Introduction
A chrooted process is a process whose environment has been modified so that its root directory, and that of all its children, is not the same as the system's main root directory mounted on "/". By changing the root directory of a process (chroot, or "change root"), the process is limited to accessing the contents of a certain directory and its subdirectories. A program run in such a modified environment cannot access, and therefore cannot modify, files outside the designated directory tree. Chrooting is a very common security practice.
Procedure
The following command lists all the processes on your system that are currently chrooted. For each one it prints the process ID, the name of the process and the designated root directory of that process, in that order.
for file in `find /proc/ -type l -name "root" -print 2> /dev/null | grep -Eiv /task/ 2> /dev/null`; do PID=`ls -d $file 2> /dev/null| awk -F "/" '{print $3}'` && printf "%s = %s = %s\n" "$PID" `ps -p "$PID" 2> /dev/null | tail -n1 | awk '{print $4}'` `readlink $file 2> /dev/null` | grep -Eiv "(= /$|^\s*=\s*$|^.*?=\s*$)";done
Here is an example of what this command is supposed to return:
1596 = ossec-analysisd = /var/ossec
1614 = ossec-remoted = /var/ossec
1635 = ossec-monitord = /var/ossec
2059 = p0f = /var/cpanel/userhomes/cpanelconnecttrack
2979 = pop3-login = /run/dovecot/login
2980 = imap-login = /run/dovecot/login
2981 = anvil = /run/dovecot/empty
2983 = pop3-login = /run/dovecot/login
2984 = imap-login = /run/dovecot/login
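The same check written as a reusable function, as an added example that is not part of the original page: it walks the per-process directories directly, reads the command name from /proc/PID/comm instead of calling ps, and sorts the result by PID. The function name list_chrooted and its optional directory argument are assumptions made for this example; run it as root, since the root link of other users' processes is not readable otherwise.

```shell
#!/bin/sh
# list_chrooted [PROC_DIR]
# Prints "PID = NAME = ROOT" for every process whose root directory is not "/".
# PROC_DIR defaults to /proc; the argument is a hypothetical convenience so the
# function can also be pointed at a copied or constructed directory tree.
list_chrooted() {
    proc_dir=${1:-/proc}
    for dir in "$proc_dir"/[0-9]*; do
        # Only numeric entries are processes; skip anything that is not a directory.
        [ -d "$dir" ] || continue
        # readlink fails when the link is unreadable (insufficient privileges)
        # or the process exited while we were scanning; skip those entries.
        root=$(readlink "$dir/root" 2>/dev/null) || continue
        # A root of "/" means the process is not chrooted.
        [ -n "$root" ] && [ "$root" != "/" ] || continue
        # comm holds the command name as recorded by the kernel.
        name=$(cat "$dir/comm" 2>/dev/null) || name='?'
        printf '%s = %s = %s\n' "${dir##*/}" "$name" "$root"
    done | sort -n
}

# Scan the live system when run as a script.
list_chrooted "$@"
```

Like the one-liner, this compares the link target as text, so a process whose root is "/" inside its own mount namespace is not reported.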