JB's Blog

Symbolic links and Chroot

Found this awesome little tip in the proftpd manual on how to work around symbolic link issues.

There are two types of links in Unix: hard and symbolic.

A hard link is a file that is, for all intents and purposes, the file to which it is linked. The difference between a hardlink and the linked file is one of placement in the filesystem. Editing the hardlink edits the linked file. One limitation of hard links is that linked files cannot reside on different filesystems. This means that if /var and /home are two different mount points in /etc/fstab (or /etc/vfstab), then a file in /var/tmp cannot be hardlinked with a file in /home:
> pwd
/var/tmp
> ln /home/tj/tmp/tmpfile tmplink
ln: cannot create hard link `tmplink' to `/home/tj/tmp/tmpfile': Invalid cross-device link

A symbolic link (also referred to as a “symlink”) is a file whose contents contain the name of the file to which the symbolic link points. For example:
lrwxrwxrwx 1 root root 11 Mar 2 2000 rmt -> /sbin/rmt

The file rmt contains the nine characters /sbin/rmt. The reason symbolic links fail when chroot(2) is used to change the position of the root (/) of the filesystem is that, once / is moved, the pointed-to file path changes. If, for example, chroot(2) is used to change the filesystem root to /ftp, then the symlink above would actually be pointing to /ftp/sbin/rmt. Chances are that the link, once chroot(2) is used, now points to a path that does not exist. Symbolic links that point to nonexistent files are known as dangling symbolic links. Note that symbolic links to files underneath the new root, such as symlinks to a file in the same directory:
> pwd
/var/ftp
> ls -l
-rw-r--r-- 1 root root 0 Jan 16 11:50 tmpfile
lrwxrwxrwx 1 root root 7 Jan 16 11:50 tmplink -> tmpfile

will be unaffected; only paths that point outside/above the new root will be affected.
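An added example, not from the original post or the proftpd manual: a Python sketch that resolves every symlink under a directory the way a process chrooted there would (absolute targets restart at the new root, and ".." cannot climb above it) and reports which links work on the host but break inside the jail. The function names, status labels and the 40-hop limit are assumptions of this example.

```python
import os
import sys

MAX_HOPS = 40  # assumed cap on symlink hops (example value) to stop on loops

def resolve_in_root(root, jail_path):
    """Resolve jail_path as a process chrooted to root would; None if it fails."""
    pending = [p for p in reversed(jail_path.split("/")) if p]
    current, hops = [], 0           # current: resolved components below root
    while pending:
        part = pending.pop()
        if part == ".":
            continue
        if part == "..":
            current = current[:-1]  # ".." at the new root stays at the root
            continue
        host_path = os.path.join(root, *current, part)
        if os.path.islink(host_path):
            hops += 1
            if hops > MAX_HOPS:
                return None
            target = os.readlink(host_path)
            if target.startswith("/"):
                current = []        # absolute target restarts at the new root
            pending.extend(p for p in reversed(target.split("/")) if p)
        elif os.path.lexists(host_path):
            current.append(part)
        else:
            return None             # missing component: the link dangles
    return "/" + "/".join(current)

def audit_symlinks(root):
    """Map each symlink under root to 'ok', 'breaks-in-chroot' or 'dangling'."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            host_path = os.path.join(dirpath, name)
            if not os.path.islink(host_path):
                continue
            jail_path = "/" + os.path.relpath(host_path, root)
            in_jail = resolve_in_root(root, jail_path) is not None
            on_host = os.path.exists(host_path)   # normal, un-chrooted view
            status = "breaks-in-chroot" if on_host else "dangling"
            report[jail_path] = "ok" if in_jail else status
    return report

if __name__ == "__main__":
    # Pass the directory that will become the new root (defaults to ".").
    new_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for link, status in sorted(audit_symlinks(new_root).items()):
        print(status, link)
```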

Filesystem Tricks
When chroot is used, symlinks that point outside the new root (the user’s home directory in this case) will not work. To get around this apparent limitation, it is possible on modern operating systems to mount directories at several locations in the filesystem.

To have an exact duplicate of the /var/ftp/incoming directory available in /home/bob/incoming and /home/dave/incoming, use one of these commands:

Linux
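mount --bind /var/ftp/incoming /home/bob/incoming

This gets around the symbolic link issue, because the bind-mounted directory is part of the filesystem tree under the new root rather than a path that has to be resolved outside it.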

Written by JB Hewitt

September 30th, 2004 at 11:37 am

Posted in Linux

  • tothit

    Thanks !!!

  • Chris

    I’ve been through a hundred threads saying there is no way around the chroot symlink problem. This page is incredibly helpful. OpenBSD doesn’t have “mount -bind”, but I believe there is a “mount_union” command which may work. I am investigating it now. I hope someone finds this as helpful as I did.

  • Kasper

    Thanks for the tip. Here is my two cents.
    I’m planning to run several Chrooted services on a single host. Every service needs some executables, some libs etc., but I have only limited storage capacity available. I don’t want to break chrooting by mounting /bin, /usr/lib etc. in each service jail.
    So I intend to do this:
    - Copy every file, needed by more than one service, to its own directory.
    - For all services make mountpoints for each file the service needs in its jail.
    - Mount --bind everything
    - Use symlinks to get the structure needed in each service jail.
    I might use LIDS (to restrict capabilities of root) for further security.

  • http://www.spitrekop.com kuru

    whats up with these spammers

  • http://twitter.com/estebanfeldman Esteban Feldman

    Hi, thanks for the tip. One question though. How to make the mount --bind stick after reboot?

    Thanks