You are not logged in.
- Topics: Active | Unanswered
#1 2012-03-13 18:14:49
- TheHebes
- Member
- From: New England
- Registered: 2011-07-07
- Posts: 138
Chroot for individual users
The security advantages to providing each user with a subfilesystem in their home directory that is automatically chrooted'd into at login seems pretty good. Also, it would help prevent "junk" (stuff resulting from installations/ uninstallations, normal system operation, etc.) from building up in important system directories (most importantly, /etc). Are there any shortcomings to such a model?
Laptops:
MSI GS60 Ghost
Asus Zenbook Pro UX501VW
Lenovo Thinkpad X120e
Offline
#2 2012-03-13 18:34:22
- karol
- Archivist
- Registered: 2009-05-06
- Posts: 25,440
Re: Chroot for individual users
It will probably waste some space + http://en.wikipedia.org/wiki/Chroot#Gra … _on_chroot
Offline
#3 2012-03-14 02:26:30
- TheHebes
- Member
- From: New England
- Registered: 2011-07-07
- Posts: 138
Re: Chroot for individual users
Well, yes, naturally, it IS after all a separate filesystem 
But my real question is if it will cause any other detrimental effects, such as perhaps decreased performance, permissions errors, whatever?
Laptops:
MSI GS60 Ghost
Asus Zenbook Pro UX501VW
Lenovo Thinkpad X120e
Offline
#4 2012-03-22 16:52:36
- rwd
- Member
- Registered: 2009-02-08
- Posts: 664
Re: Chroot for individual users
Chroot isn't really a security feature, if you want to use it that way. Separate virtual machines seems like a more straightforward way to isolate users, or just letting them install software in their ~/bin .
Offline
#5 2012-03-22 17:33:58
- hadrons123
- Member
- From: chennai
- Registered: 2011-10-07
- Posts: 1,249
Re: Chroot for individual users
When using separate virtual machines, the user shall still have access to the other applications in the host, which itself doesn't mean good security , right?
LENOVO Y 580 IVYBRIDGE 660M NVIDIA
Unix is user-friendly. It just isn't promiscuous about which users it's friendly with. - Steven King
Offline
#6 2012-03-23 00:20:47
- cfr
- Member
- From: Cymru
- Registered: 2011-11-27
- Posts: 7,144
Re: Chroot for individual users
The user has access to other applications in the sense of being able to run them, you mean? But not in the sense that they can alter those applications or write to /etc, for example, right? Not unless you give them permissions...
If each user has a separate filesystem, do you then rely on each user to keep it up to date? Or do you then need some system to enforce that, as well as updating the main install? And each user will have to build any packages desired from AUR and keep those up to date, as well. And the applications run by users will all be installed as owned by them with their privileges, right? Seems like that would make it easier for an imposter to be installed masquerading as, say, ls. And then it depends on how far the chroot can be relied on...
Just trying to think it through... It sounds very complicated and I always think complicated is dangerous because it is that much harder for a human being to see the obvious...
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
#7 2012-03-25 20:14:42
- anrxc
- Member
- From: Croatia
- Registered: 2008-03-22
- Posts: 834
- Website
Re: Chroot for individual users
> The security advantages to providing each user with a subfilesystem in their
> home directory that is automatically chrooted'd into at login seems pretty good.
Not really they can be breaken out of, look into LXC containers for a more advanced solution building
on top of old chroot solutions http://lxc.sourceforge.net
You need to install an RTFM interface.
Offline