chroot Exercise: cat

[00:00:01]
>> Brian Holt: So as an exercise, just to kind of prove that you can, I'm gonna say, why don't you go do cat? And make that work for yourself, and then you can actually read your secret file inside of your rooted directory.
>> Brian Holt: Let's do cat, so the first thing we're gonna do is we're gonna copy slash bin slash cat into my new root slash bin core we're gonna say LDD slash bin slash cat.

[00:00:39]
And looks we just have these two so we're gonna say copy blah, copy blah into. That's gonna go into my new route / lib, okay? So now we're gonna change route root, into my new root and we're gonna run bash and we're gonna say cat secret txt and it says, my super secret thing.

[00:01:19]
>> Brian Holt: It's pwd work it does, okay so you can see here, according to this process, it thinks that it's in its root directory, which is wild, right? It's not, right, it's in my new whatever I called it, my new root. So, you could call this process that we're in right now jailed, right?

[00:01:40]
It cannot see outside of the directory that it's in right now. So, if you had Coca-Cola and Pepsi running next to each other on the same server and you jailed both of their processes, no matter what, they're not gonna be able to at least use the file system to navigate to the other one, right.

[00:01:57]
And you can imagine that they're not privileged that they can't just exit out of their jail, right, that you just dump them into the jailed process, and you don't tell them you're in a jailed process. So, the first step is locking down the file system, for us building containers.

[00:02:14]
One question you might ask me is, is there a less burdensome way than having to manually copy everything by hand? To get a new bare metal instance of a Linux distribution, and the answer is there is, and we're gonna show you shortly how to do that, but the difference is this one I'm just literally just copying stuff over.

[00:02:38]
The shortcut I'm gonna show you, it's gonna download about 150 megabytes worth of stuff cuz it's gonna download a brand-new copy of Debian, which is on one hand, it's one command, so it's less burdensome. On the other hand, it takes a minute or two to do so, so you're gonna have to weigh your options there.

[00:02:58]
>> Speaker 1: Question.
>> Brian Holt: Yeah.
>> Speaker 1: So, whenever you create something like this and you have to replicate the same structure that the binary in this case requires, otherwise,
>> Brian Holt: It won't know where to find them- [INAUDIBLE].
>> Brian Holt: Yeah, exactly, that's why the paths are important. And you'll notice here that I had you put in a lib 64, sometimes there will be 64 libraries there, and you can just tell by this is lib, it'll say lib 64 here instead of lib.

[00:03:27]
For whatever reason this particular, I actually don't know why it changes from time-to-time, but in this particular case, we didn't have anything to copy to the lib 64 directory, but sometimes you will, right?