Richard Bucker


Posted at — May 19, 2020

chroot is helpful in that you can sandbox the execution path, so that if someone manages to escape your app, the amount of data they can discover is limited. For example, if you have a config file with a URI, username and password stored in it… if they manage to get access to the chroot they may still be unable to open the file without the right tools… so, for example, do not put the cat binary in the chroot.

If you’re exposing a web-like service… you won’t be able to share ports across more than one service. For example, if this is a simple static page then you need to deploy a different port per application and then add some sort of proxy like haproxy which multiplexes ports 80 and 443 to the individual services. That also means that the individual services should be bound to localhost, leaving the proxy to bridge external to internal.
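As an added example (not code from the original post), the shell below puts the two ideas above into practice: building a chroot tree for one service from only the binaries it needs, auditing that tree for convenience tools like cat that should not be inside, and generating the haproxy front end that multiplexes ports 80 and 443 to per-service backends bound to 127.0.0.1. The chroot path /srv/jail/static, the service names static and api, the ports 8080/8081 and the example.com hostnames are all made-up values.

```shell
#!/bin/sh
# Added example, not from the original post. All paths, names and ports are assumptions.
set -u

# Tools that let an intruder read config files or pivot from inside the chroot.
# Keep them out of the jail: no cat, no shell, no pagers, no editors, no network clients.
FORBIDDEN_TOOLS="cat sh bash less more vi nc curl wget"

# populate_chroot ROOT BINARY...: copy each binary plus the shared libraries
# that ldd reports into ROOT. Needs ldd and root on a real host; not exercised offline.
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        mkdir -p "$root$(dirname "$bin")"
        cp "$bin" "$root$bin"
        # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x..)" or "/lib64/ld-linux.so (0x..)"
        ldd "$bin" 2>/dev/null | awk '/=>/ {print $3} /^[ \t]*\// {print $1}' | while read -r lib; do
            [ -n "$lib" ] && [ ! -e "$root$lib" ] || continue
            mkdir -p "$root$(dirname "$lib")"
            cp "$lib" "$root$lib"
        done
    done
}

# audit_chroot ROOT: print every forbidden tool found under ROOT; return 1 if any exist.
# Run this before deploying a jail, and again after any package update inside it.
audit_chroot() {
    root=$1
    found=0
    for tool in $FORBIDDEN_TOOLS; do
        for dir in bin sbin usr/bin usr/sbin usr/local/bin; do
            if [ -e "$root/$dir/$tool" ]; then
                echo "forbidden tool in chroot: $dir/$tool"
                found=1
            fi
        done
    done
    return $found
}

# haproxy_cfg NAME:PORT...: emit a front end on 80/443 that routes by Host header to a
# backend per service. Each backend points at localhost only, so the service itself is
# never reachable from outside; only the proxy is. Hostnames are assumed as NAME.example.com.
haproxy_cfg() {
    printf 'frontend public\n    bind *:80\n    bind *:443 ssl crt /etc/haproxy/certs/\n'
    for svc in "$@"; do
        name=${svc%%:*}
        printf '    use_backend %s if { req.hdr(host) -i %s.example.com }\n' "$name" "$name"
    done
    for svc in "$@"; do
        name=${svc%%:*}; port=${svc##*:}
        printf '\nbackend %s\n    server %s1 127.0.0.1:%s check\n' "$name" "$name" "$port"
    done
}

# Demo entry point (assumed layout): audit the jail, then print the proxy config.
if [ "${1:-}" = "demo" ]; then
    audit_chroot /srv/jail/static || echo "fix the jail before deploying it"
    haproxy_cfg static:8080 api:8081
fi
```

Run with `sh script.sh demo`. The audit deliberately checks only the usual bin directories; a hardened jail should contain the service binary, its libraries and nothing else, so anything the audit does not know about is still worth a manual `find ROOT -type f -perm -u+x`.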

If you need a dedicated IP (shared common port) per chroot then you really need a VM or a container. Many modern Linux OSes use systemd, giving you access to systemd-networkd and so on. (subject for an upcoming)

PS: chroot, while similar, is not to be confused with a jail.