment. Basically, you need under
/chrootdir(a) an entropy device, either
dev/random,dev/urandom, or an EGD (Entropy Gathering Daemon) socket,(b) minimum
etc/passwd,etc/groupfiles, at least with entries for root and the unprivileged yule user. Replace passwords with an asterix, and make sure the homedirectory of the unprivileged yule user is correct within the chroot jail.(c) files required for DNS:
etc/nsswitch.conf,etc/hosts,etc/host.conf,etc/resolv.conf,etc/services,etc/protocols.Create a symlink
/etc/yulercto/chrootdir/etc/yulerc(no, it will not work the other way round).
Because yule chroots after startup, there is no need to copy shared libraries into the chroot jail. They will be loaded upon startup, before the chroot() occurs.
| Tip |
|---|---|
If you are using syslog logging, you need a
|
| Tip |
|---|---|
If you are using a GnuPG- or signify-signed configuration, you will need a working copy of gpg or signify, respectively, in the chroot jail. |